[squid-users] squid intercept config
Yuri Voinov
yvoinov at gmail.com
Fri Mar 13 20:01:44 UTC 2015
This is know-how to himself. ;)
To be serious,
you must carefully play with refresh_pattern(s), and some squid.conf
parameters (and also with store ID feature) to get higher HIT ratio.
Just for example (this is NOT a complete config! No responsibility or
any guarantees in case of simple copy-n-paste into your configs! This
is an AS IS example!):
# Keep swf in cache even if asked not to
refresh_pattern -i \.(swf)(\?|$) 10080 90% 43200 override-expire ignore-reload reload-into-ims ignore-private
# .NET cache
refresh_pattern -i \.(as(h|p)x?)(\?|$) 10080 90% 43200 reload-into-ims
# Updates: Windows, Adobe, Java
refresh_pattern -i microsoft\.com/.*\.(cab|exe|ms[iufp]|asf|wm[va]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i windowsupdate\.com/.*\.(cab|exe|ms[iufp]|asf|wm[va]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i my\.windowsupdate\.website\.com/.*\.(cab|exe|ms[iufp]|asf|wm[va]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i adobe\.com/.*\.(zip|exe) 4320 80% 43200 reload-into-ims
refresh_pattern -i java\.com/.*\.(zip|exe) 4320 80% 43200 reload-into-ims
refresh_pattern -i sun\.com/.*\.(zip|exe) 4320 80% 43200 reload-into-ims
refresh_pattern -i google\.com.*\.(zip|exe) 4320 80% 43200 reload-into-ims
refresh_pattern -i macromedia\.com.*\.(zip|exe) 4320 80% 43200 reload-into-ims
# Other long-lived items
refresh_pattern -i \.(jp(e?g|e|2)|gif|png|tiff?|bmp|ico|webp|flv|mp4)(\?|$) 14400 99% 518400 ignore-no-store override-expire ignore-reload reload-into-ims ignore-private ignore-must-revalidate
refresh_pattern -i \.((m?|x?|s?)htm(l?)|css|js|xml|php|json)(\?|$) 10080 90% 86400 ignore-no-store override-expire override-lastmod reload-into-ims ignore-private ignore-must-revalidate
# Default patterns
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 10080 override-lastmod reload-into-ims
The example above also requires some additional cache-related
parameters to be changed.
Also, you are strictly recommended to research average user activity AND
play around with Vary HTTP headers.
And others.
Each squid setup is place-specific. And it depends on your access/deny
lists, security policy, users/network activity, etc. etc. etc.
WBR, Yuri
PS. Your question has NO simple answer. Beware - copy-n-pasting any
foreign config cannot guarantee the same results for YOU.
14.03.15 1:52, Alberto Perez wrote:
> Can you share more details about "Aggressive dynamic content
> caching requires some special tweaks" I am very interested.
>
> Thanks
>
>
>
> On 3/13/15, Yuri Voinov <yvoinov at gmail.com> wrote:
>
>
> 13.03.15 23:33, Amos Jeffries wrote:
>>>> On 14/03/2015 5:47 a.m., Monah Baki wrote:
>>>>
>>>> <snip>
>>>>
>>>>> half_closed_clients off
>>>>> quick_abort_min 0 KB
>>>>> quick_abort_max 0 KB
>>>>> vary_ignore_expire on
>>>>> reload_into_ims on
>>>>> memory_pools off
>>>>> cache_mem 4096 MB
>>>>> visible_hostname isn-phc-cache
>>>>> minimum_object_size 0 bytes
>>>>
>>>>> maximum_object_size 512 MB
>>>>> maximum_object_size 512 KB
>>>>
>>>> KB value overwriting MB value.
>>>>
>>>>
>>>>> ipcache_size 1024
>>>>> ipcache_low 90
>>>>> ipcache_high 95
>>>>> cache_swap_low 98
>>>>> cache_swap_high 100
>>>>> fqdncache_size 16384
>>>>> retry_on_error on
>>>>> offline_mode off
>>>>> logfile_rotate 10
>>>>> dns_nameservers 8.8.8.8 41.78.211.30
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> access.log:
>>>>>
>>>>> 1426267535.210 198 10.0.0.23 TCP_MISS/200 412 GET http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227 image/gif
>>>>> 1426267535.211 198 10.0.0.23 TCP_MISS/200 412 GET http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227 image/gif
>>>>> 1426267535.211 198 10.0.0.23 TCP_MISS/200 412 GET http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227 image/gif
>>>>> 1426267535.223 301 10.0.0.23 TCP_MISS/200 222 GET http://rma-api.gravity.com/v1/beacons/log? - ORIGINAL_DST/80.239.148.18 text/html
>>>>> 1426267535.244 195 10.0.0.23 TCP_MISS/200 412 GET http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227 image/gif
>>>>
>>>>
>>>> Lots of Akamai hosted requests. Akamai play tricks with DNS
>>>> responses.
> In my installation I've used a local Unbound DNS cache and, before
> it, forced DNS interception to it with Cisco. :)
>
> So, I don't care about any hosts DNS quirks. ;)
>
>>>>
>>>> Check your cache.log for security warnings;
>>>> <http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery>
>>>>
>>>>
>>>>
>>>> Note that objects failing the Host validation are not cacheable.
>>>>
>>>>
>>>>> 1426267535.333 423 10.0.0.23 TCP_MISS/200 1420 GET http://hpr.outbrain.com/utils/get? - ORIGINAL_DST/50.31.185.42 text/x-json
>>>>> 1426267535.345 412 10.0.0.23 TCP_MISS/200 11179 GET http://p.visualrevenue.com/? - ORIGINAL_DST/50.31.185.40 text/javascript
>>>>> 1426267535.346 411 10.0.0.23 TCP_MISS/200 423 GET http://t1.visualrevenue.com/? - ORIGINAL_DST/64.74.232.44 image/gif
>>>>
>>>> Not sure about them. Maybe genuine MISS, maybe not.
>
> Aggressive dynamic content caching requires some special tweaks. ;)
>
>>>>
>>>> It could also be the issues Antony pointed out, with the
>>>> objects just naturally not being cacheable.
>>>>
>>>>
>>>>> 1426267535.363 128 10.0.0.23 TCP_REFRESH_UNMODIFIED/304 327 GET http://z.cdn.turner.com/cnn/.element/widget/video/videoapi/api/js/vendor/jquery.ba-bbq.js - ORIGINAL_DST/80.239.152.153 application/x-javascript
>>>>
>>>> There is a hit.
>>>>
>>>> I guess you are new to Squid-3 ? Squid is HTTP/1.1 compliant
>>>> now and the caching rules are slightly different from
>>>> requirements on HTTP/1.0 software. A lot of content that
>>>> previously could not be stored now can (authenticated,
>>>> private, no-cache, etc.). But being sensitive info also
>>>> requires revalidation in order to be used, so they show up
>>>> like the above.
>>>>
>>>> Amos
>>>>
>>>> _______________________________________________ squid-users
>>>> mailing list squid-users at lists.squid-cache.org
>>>> http://lists.squid-cache.org/listinfo/squid-users
>>>>
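Added example (not part of the post above and not Squid code): Squid applies the first refresh_pattern whose regex matches the URL, so rule order decides which objects receive the aggressive options. This Python sketch replays four rules from the post against URLs from the quoted access.log and reports those whose winning rule sets ignore-private, ignore-no-store or ignore-must-revalidate. Assumptions: Python's re behaves like Squid's POSIX regex for these patterns, and the function names are hypothetical.

```python
import re

# Four rules copied from the post above, in their original order.
SQUID_CONF = r"""
refresh_pattern -i \.(jp(e?g|e|2)|gif|png|tiff?|bmp|ico|webp|flv|mp4)(\?|$) 14400 99% 518400 ignore-no-store override-expire ignore-reload reload-into-ims ignore-private ignore-must-revalidate
refresh_pattern -i \.((m?|x?|s?)htm(l?)|css|js|xml|php|json)(\?|$) 10080 90% 86400 ignore-no-store override-expire override-lastmod reload-into-ims ignore-private ignore-must-revalidate
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 10080 override-lastmod reload-into-ims
"""

# URLs taken from the access.log quoted in the thread.
URLS = [
    "http://jadserve.postrelease.com/trk.gif?",
    "http://rma-api.gravity.com/v1/beacons/log?",
    "http://p.visualrevenue.com/?",
    "http://z.cdn.turner.com/cnn/.element/widget/video/videoapi/api/js/vendor/jquery.ba-bbq.js",
]

# Options that make a shared cache keep responses the origin marked
# private, no-store or must-revalidate.
RISKY = {"ignore-private", "ignore-no-store", "ignore-must-revalidate"}

def parse_rules(conf):
    """Parse refresh_pattern lines into dicts, keeping file order."""
    rules = []
    for line in conf.splitlines():
        tok = line.split()
        if not tok or tok[0] != "refresh_pattern":
            continue
        tok = tok[1:]
        flags = 0
        if tok[0] == "-i":
            flags, tok = re.IGNORECASE, tok[1:]
        regex, min_m, pct, max_m, *opts = tok
        rules.append({"regex": regex, "re": re.compile(regex, flags),
                      "min": int(min_m), "pct": int(pct.rstrip("%")),
                      "max": int(max_m), "opts": set(opts)})
    return rules

def first_match(rules, url):
    """Return the first rule whose regex matches the URL, as Squid does."""
    return next((r for r in rules if r["re"].search(url)), None)

def audit(rules, urls):
    """Return (url, min_minutes, risky_options) where the winning rule is risky."""
    hits = []
    for url in urls:
        rule = first_match(rules, url)
        if rule and rule["opts"] & RISKY:
            hits.append((url, rule["min"], sorted(rule["opts"] & RISKY)))
    return hits
```

Calling `audit(parse_rules(SQUID_CONF), URLS)` shows that `trk.gif?` is claimed by the image rule before the `\?` default is reached, so a query-string tracking pixel is held for at least 14400 minutes with the origin's private/no-store directives ignored.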