[squid-users] squid intercept config

Yuri Voinov yvoinov at gmail.com
Sat Mar 14 07:29:42 UTC 2015


And don't forget that the cache must be warmed up first, before it can cause
an increase in HIT-ratio.

14.03.15 6:45, Alberto Perez wrote:
> Thanks a lot Yuri,
> I merged some of these options into my config; I will now see how the
> HIT rate goes. My squid runs with such limited bandwidth that I
> need to be as aggressive as I can in caching the content.
>
> Thanks again for sharing, very appreciated
>
> Alberto
>
> On Fri, Mar 13, 2015 at 4:01 PM, Yuri Voinov <yvoinov at gmail.com> wrote:
>
>     This is know-how to himself. ;)
>
>     To be serious,
>
>     you must carefully play with refresh_pattern(s), and some squid.conf
>     parameters (and also with store ID feature) to get higher HIT ratio.
>
>     Just for example (this is NOT a complete config! No responsibility or
>     any guarantees in case of simple copy-n-paste into your configs! This
>     is an AS IS example!):
>
>     # Keep swf in cache even if asked not to
>     refresh_pattern -i \.(swf)(\?|$)        10080   90%  43200  override-expire ignore-reload reload-into-ims ignore-private
>     # .NET cache
>     refresh_pattern -i \.(as(h|p)x?)(\?|$)  10080   90%  43200  reload-into-ims
>     # Updates: Windows, Adobe, Java
>     refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[iufp]|asf|wm[va]|dat|zip)  4320  80%  43200  reload-into-ims
>     refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[iufp]|asf|wm[va]|dat|zip)  4320  80%  43200  reload-into-ims
>     refresh_pattern -i my.windowsupdate.website.com/.*\.(cab|exe|ms[iufp]|asf|wm[va]|dat|zip)  4320  80%  43200  reload-into-ims
>     refresh_pattern -i adobe.com/.*\.(zip|exe)  4320  80%  43200  reload-into-ims
>     refresh_pattern -i java.com/.*\.(zip|exe)   4320  80%  43200  reload-into-ims
>     refresh_pattern -i sun.com/.*\.(zip|exe)    4320  80%  43200  reload-into-ims
>     refresh_pattern -i google\.com.*\.(zip|exe)      4320  80%  43200  reload-into-ims
>     refresh_pattern -i macromedia\.com.*\.(zip|exe)  4320  80%  43200  reload-into-ims
>     # Other long-lived items
>     refresh_pattern -i \.(jp(e?g|e|2)|gif|png|tiff?|bmp|ico|webp|flv|mp4)(\?|$)  14400  99%  518400  ignore-no-store override-expire ignore-reload reload-into-ims ignore-private ignore-must-revalidate
>     refresh_pattern -i \.((m?|x?|s?)htm(l?)|css|js|xml|php|json)(\?|$)  10080  90%  86400  ignore-no-store override-expire override-lastmod reload-into-ims ignore-private ignore-must-revalidate
>     # Default patterns
>     refresh_pattern -i (/cgi-bin/|\?)  0  0%  0
>     refresh_pattern .  0  20%  10080  override-lastmod reload-into-ims
>
>     The example above also requires some additional cache-related
>     parameters to be changed.
>
>     Also, it is strictly recommended that you research average user
>     activity AND play around with VARY HTTP headers.
>
>     And others.
>
>     Each squid setup is place-specific and depends on your access/deny
>     lists, security policy, users/network activity etc. etc. etc.
>
>     WBR, Yuri
>
>     PS. Your question has NO simple answer. Beware - copy-n-pasting any
>     foreign config cannot guarantee the same results for YOU.
>
>     14.03.15 1:52, Alberto Perez wrote:
>     > Can you share more details about "Aggressive dynamic content
>     > caching requires some special tweaks"? I am very interested.
>     >
>     > Thanks
>     >
>     >
>     >
>     > On 3/13/15, Yuri Voinov <yvoinov at gmail.com> wrote:
>     >
>     >
>     > 13.03.15 23:33, Amos Jeffries wrote:
>     >>>> On 14/03/2015 5:47 a.m., Monah Baki wrote:
>     >>>>
>     >>>> <snip>
>     >>>>
>     >>>>> half_closed_clients off
>     >>>>> quick_abort_min 0 KB
>     >>>>> quick_abort_max 0 KB
>     >>>>> vary_ignore_expire on
>     >>>>> reload_into_ims on
>     >>>>> memory_pools off
>     >>>>> cache_mem 4096 MB
>     >>>>> visible_hostname isn-phc-cache
>     >>>>> minimum_object_size 0 bytes
>     >>>>
>     >>>>> maximum_object_size 512 MB
>     >>>>> maximum_object_size 512 KB
>     >>>>
>     >>>> KB value overwriting MB value.
>     >>>>
>     >>>>
>     >>>>> ipcache_size 1024
>     >>>>> ipcache_low 90
>     >>>>> ipcache_high 95
>     >>>>> cache_swap_low 98
>     >>>>> cache_swap_high 100
>     >>>>> fqdncache_size 16384
>     >>>>> retry_on_error on
>     >>>>> offline_mode off
>     >>>>> logfile_rotate 10
>     >>>>> dns_nameservers 8.8.8.8 41.78.211.30
>     >>>>>
>     >>>>>
>     >>>>>
>     >>>>>
>     >>>>> access.log:
>     >>>>>
>     >>>>> 1426267535.210    198 10.0.0.23 TCP_MISS/200 412 GET http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227 image/gif
>     >>>>> 1426267535.211    198 10.0.0.23 TCP_MISS/200 412 GET http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227 image/gif
>     >>>>> 1426267535.211    198 10.0.0.23 TCP_MISS/200 412 GET http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227 image/gif
>     >>>>> 1426267535.223    301 10.0.0.23 TCP_MISS/200 222 GET http://rma-api.gravity.com/v1/beacons/log? - ORIGINAL_DST/80.239.148.18 text/html
>     >>>>> 1426267535.244    195 10.0.0.23 TCP_MISS/200 412 GET http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227 image/gif
>     >>>>
>     >>>>
>     >>>> Lots of Akamai hosted requests. Akamai play tricks with DNS
>     >>>> responses.
>     > In my installation I've used local Unbound DNS cache and, before
>     > it, forced DNS interception to him with Cisco. :)
>     >
>     > So, I don't care about any hosts DNS quirks. ;)
>     >
>     >>>>
>     >>>> Check your cache.log for security warnings;
>     >>>> <http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery>
>     >>>>
>     >>>>
>     >>>>
>     >>>> Note that objects failing the Host validation are not cacheable.
>     >>>>
>     >>>>
>     >>>>> 1426267535.333    423 10.0.0.23 TCP_MISS/200 1420 GET http://hpr.outbrain.com/utils/get? - ORIGINAL_DST/50.31.185.42 text/x-json
>     >>>>> 1426267535.345    412 10.0.0.23 TCP_MISS/200 11179 GET http://p.visualrevenue.com/? - ORIGINAL_DST/50.31.185.40 text/javascript
>     >>>>> 1426267535.346    411 10.0.0.23 TCP_MISS/200 423 GET http://t1.visualrevenue.com/? - ORIGINAL_DST/64.74.232.44 image/gif
>     >>>>
>     >>>> Not sure about them. Maybe genuine MISS, maybe not.
>     >
>     > Aggressive dynamic content caching requires some special tweaks. ;)
>     >
>     >>>>
>     >>>> It could also be the issues Antony pointed out, with the
>     >>>> objects just naturally not being cacheable.
>     >>>>
>     >>>>
>     >>>>> 1426267535.363    128 10.0.0.23 TCP_REFRESH_UNMODIFIED/304 327 GET http://z.cdn.turner.com/cnn/.element/widget/video/videoapi/api/js/vendor/jquery.ba-bbq.js - - ORIGINAL_DST/80.239.152.153 application/x-javascript
>     >>>>
>     >>>> There is a hit.
>     >>>>
>     >>>> I guess you are new to Squid-3 ? Squid is HTTP/1.1 compliant
>     >>>> now and the caching rules are slightly different from
>     >>>> requirements on HTTP/1.0 software. A lot of content that
>     >>>> previously could not be stored now can (authenticated,
>     >>>> private, no-cache, etc.). But being sensitive info also
>     >>>> requires revalidation in order to be used, so they show up
>     >>>> like the above.
>     >>>>
>     >>>> Amos
>     >>>>
>     >>>> _______________________________________________
>     >>>> squid-users mailing list
>     >>>> squid-users at lists.squid-cache.org
>     >>>> http://lists.squid-cache.org/listinfo/squid-users
>     >>>>
>
>
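
Squid applies the first refresh_pattern whose regex matches a URL, so rule order decides which requests receive the override options in the config quoted above. The sketch below is an added example, not part of the thread or of Squid: it parses a constructed three-rule excerpt of that config and reports which rule governs each constructed URL, assuming Python's `re` behaves like Squid's regex dialect for these patterns.

```python
import re

# Options from the quoted config that make Squid disregard what the origin
# said about freshness or cacheability (client-side ones are left out).
ORIGIN_OVERRIDES = {"ignore-private", "ignore-no-store",
                    "ignore-must-revalidate", "override-expire",
                    "override-lastmod"}

# Constructed excerpt: three rules from the quoted example, same relative order.
SAMPLE_CONF = r"""
refresh_pattern -i \.((m?|x?|s?)htm(l?)|css|js|xml|php|json)(\?|$) 10080 90% 86400 ignore-no-store override-expire override-lastmod reload-into-ims ignore-private ignore-must-revalidate
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 10080 override-lastmod reload-into-ims
"""

# Constructed URLs: query-string page, JSON API, CGI script, plain path.
URLS = ["http://intranet.example/account.php?user=42",
        "http://api.example/v1/profile.json",
        "http://www.example/cgi-bin/report?id=7",
        "http://www.example/download"]

def parse_rules(conf):
    """Return the refresh_pattern rules of a squid.conf text, in file order."""
    rules = []
    for line in conf.splitlines():
        tok = line.split()
        if not tok or tok[0] != "refresh_pattern":
            continue  # blank line, comment or another directive
        flags = re.IGNORECASE if "-i" in tok[1:2] else 0
        if flags:
            del tok[1]
        if len(tok) < 5:
            continue  # malformed rule: regex, min, percent and max are required
        rules.append({"regex": tok[1], "re": re.compile(tok[1], flags),
                      "min": int(tok[2]), "max": int(tok[4]),
                      "overrides": sorted(ORIGIN_OVERRIDES & set(tok[5:]))})
    return rules

def audit(rules, urls):
    """Map each URL to (regex, min age in minutes, override options) of the
    first matching rule, which is the one Squid applies."""
    report = {}
    for url in urls:
        rule = next((r for r in rules if r["re"].search(url)), None)
        report[url] = rule and (rule["regex"], rule["min"], rule["overrides"])
    return report

if __name__ == "__main__":
    for url, verdict in audit(parse_rules(SAMPLE_CONF), URLS).items():
        print(url, "->", verdict)
```

With the rules in the quoted order, the `.php?user=42` URL is governed by the 10080-minute rule carrying `ignore-private` and never reaches the `(/cgi-bin/|\?)` rule that would have given it a zero lifetime.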
