[squid-users] Inconsistent accessing of the cache, craigslist.org images, wacky stuff.
Amos Jeffries
squid3 at treenet.co.nz
Thu Oct 29 05:18:32 UTC 2015
On 29/10/2015 3:02 p.m., Jester Purtteman wrote:
> Probably a good idea there, I have not used bind in a very, very long
> time, but I will give it a shot.
>
> I am still having some issues, but at least now they're all within
> the bounds of consistent and "what-i-expect" behavior, I just need to
> think through how to outsmart a couple issues. The big one now is
> that many addresses appear to change by the time the system
> downloads a particularly large file (Windows updates, to be
> specific), so it ends up releasing it almost immediately (because of
> the header spoofing prevention I was talking about in this chain),

The Host header verification happens as the first step of message
processing before anything else. So it should not be the cause, but a
side effect of something else.

I think a worse problem is if the DNS TTL is shorter than a client
connection's TCP connected time. Then requests arriving after the DNS TTL
expired would no longer match the initial dst-IP.

As a workaround you could try to reduce the client_idle_pconn_timeout
(2mins) then if that does not help the client_lifetime (24hrs).

It will probably require patching to get a full fix. I've started
thinking of solutions. Maybe remembering Host names used on the
connection, or closing it ASAP after the DNS TTL runs out.

Amos

> which is only frustrating because caching big updates would be a huge
> gain for us. So far, out of 20 GB transferred, about 6 GB has been
> Windows/Apple updates, and that from several hosts. I'll see if I
> can get BIND to grab that and cache that resolution a little longer,
> and hang on to it, but my bigger question is: if I set up a parent
> proxy that ONLY grabs the big updates down on my big-fast-cheap
> connection, then set my little-slow-expensive-connection up to pull
> from that connection, would that have a higher chance of success?
> Since the proxy on the slow system is requesting the same object, I'm
> wondering if that may work out better. Not sure that will have the
> desired effect, but I'm going to try it out, I'll let you know how
> that works out.
>> -----Original Message-----
>> From: squid-users On
>> Behalf Of Eliezer Croitoru
>>
>> Hey Jester,
>>
>> I know that installing bind would probably not be much of a trouble and I
>> recommend to use it instead of using dnsmasq.
>> It will do everything much better even if you are using it as a forwarder and
>> not a recursive DNS service.
>>
>> Eliezer
>>
>> On 28/10/2015 20:24, Jester Purtteman wrote:
>>> So, I just installed dnsmasq on two of my servers, pointed my clients
>>> toward that address, and so far it is working a whole lot better. My hit rate is
>>> up in the 10% range, and that is with a nearly empty cache, so that may be
>>> the trick. I only made the change about a short time ago. More importantly,
>>> that error in the log has gone away and I am getting consistent caching
>>> behavior, so that is huge.
>>>
>>> Thank you!
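
Added example, not part of the original message and not Squid source code: a simplified model of the case Amos describes, where the DNS TTL is shorter than the time a client connection stays open, and of why lowering the idle timeout or the connection lifetime reduces verification failures. The rotating resolver, the addresses (documentation range), the 30-second TTL and the request schedule are constructed, and the model assumes the client and the proxy query the same resolver.

```python
# Simplified model (added example, not Squid source code).
# Assumption: client and proxy query the same resolver, which hands out a
# different address set in each TTL window (CDN-style rotation).

TTL = 30  # seconds, constructed value
ROTATION = [{"192.0.2.10"}, {"192.0.2.20"}, {"192.0.2.30"}, {"192.0.2.40"}]  # constructed


def resolve(now):
    """Address set the resolver returns at time `now` (seconds)."""
    return ROTATION[(now // TTL) % len(ROTATION)]


def replay(request_times, idle_timeout, lifetime):
    """Replay requests from one client through an intercepting proxy.

    The destination IP is fixed when the TCP connection is opened. The proxy
    closes the connection once it has been idle longer than `idle_timeout`
    or open longer than `lifetime`; the client then reconnects to a freshly
    resolved address. Returns one (time, dst_ip, verified) tuple per request.
    """
    results = []
    opened = last = dst_ip = None
    for now in request_times:
        expired = (
            dst_ip is None
            or now - last > idle_timeout
            or now - opened > lifetime
        )
        if expired:
            dst_ip = sorted(resolve(now))[0]  # client reconnects
            opened = now
        last = now
        # Host verification: does the Host name still resolve to dst_ip?
        results.append((now, dst_ip, dst_ip in resolve(now)))
    return results


def failures(results):
    """Number of requests whose dst-IP no longer matches the Host name."""
    return sum(1 for _, _, ok in results if not ok)


if __name__ == "__main__":
    times = [0, 25, 50, 75, 100]  # constructed request schedule
    for idle in (120, 20):
        run = replay(times, idle_timeout=idle, lifetime=86400)
        print(f"idle timeout {idle:>3}s: {failures(run)} of {len(run)} fail verification")
```
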