> -----Original Message-----
> From: Vadim Pushkin [mailto:wiskbroom@xxxxxxxxxxx]
> Sent: Thursday, November 10, 2005 10:40 AM
> To: uhlar@xxxxxxxxxxx; squid-users@xxxxxxxxxxxxxxx
> Subject: Re: Large Solaris (2.8) Squid Server Advice Needed
>
> Here is my draft squid.conf file, and my configure options when I built squid..
>
> NOTE ** I am now looking to turn both of my squid servers into cache peers of each other. Both machines have two network interfaces, and I plan on dedicating one of these for a "private" LAN connection solely for ICP use. Am I stating this properly within my squid.conf? I wish to ensure that inter-caching a) does not leak out of interface A, only interface B (my private LAN) and that between these two machines on LAN B (again, private LAN), that they are able to access each other's cache freely.
>
> Thank you all!
>
> .vp
>
> ----------BUILD LINE-------
>
> ./configure --prefix=/opt/squid/current --enable-storeio=ufs,aufs
> --enable-icmp --enable-err-languages=English
> --enable-default-err-language=English --disable-hostname-checks
> --enable-underscores --enable-stacktrace --enable-async-io
> --enable-snmp
> --enable-removal-policies=heap,lru
>
> ## Is there any purpose to specifying both ufs *and* aufs for --enable-storeio?
> ## I built with just aufs and it seems to be working fine, though I haven't really
> ## stressed it much.

As I understand it, specifying both lets you use either. If you are only going to use aufs, just specify aufs.

>
> -------- SQUID.CONF -------
>
> http_port 8080
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
> cache_dir aufs /usr/local/squid/cache 51200 64 256
> # Increase maximum object size ?
> maximum_object_size 32 MB
> # Use this instead?
> # maximum_object_size 5000000 KB

Depends on your customers' usage patterns. One ~5GB item will save a lot of bandwidth if it's cacheable and requested more than once. On the other hand, it will prevent a bundle of 5MB images from being cached.

> cache_mem 4 MB
> cache_swap_low 97
> cache_swap_high 100

I'd lower cache_swap_high to 98. With a cache as large as you have, each percent is in the neighborhood of 500MB of data. Setting cache_swap_high will start aggressively purging cached objects when you have around 1GB of cache space free.

>
> ipcache_size 4096
> ipcache_low 90
> ipcache_high 95
> fqdncache_size 4096
> buffered_logs off
> # Use heap LFUDA replacement policy:
> cache_replacement_policy heap LFUDA
> cache_access_log /usr/local/squid/var/logs/access.log
> # cache_access_log /usr/local/squid/cache
> # cache_log /dev/null
> # cache_store_log none
> ftp_user squid_ftp@
> # Keep?
> # diskd_program /usr/local/squid/libexec/diskd

If you are using aufs as the cache_dir type, you don't need to specify diskd. Actually, you only need to specify it if it's different from the default.

> debug_options ALL,1
> #reference_age 6 month
> quick_abort_min 1 KB
> quick_abort_max 1048576 KB
> quick_abort_pct 90
> connect_timeout 30 seconds
> read_timeout 5 minutes
> request_timeout 30 seconds
> client_lifetime 2 hour
> half_closed_clients off
> pconn_timeout 120 seconds
> ident_timeout 10 seconds
> shutdown_lifetime 15 seconds
> # request_body_max_size 50 MB
> request_header_max_size 100 KB
> request_body_max_size 1000 KB
>
> refresh_pattern ^ftp: 1440 50% 86400 reload-into-ims
> refresh_pattern ^gopher: 1440 0% 1440 reload-into-ims
> refresh_pattern . 0 50% 86400 reload-into-ims
>
> acl DIALUPS src 192.168.0.0/16
> acl IntraNet_One src 12.20.0.0/16
> acl IntraNet_Two src 12.30.0.0/16
> acl BACKUPS src 12.40.0.0/16
> acl ICP_ONE src 10.20.30.2/255.255.255.252
> acl ICP_ONE src 10.20.30.2/255.255.255.252

Why is ICP_ONE specified twice? I imagine it should either be ICP_TWO (used below) or should just be removed (if ICP_ONE covers the whole subnet).

> #
> # Everyone Else
> #
> acl all src 0.0.0.0/255.255.255.255
> #
> http_access allow DIALUPS
> http_access allow IntraNet_One
> http_access deny IntraNet_Two
> http_access allow BACKUPS

http_access allow ICP_ONE # Otherwise requests for cached content from peers will fail.

> #
> http_access deny all
> acl manager proto cache_object
>
> acl localhost src 127.0.0.1/255.255.255.255
> #
> # Define Safe Ports to use.
> #
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> #
> # Define SSL Ports
> #
> acl SSL_ports port 443 563
>
> acl CONNECT method CONNECT
>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> #
> # http_access allow all
> #
> # ??? One per each network as above?
> #

Yes. See http://www.squid-cache.org/Doc/FAQ/FAQ-10.html for details.

> http_reply_access allow Remote_Access
> #
> http_reply_access allow DIALUPS
> http_reply_access allow IntraNet_One
> http_reply_access deny IntraNet_Two
> http_reply_access allow BACKUP

I don't know if this is going to work as you expect. You are using source-based acls with a reply-based control... The recommended minimum (from squid.conf.default) is to allow replies to all.

> #
> http_reply_access deny all
>
> cache_mgr squidmgr@xxxxxxxxxx
>
> visible_hostname squidproxy-1
>
> logfile_rotate 14
>
> coredump_dir /usr/local/squid/var/cache
>
> cache_effective_user nobody
> cache_effective_group nobody
>
> # CACHE PEER
> icp_port 3130
> # icp_access allow all
> # Is this correct?
> icp_access allow ICP_ONE
> icp_access allow ICP_TWO
>

In the config that you sent out you haven't defined ICP_TWO. Squid will just complain, but it won't break anything. It shouldn't hurt anything to put "icp_access deny all" here.

> #
> cache_peer 10.20.30.2 sibling 3128 3130
>

You probably want to add proxy-only to your cache_peer line, to prevent duplication of content.

> # The other host has
> # cache_peer 10.20.30.3 sibling 3128 3130
>
> peer_connect_timeout 10 seconds
> dns_testnames localhost
>

Chris
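The review above spots the issues by eye: a duplicated acl, an access rule that references an undefined acl, and peer traffic that the http_access list never allows. The following is an added example, not code from the thread or from Squid, that lints a src-based squid.conf excerpt for exactly those problems and then evaluates a source address against http_access and icp_access the way Squid does (first match wins; with no match the default is the opposite of the last rule). The excerpt is constructed from the acl names and networks quoted above, trimmed to src-based rules, with `acl all` written in the squid.conf.default form.

```python
import ipaddress
# Constructed excerpt modelled on the squid.conf quoted above (src-based rules only).
SQUID_CONF = """
acl DIALUPS src 192.168.0.0/16
acl IntraNet_One src 12.20.0.0/16
acl IntraNet_Two src 12.30.0.0/16
acl ICP_ONE src 10.20.30.2/255.255.255.252
acl ICP_ONE src 10.20.30.2/255.255.255.252
acl all src 0.0.0.0/0.0.0.0
http_access allow DIALUPS
http_access allow IntraNet_One
http_access deny IntraNet_Two
http_access deny all
icp_access allow ICP_ONE
icp_access allow ICP_TWO
"""

def parse(conf):
    """Return (acls, rules, problems); problems are the lint findings as strings."""
    acls, rules, problems = {}, [], []
    for line in conf.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "acl" and len(parts) >= 4 and parts[2] == "src":
            name, spec = parts[1], parts[3]
            try:
                ipaddress.ip_network(spec)  # strict parse: rejects host bits in the spec
            except ValueError:
                problems.append(f"acl {name}: {spec} has host bits set, squid masks them away")
            net = ipaddress.ip_network(spec, strict=False)
            if net in acls.get(name, []):
                problems.append(f"acl {name}: duplicate definition {spec}")
            acls.setdefault(name, []).append(net)
        elif parts[0] in ("http_access", "icp_access") and len(parts) >= 3:
            directive, action, name = parts[:3]
            if name not in acls:
                problems.append(f"{directive}: acl {name} is not defined")
            rules.append((directive, action, name))
    return acls, rules, problems

def decide(directive, src_ip, acls, rules):
    """First-match evaluation; with no match the default is the opposite of the last rule."""
    ip, last = ipaddress.ip_address(src_ip), None
    for d, action, name in rules:
        if d == directive:
            last = action
            if any(ip in net for net in acls.get(name, [])):
                return action
    return "allow" if last == "deny" else "deny"
```

Run against the excerpt, the linter reports the duplicate ICP_ONE, the undefined ICP_TWO and the masked host bits (10.20.30.2/255.255.255.252 normalises to 10.20.30.0/30, so it already covers both peers at .2 and .3), while `decide` shows the peer at 10.20.30.3 being allowed by icp_access but denied by http_access until an `http_access allow ICP_ONE` rule is added.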