Search squid archive

Re: Sibling peers not talking to each other

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Jeff Rigby wrote:
Hello,

I've just set up my first Squid server. So far I've been very impressed with
the performance. I would have been lost without this list so thanks for all
your help.

My config seems to work, but the peers are not talking to each other at all
and I was hoping that someone on this (extremely helpful) list can help me
out. Here are the parameters:

- 3 Squid servers running in accelerator mode

What version?  All my responses assume at least 2.6.

- Each server has its own cache (I have plenty of space available)
- 3 web servers
- 3 different domains are served by these servers (domain.com,
test.domain.com, dev.domain.com) and each goes to a different origin server.

I'm assuming (from the config below) that you mean there are three domains, all of which are hosted on all three of the origin servers, but currently, each Squid server is assigned its own origin server.

- I want the Squid servers to query each other before going to the parent
(this is not working)
- I have set up the peers as siblings (not sure if this is correct)
- Each server has a different origin server defined (webserver 1, 2, 3
respectively)
- I pretty much always want to serve from the cache regardless of header (We
enforce unique file names)
- This server only serves jpg, png, gif, js, css, and txt

So I have four questions:

1. Is it possible to round robin the origin server instead of defining
different IPs for each server?

Yes. But I'm not sure you are going to be able to do it with the setup you have. To be honest, I'm amazed your setup is working...

2. How can I make the servers talk to each other, before hitting the origin
server?

Setting them up as siblings, and allowing icp access. That much looks correct.

3. Is there anything else odd in my configuration?

Oh yeah...  We'll get to that.  ;o)

4. How can I block all other file types besides images, js, css, txt. I know
this can be done with an acl but thus far I haven't figured it out.

Block them how? Deny caching of other file types? Block replies from the origin servers that are not identified as one of the above mentioned files types? Block requests for objects that are not one of those file types? Clarify this point and I'd be happy to give advice.

Here are the IPs:
Squid 1: 10.155.0.90:80 -> Webserver 1: 10.155.0.101 Squid 2: 10.155.0.91:80
-> Webserver 1: 10.155.0.102 Squid 3: 10.155.0.92:80 -> Webserver 1:
10.155.0.103

Something really bad happened with the line wrapping of the config. I think I've got it parsed correctly...

Squid 1 Config:
visible_hostname img1.squid_server.com
dns_nameservers 10.155.0.240 10.155.0.241

Squid does a pretty good job of using the host OS settings for DNS servers. Usually this directive is not needed.

cache_effective_user  squid
cache_effective_group squid

As long as the user "squid" is a member of the group "squid" cache_effective_group is not needed (and if the user is not a member of the group, that should be fixed).

http_port 127.0.0.1:3128 accel defaultsite=localhost vhost http_port 10.155.0.90:80 accel defaultsite=squid_server.com vhost

Is there something running on localhost port 80? If not, consolidate these two lines to just "http_port 80 accel defaultsite=domain.com vhost" and use localhost port 80 for cache_mgr queries. In any case, defaultsite should be set to the default FQDN you wish to direct visitors to if the HTTP request doesn't contain a Host header (www.domain.com, test.domain.com or dev.domain.com).

cache_peer 10.155.0.101 parent 80 0 no-query originserver no-digest no-netdb-exchange
forceddomain=www.domain.com name=prod cache_peer_domain prod squid_server.com www.squid_server.com

Here's where things get really weird. Have a gander at http://wiki.squid-cache.org/ConfigExamples/Reverse/VirtualHosting. No really... I'll wait.

Notice how it's not specified how many domains the origin server hosts, but there's only ONE cache_peer line? Notice how, in a vhost setup, forceddomain is not used... Both by design.

cache_peer 10.155.0.101 parent 80 0 no-query originserver no-digest no-netdb-exchange
forceddomain=test.domain.com name=test cache_peer_domain test test.squid_server.com cache_peer 10.155.0.101 parent 80 0 no-query originserver no-digest no-netdb-exchange forceddomain=dev.domain.com name=dev cache_peer_domain dev dev.squid_server.com

Replace all the cache_peer and cache_peer_domain lines to this point with...

cache_peer 10.155.0.101 parent 80 0 no-query no-digest no-netdb-exchange originserver round-robin cache_peer 10.155.0.102 parent 80 0 no-query no-digest no-netdb-exchange originserver round-robin cache_peer 10.155.0.103 parent 80 0 no-query no-digest no-netdb-exchange originserver round-robin

If you really don't mind round-robin requests (which for an image/js/css server you wouldn't) it's the simplest choice, otherwise you could use sourcehash for client-server affinity. As I'll mention again later, you really don't want to use cache_peer access or cache_peer_domain in your setup. It's only relevant when you have different content on the back-end servers.

cache_peer 10.155.0.91 sibling 80 3130 allow-miss no-netdb-exchange name=squid2

You might want to drop the no-netdb-exchange from the sibling lines. Especially if you decide to leave query_icmp enabled...

cache_peer 10.155.0.92 sibling 80 3130 allow-miss no-netdb-exchange name=squid3

#headers
reply_header_access Cache-Control deny all header_replace Cache-Control max-age=1209600 refresh_pattern . 0 50% 1209600 ignore-no-cache override-expire override-lastmod reload-into-ims ignore-reload
ignore-no-store ignore-private
reload_into_ims	on

#ICP
query_icmp on

Since all your servers are on the same LAN, don't bother with the ICMP queries.

icp_port 3130
udp_incoming_address 10.155.0.90

Setting udp_incoming_address will prevent using this IP for udp_outgoing_address. Leave it the default, unless you have multiple interfaces, some which SHOULD NOT receive UDP data.

# Basic ACLs
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl mydomain dstdomain .domain.com .squid_server.com localhost .external.alliedadvpub.com acl localnet src 10.0.0.0/16
acl Safe_ports port 80		# http
acl Safe_ports port 3128	# admin
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access allow mydomain
http_access deny all

Access controls handled... If you decide just to use port 80, you can remove 3128 from Safe_ports.

icp_access allow localnet
icp_access deny all


Drop all of these cache_peer_access lines. You want to have the freedom to query any of your peers for any request.

cache_peer_access prod allow mydomain
cache_peer_access prod deny all
cache_peer_access test allow mydomain
cache_peer_access test deny all
cache_peer_access dev allow mydomain
cache_peer_access dev deny all
#cache_peer_access squid1 allow mydomain localnet #cache_peer_access squid1 deny all cache_peer_access squid2 allow mydomain localnet cache_peer_access squid2 deny all cache_peer_access squid3 allow mydomain localnet cache_peer_access squid3 deny all

You already defined the icp_access once. It's redundant here. No harm, just redundant.

icp_access allow localnet icp_access deny all

(other settings removed)

The other configs are exactly the same except the siblings are configure to
be the other servers and the parent for the main server points to another IP
(a different webserver).

I'm not seeing anything weird in cache.log. It seems to load the siblings
but when I look at the cache manger ICP sent and received is 0.

I'd have to guess this is related to defining udp_incoming_address, and nothing else. If you want to make a simple change, just remove that declaration and see if sibling queries work.

Jeff

Chris


[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux