Jeff Rigby wrote:
Hello,
I've just set up my first Squid server. So far I've been very impressed with
the performance. I would have been lost without this list so thanks for all
your help.
My config seems to work, but the peers are not talking to each other at all
and I was hoping that someone on this (extremely helpful) list can help me
out. Here are the parameters:
- 3 Squid servers running in accelerator mode
What version? All my responses assume at least 2.6.
- Each server has its own cache (I have plenty of space available)
- 3 web servers
- 3 different domains are served by these servers (domain.com,
test.domain.com, dev.domain.com) and each goes to a different origin server.
I'm assuming (from the config below) that you mean there are three
domains, all of which are hosted on all three of the origin servers, but
currently, each Squid server is assigned its own origin server.
- I want the Squid servers to query each other before going to the parent
(this is not working)
- I have set up the peers as siblings (not sure if this is correct)
- Each server has a different origin server defined (webserver 1, 2, 3
respectively)
- I pretty much always want to serve from the cache regardless of header (We
enforce unique file names)
- This server only serves jpg, png, gif, js, css, and txt
So I have four questions:
1. Is it possible to round robin the origin server instead of defining
different IPs for each server?
Yes. But I'm not sure you are going to be able to do it with the setup
you have. To be honest, I'm amazed your setup is working...
2. How can I make the servers talk to each other, before hitting the origin
server?
Setting them up as siblings, and allowing icp access. That much looks
correct.
3. Is there anything else odd in my configuration?
Oh yeah... We'll get to that. ;o)
4. How can I block all other file types besides images, js, css, txt. I know
this can be done with an acl but thus far I haven't figured it out.
Block them how? Deny caching of other file types? Block replies from
the origin servers that are not identified as one of the above mentioned
files types? Block requests for objects that are not one of those file
types? Clarify this point and I'd be happy to give advice.
Here are the IPs:
Squid 1: 10.155.0.90:80 -> Webserver 1: 10.155.0.101
Squid 2: 10.155.0.91:80 -> Webserver 1: 10.155.0.102
Squid 3: 10.155.0.92:80 -> Webserver 1: 10.155.0.103
Something really bad happened with the line wrapping of the config. I
think I've got it parsed correctly...
Squid 1 Config:
visible_hostname img1.squid_server.com
dns_nameservers 10.155.0.240 10.155.0.241
Squid does a pretty good job of using the host OS settings for DNS
servers. Usually this directive is not needed.
cache_effective_user squid
cache_effective_group squid
As long as the user "squid" is a member of the group "squid"
cache_effective_group is not needed (and if the user is not a member of
the group, that should be fixed).
http_port 127.0.0.1:3128 accel defaultsite=localhost vhost
http_port 10.155.0.90:80 accel defaultsite=squid_server.com vhost
Is there something running on localhost port 80? If not, consolidate
these two lines to just "http_port 80 accel defaultsite=domain.com
vhost" and use localhost port 80 for cache_mgr queries. In any case,
defaultsite should be set to the default FQDN you wish to direct
visitors to if the HTTP request doesn't contain a Host header
(www.domain.com, test.domain.com or dev.domain.com).
cache_peer 10.155.0.101 parent 80 0 no-query originserver no-digest no-netdb-exchange forceddomain=www.domain.com name=prod
cache_peer_domain prod squid_server.com www.squid_server.com
Here's where things get really weird. Have a gander at
http://wiki.squid-cache.org/ConfigExamples/Reverse/VirtualHosting. No
really... I'll wait.
Notice how it's not specified how many domains the origin server hosts,
but there's only ONE cache_peer line? Notice how, in a vhost setup,
forceddomain is not used... Both by design.
cache_peer 10.155.0.101 parent 80 0 no-query originserver no-digest no-netdb-exchange forceddomain=test.domain.com name=test
cache_peer_domain test test.squid_server.com
cache_peer 10.155.0.101 parent 80 0 no-query originserver no-digest no-netdb-exchange forceddomain=dev.domain.com name=dev
cache_peer_domain dev dev.squid_server.com
Replace all the cache_peer and cache_peer_domain lines to this point with...
cache_peer 10.155.0.101 parent 80 0 no-query no-digest no-netdb-exchange originserver round-robin
cache_peer 10.155.0.102 parent 80 0 no-query no-digest no-netdb-exchange originserver round-robin
cache_peer 10.155.0.103 parent 80 0 no-query no-digest no-netdb-exchange originserver round-robin
If you really don't mind round-robin requests (which for an image/js/css
server you wouldn't) it's the simplest choice, otherwise you could use
sourcehash for client-server affinity. As I'll mention again later,
you really don't want to use cache_peer access or cache_peer_domain in
your setup. It's only relevant when you have different content on the
back-end servers.
cache_peer 10.155.0.91 sibling 80 3130 allow-miss no-netdb-exchange name=squid2
You might want to drop the no-netdb-exchange from the sibling lines.
Especially if you decide to leave query_icmp enabled...
cache_peer 10.155.0.92 sibling 80 3130 allow-miss no-netdb-exchange name=squid3
#headers
reply_header_access Cache-Control deny all
header_replace Cache-Control max-age=1209600
refresh_pattern . 0 50% 1209600 ignore-no-cache override-expire override-lastmod reload-into-ims ignore-reload ignore-no-store ignore-private
reload_into_ims on
#ICP
query_icmp on
Since all your servers are on the same LAN, don't bother with the ICMP
queries.
icp_port 3130
udp_incoming_address 10.155.0.90
Setting udp_incoming_address will prevent using this IP for
udp_outgoing_address. Leave it the default, unless you have multiple
interfaces, some which SHOULD NOT receive UDP data.
# Basic ACLs
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl mydomain dstdomain .domain.com .squid_server.com localhost .external.alliedadvpub.com
acl localnet src 10.0.0.0/16
acl Safe_ports port 80 # http
acl Safe_ports port 3128 # admin
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access allow mydomain
http_access deny all
Access controls handled... If you decide just to use port 80, you can
remove 3128 from Safe_ports.
icp_access allow localnet
icp_access deny all
Drop all of these cache_peer_access lines. You want to have the freedom
to query any of your peers for any request.
cache_peer_access prod allow mydomain
cache_peer_access prod deny all
cache_peer_access test allow mydomain
cache_peer_access test deny all
cache_peer_access dev allow mydomain
cache_peer_access dev deny all
#cache_peer_access squid1 allow mydomain localnet
#cache_peer_access squid1 deny all
cache_peer_access squid2 allow mydomain localnet
cache_peer_access squid2 deny all
cache_peer_access squid3 allow mydomain localnet
cache_peer_access squid3 deny all
You already defined the icp_access once. It's redundant here. No harm,
just redundant.
icp_access allow localnet
icp_access deny all
(other settings removed)
The other configs are exactly the same except the siblings are configured to
be the other servers and the parent for the main server points to another IP
(a different webserver).
I'm not seeing anything weird in cache.log. It seems to load the siblings
but when I look at the cache manager ICP sent and received is 0.
I'd have to guess this is related to defining udp_incoming_address, and
nothing else. If you want to make a simple change, just remove that
declaration and see if sibling queries work.
Jeff
Chris
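As an added example that is not part of either message in this thread, here is what Squid 1's config looks like with all of Chris's suggestions applied at once (single accel port, round-robin origin parents without forceddomain/cache_peer_domain/cache_peer_access, siblings without no-netdb-exchange, no query_icmp, no udp_incoming_address, one icp_access block). The addresses and domain names are the ones Jeff posted. The static_files ACL near the end is an assumption about what question 4 meant (deny requests for anything other than the listed image/js/css/txt types); Chris asked for clarification on that point, so drop it if that was not the intent. Squid 2 and Squid 3 would use the same file with their own visible_hostname and the other two caches as siblings.

```conf
# Added example, not from the thread: Squid 1 with Chris's recommendations applied.
# Assumes Squid 2.6 or later, as Chris's replies do.

visible_hostname img1.squid_server.com
cache_effective_user squid

# One accelerator port on all interfaces; localhost:80 then also serves cache_mgr queries.
# defaultsite is the FQDN used when a request arrives without a Host header.
http_port 80 accel defaultsite=www.domain.com vhost

# All three origin servers host all three domains, so there is no need for
# forceddomain, cache_peer_domain or cache_peer_access: just round-robin them.
cache_peer 10.155.0.101 parent 80 0 no-query no-digest no-netdb-exchange originserver round-robin
cache_peer 10.155.0.102 parent 80 0 no-query no-digest no-netdb-exchange originserver round-robin
cache_peer 10.155.0.103 parent 80 0 no-query no-digest no-netdb-exchange originserver round-robin

# Siblings are asked over ICP before a miss goes to the parents.
# no-netdb-exchange dropped as Chris suggested.
cache_peer 10.155.0.91 sibling 80 3130 allow-miss name=squid2
cache_peer 10.155.0.92 sibling 80 3130 allow-miss name=squid3

# headers (unchanged from Jeff's config)
reply_header_access Cache-Control deny all
header_replace Cache-Control max-age=1209600
refresh_pattern . 0 50% 1209600 ignore-no-cache override-expire override-lastmod reload-into-ims ignore-reload ignore-no-store ignore-private
reload_into_ims on

# ICP: keep the port. query_icmp is left off because all caches share one LAN,
# and udp_incoming_address is left unset, since (per Chris) setting it prevents
# that address from being used for udp_outgoing_address, i.e. for the sibling queries.
icp_port 3130

# Basic ACLs
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl mydomain dstdomain .domain.com .squid_server.com localhost .external.alliedadvpub.com
acl localnet src 10.0.0.0/16
acl Safe_ports port 80          # http only; 3128 is gone with the second http_port
acl CONNECT method CONNECT

# ASSUMPTION for question 4: this cache only serves the static types Jeff listed,
# so requests for any other path are refused before they reach an origin server.
acl static_files urlpath_regex -i \.(jpg|png|gif|js|css|txt)$

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny !static_files
http_access allow mydomain
http_access deny all

# One icp_access block is enough; the duplicate at the end of the original is gone.
icp_access allow localnet
icp_access deny all
```

After reloading with this on all three caches, the cache manager's ICP sent/received counters should start moving; if they stay at 0, the udp_incoming_address change alone is the first thing to test, as Chris's final note suggests.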