Jamie Orzechowski wrote:
Since I have moved to a TProxy setup all my traffic is showing up as a TCP_MISS ... Without TProxy I see HIT's all over the place. Any ideas what is causing this??

Running the following

IPTables: v1.4.3.2:
Kernel: 2.6.28-11-server
Squid Cache: Version 3.1.0.8
configure options: '--prefix=/usr' '--mandir=/share/man' '--infodir=/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=/lib/squid3' '--sysconfdir=/etc/squid3' '--enable-inline' '--enable-async-io=32' '--enable-storeio=ufs,aufs,diskd' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores' '--enable-follow-x-forwarded-for' '--with-filedescriptors=65536' '--with-default-user=proxy' '--enable-linux-netfilter' --with-squid=/tmp/squid-3.1.0.8 --enable-ltdl-convenience

TProxy setup with the following

/usr/local/sbin/iptables -t mangle -N DIVERT
/usr/local/sbin/iptables -t mangle -A DIVERT -j MARK --set-mark 1
/usr/local/sbin/iptables -t mangle -A DIVERT -j ACCEPT
/usr/local/sbin/iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
/usr/local/sbin/iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
echo 1 > /proc/sys/net/ipv4/ip_forward

-----------------------------------------------

Here is part of my config

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 66.78.96.0/19
acl localnet src 64.235.192.0/19
acl localnet src 72.0.192.0/19
acl localnet src 192.168.1.0/24
acl localnet src 192.168.254.0/24
hierarchy_stoplist cgi-bin ?
You appear to be under some illusion about what the following directives mean...
cache == don't store the object as it flows through Squid.
always_direct == don't send to a configured cache_peer.

thus...
acl directurls url_regex -i "/etc/squid3/direct-urls"
cache deny localnet
... prevents *_HIT ever occurring if the web object was fetched from localnet.
cache deny directurls
.. prevent storage (thus *_HIT) for any request matching a set of regex patterns.
always_direct allow directurls
.. since no cache_peer entries, merely slows squid down as it does a very slow regex match.
cache allow all
... then lets stuff be cached. Which is normal behavior if none of the above exist.
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localnet
http_access allow localhost
http_access deny all

icp_access allow localnet
htcp_access allow localnet
icp_access deny all
htcp_access deny all
htcp_clr_access deny all
ident_lookup_access deny all

http_port 66.78.102.2:3128
http_port 66.78.102.2:3129 tproxy

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(iso|img|avi|wav|mp3|mp4|mpg|mpeg|swf|flv|x-flv|wma|wmv)$ 43200 90% 432000 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff|pdf)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 40% 40320
It is a problem mentioned before. Your problem probably has something to do with this:

cache deny localnet

What I don't understand is why you get any HIT at all.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
  Current Beta Squid 3.1.0.8 or 3.0.STABLE16-RC1
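An added example, not part of the thread and not Squid's own code: a small checker that walks the `cache` rules of a squid.conf in order and reports which rule decides for a given client address, using the cache-related lines quoted above as constructed sample input. The names `parse` and `cache_decision` are hypothetical; the sketch assumes IPv4, evaluates only `src` ACLs, and treats a rule that names any other ACL type (such as the `url_regex` one) as not matching.

```python
import ipaddress

# Constructed sample: the cache-related lines from the configuration quoted above.
SAMPLE_CONF = """\
acl localnet src 66.78.96.0/19
acl localnet src 64.235.192.0/19
acl localnet src 72.0.192.0/19
acl localnet src 192.168.1.0/24
acl localnet src 192.168.254.0/24
acl directurls url_regex -i "/etc/squid3/direct-urls"
cache deny localnet
cache deny directurls
always_direct allow directurls
cache allow all
"""

def parse(conf):
    """Return (src_acls, cache_rules) from squid.conf text."""
    src_acls, rules = {"all": [ipaddress.ip_network("0.0.0.0/0")]}, []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] == "src":
            # Repeated acl lines with the same name accumulate (OR).
            src_acls.setdefault(tok[1], []).extend(
                ipaddress.ip_network(v, strict=False) for v in tok[3:])
        elif len(tok) >= 3 and tok[0] == "cache" and tok[1] in ("allow", "deny"):
            rules.append((tok[1], tok[2:]))
    return src_acls, rules

def cache_decision(conf, client_ip):
    """First matching 'cache' rule wins; ACL names on one line are ANDed."""
    src_acls, rules = parse(conf)
    ip = ipaddress.ip_address(client_ip)
    def matches(name):
        negate, name = name.startswith("!"), name.lstrip("!")
        if name not in src_acls:
            return None  # assumption: non-src ACLs are not evaluated here
        return any(ip in net for net in src_acls[name]) != negate
    for rule_no, (action, names) in enumerate(rules, 1):
        results = [matches(n) for n in names]
        if None not in results and all(results):
            return action, rule_no
    # No rule matched: the opposite of the last rule applies (allow if none).
    fallback = "allow" if not rules or rules[-1][0] == "deny" else "deny"
    return fallback, None
```

The second value returned is the position of the deciding rule among the `cache` lines, or `None` when the default applied.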