Re: Re: TCp_HIT problem


Farhad Ibragimov wrote:
 Hello Squid-users,

   Dear Squid Guru

   I installed a new Squid 3 days ago. The version is 3.0 15. The
   problem is that I don't see TCP_HIT (only TCP_MISS) in the access log file.
   The configuration file is attached. Please help.



#       WELCOME TO SQUID 3.0.STABLE15
#       ----------------------------
http_port 3128 transparent
cache_mem 1024 MB
minimum_object_size 2048 KB

?? looks like your problem. Most of the web traffic you will ever see is under 2 MB big.
Average size is somewhere between 32KB and 128KB depending on your clients.

... more points to follow....

icp_port 0
wccp2_router 85.132.32.20
visible_hostname "url..."
url_rewrite_children 20
cache_dir ufs /cache 6000 16 256
cache_swap_low 90
cache_swap_high 95
allow_underscore on
request_header_max_size 128 KB

Please do NOT raise this above 64KB in Squid 3.0!
There are a very large number of remote DDoS vulnerabilities that open up. The default for each Squid version is kept at the largest safe value we can be sure of.


client_persistent_connections on
server_persistent_connections on
maximum_object_size_in_memory 50 KB
cache_replacement_policy heap LFUDA
maximum_object_size 50 MB
######LOG################
access_log /var/squid/logs/access.log squid
cache_log /var/squid/logs/cache.log
cache_store_log /var/squid/logs/store.log
###############################
cache_mgr "mail address"
httpd_suppress_version_string on
# SNMP OPTIONS
# -----------------------------------------------------------------------------
#snmp_port 1161
#snmp_access allow snmppublic localhost
#snmp_access deny all
cache_effective_user squid
cache_effective_group squid
###############################################################
acl dayaz  dstdomain .day.az
always_direct allow dayaz
###############################################################
refresh_pattern -i \.gif$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern -i \.png$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern -i \.jpg$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern -i \.jpeg$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern -i \.pdf$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern -i \.zip$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern -i \.tar$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern -i \.gz$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern -i \.tgz$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern -i \.exe$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern -i \.prz$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern -i \.ppt$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern -i \.inf$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern -i \.swf$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern -i \.mid$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern -i \.wav$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern -i \.mp3$ 43200 100% 43200 override-lastmod override-expire

#refresh_pattern ^ftp:          1440    20%     10080
#refresh_pattern ^gopher:       1440    0%      1440
refresh_pattern (cgi-bin|\?)    0       0%      0
#refresh_pattern .              0       20%     4320

Please do not alter the four above. They ensure that your cache is not vulnerable to cache poisoning attacks or committing them against other caches.


# ACCESS CONTROLS
##############################################################
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8


# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
#
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#  TAG: http_access
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#http_access allow localnet

Something has gone wrong. The above line commented out prevents local networks from being serviced by this Squid.
I would expect this config to show constant TCP_MISS:DENIED in access.log.


http_access deny all

icp_access deny all
htcp_access deny all

hierarchy_stoplist cgi-bin ?

#  TAG: debug_options
#       Logging options are set as section,level where each source file
#       is assigned a unique section.  Lower levels result in less
#       output,  Full debugging (level 9) can result in a very large
#       log file, so be careful.  The magic word "ALL" sets debugging
#       levels for all sections.  We recommend normally running with
#       "ALL,1".
#
#Default:
# debug_options ALL,1

icp_port 0
htcp_port 0
log_icp_queries off

allow_underscore on

# WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS
#wccp_version 4
# wccp2_rebuild_wait on
# wccp2_forwarding_method 1
# wccp2_return_method 1
# wccp2_assignment_method 1
# wccp2_service standard 0
# wccp2_weight 10000
# wccp_address 0.0.0.0
# wccp2_address 0.0.0.0

# ERROR PAGE OPTIONS
# -----------------------------------------------------------------------------
# error_directory /squid/share/errors/templates
email_err_data on

client_db on
coredump_dir /var/squid/cache

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
  Current Beta Squid 3.1.0.10 or 3.1.0.11
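
The four points raised in this reply can be checked mechanically. The following is an added example, not part of the original thread and not Squid project code: a small squid.conf audit whose function name, finding codes and 128 KB minimum-object threshold (the upper average object size quoted above) are assumptions, run against a constructed excerpt of the posted configuration.

```python
UNITS = {"bytes": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
# Regexes of the four stock refresh_pattern lines the reply says to keep.
STOCK_REFRESH = ["^ftp:", "^gopher:", r"(cgi-bin|\?)", "."]

# Constructed sample: an excerpt of the configuration posted in the thread.
SAMPLE = r"""
minimum_object_size 2048 KB
request_header_max_size 128 KB
refresh_pattern -i \.gif$ 43200 100% 43200 override-lastmod override-expire
#refresh_pattern ^ftp:          1440    20%     10080
#refresh_pattern ^gopher:       1440    0%      1440
refresh_pattern (cgi-bin|\?)    0       0%      0
#refresh_pattern .              0       20%     4320
http_access allow manager localhost
http_access deny manager
#http_access allow localnet
http_access deny all
"""

def to_bytes(args):
    """['2048', 'KB'] -> 2097152; a bare number is taken as bytes."""
    return int(args[0]) * UNITS[args[1] if len(args) > 1 else "bytes"]

def audit(conf_text, min_obj_limit=128 * 1024, header_limit=64 * 1024):
    """Return a sorted list of finding codes for a squid.conf string."""
    # Simplification: everything after '#' on a line is treated as a comment.
    active = [l.split("#", 1)[0].split() for l in conf_text.splitlines()]
    findings, seen_refresh, client_allow = set(), set(), False
    for name, *args in (t for t in active if len(t) > 1):
        if name == "minimum_object_size" and to_bytes(args) > min_obj_limit:
            findings.add("MIN_OBJECT_SIZE_TOO_LARGE")    # small objects never cached
        elif name == "request_header_max_size" and to_bytes(args) > header_limit:
            findings.add("HEADER_LIMIT_ABOVE_64KB")      # DoS exposure in Squid 3.0
        elif name == "refresh_pattern":
            seen_refresh.add(args[1] if args[0] == "-i" else args[0])
        elif name == "http_access" and args[0] == "allow" and "manager" not in args:
            client_allow = True                          # some client ACL is allowed
    if any(r not in seen_refresh for r in STOCK_REFRESH):
        findings.add("STOCK_REFRESH_PATTERN_MISSING")    # cache-poisoning safeguard
    if not client_allow:
        findings.add("NO_CLIENT_ALLOW_RULE")             # every request is denied
    return sorted(findings)

if __name__ == "__main__":
    print(audit(SAMPLE))
```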
