Re: [squid-users] Brief Flash of CACHE_ACCESS_DENIED on 302 (yahoo.com)

Jenny Lee wrote:
Um, sounds like you might have a few legacy setting issues.
Mail me a copy of your config if you would like a free audit.

Amos, thank you so much for your help and offer, my config is working as expected now. It is not necessary to waste more of your time. That 'all' made _ALL_ the difference!
I put a reminder to myself, I will donate within the next few months. I have been using squid for close to 15 years now! Henrik and I grew old on squid :) (Bless him, he helped way too much back in the day). Even though I always wanted to contribute, I never got around to it. This was a good opportunity. I spent a week debugging 3.1 configs. I especially had serious problems with proxy_auth accesses, returning proper error pages, cache_peer selections and always_direct. Nothing worked the way it should have. 'all' instead of '0.0.0.0/0' fixed it all for me. I also realized that I had '0.0.0.0/0.0.0.0' with some acls, and '0.0.0.0/0' with some others.
What exactly has changed from '0.0.0.0/0.0.0.0' or older '0.0.0.0/0',
'0/0' to 'all'?

Thank you!

Jen


PS: I have ipv6 stack removed from RedHat kernel and squid built with no
ipv6.

Strangely the only difference between them is when squid is built with
IPv6 support.

'0.0.0.0/0.0.0.0' becomes a weird 'odd' bitmask of ::ffff:0:0 in IPv6.
Which maps non-reversibly to a /0 CIDR (aka the bitmask of ::)

'0.0.0.0/0' maps to ::/0, which is at least usable. But is noisy on
startup warnings because the /0 removes the four ::ffff* bits of the
0.0.0.0 IP's v4-mapping bitmask.

'all' is hard-coded to match /0 (always true).

'0/0' causes a DNS lookup to find the hostname '0' (zero).
That may result in a routable IP address if 0.example.com has rDNS.
Before the /0 arrives and saves the day by wiping the address bitmask away.
*** Unfortunately that only saves the day in IPv4. In IPv6 it wipes the
bitmask down to a /96 CIDR and leaves the first 96 bits of the old IP being
used to match (or mostly fail rather) and many of the default squid
settings suddenly become 'allow' in IPv6.

Thanks for making me think about this. It's reminded me I have to add
extra checking and warnings for those values in 3.1.

Amos

Thank you for the thorough explanation. I have squid compiled with:

--enable-delay-pools \
--enable-poll \

If possible I'd suggest going for epoll or kqueue instead. Much faster socket handling.

--enable-auth=basic \
--enable-basic-auth-helpers=NCSA \
--disable-carp \
--disable-wccp \
--disable-wccp2 \
--disable-snmp \
--disable-htcp \
--disable-ident-lookups \
--disable-unlinkd \
--disable-translation \
--disable-auto-locale \

*-auto-locale you may want to keep. It presents the error pages in visitor-readable language texts. The /etc/squid/errorpages.css adds display branding control.

*-translation only affects build-time and creates the pages to be presented by *-auto-locale. The langpack bundles we provide are an alternative pre-built set of the latest page translations to drop in on existing Squid without a rebuild or even restart. But requires auto-locale to be really useful.

--disable-loadable-modules \
--disable-ipv6

It mentioned 'no ipv6 support found' and complained about leftover ::1 in /etc/hosts upon start. Definitely no ipv6 in this machine.

I have 2 questions though. I currently have 'cache deny all' in my setup, using proxy-only. What is the proper way to do ONLY ON-MEMORY caching, say with 4GB memory? Is using no cache/store directory directives sufficient?

In Squid 3.1 to enable caching, but limited to memory:

  remove all cache_dir entries from the config.

That's it.

No more fiddling with the "null" disk stuff or hacks around hidden disk defaults.

As you noticed the "cache ..." entries make Squid proxy-only. They need to permit storage (ie defaults) for memory-only caching.


I also remember a light squid project -- all caching code stripped from squid for proxy-only use. I couldn't find it on the net. Does anyone know which project it is? Or if there would be any advantage to it where one does no caching?

Have not heard of that one. I'm interested though in anything related. One of my long-term wishlist items is to build a configure option to minimize Squid footprint for low-spec builds.

3.1 with --disable-diskio might be usable to strip the disk caching code out.

Noting the way your options are tending toward minimal features you may or may not want to note ESI is also on by default now in 3.1.0.15

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
  Current Beta Squid 3.1.0.15
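
Added example (not part of the original thread and not Squid's own code): a small Python check that flags the legacy match-everything spellings discussed above in `acl ... src/dst` lines, so they can be replaced with the built-in `all`. The function name, the sample configuration and the restriction to the src and dst ACL types are assumptions made for the illustration.

```python
# Legacy "match everything" spellings named in the thread, with the reason given there.
LEGACY_ALL = {
    "0.0.0.0/0.0.0.0": "becomes an odd ::ffff:0:0 bitmask when Squid is built with IPv6",
    "0.0.0.0/0": "maps to ::/0, usable but noisy with startup warnings",
    "0/0": "'0' is looked up in DNS as a hostname before the /0 mask is applied",
}
IP_ACL_TYPES = {"src", "dst"}  # assumption: only address-based ACL types are checked


def audit_squid_acls(config_text):
    """Return (line_no, acl_name, value, reason) for every legacy all-address value."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        # An address ACL looks like: acl <name> <type> <value> [<value> ...]
        if len(fields) < 4 or fields[0] != "acl" or fields[2] not in IP_ACL_TYPES:
            continue
        for value in fields[3:]:
            if value in LEGACY_ALL:
                findings.append((line_no, fields[1], value, LEGACY_ALL[value]))
    return findings


# Constructed sample configuration, not taken from anyone's real setup.
SAMPLE_CONF = """\
# constructed sample
acl all src 0.0.0.0/0.0.0.0
acl everyone src 0/0
acl anywhere dst 0.0.0.0/0
acl localnet src 192.168.0.0/16
acl users proxy_auth REQUIRED
http_access allow localnet users
http_access deny all
"""

if __name__ == "__main__":
    for line_no, name, value, reason in audit_squid_acls(SAMPLE_CONF):
        print(f"line {line_no}: acl {name} uses {value!r}: {reason}; "
              "use the built-in 'all' instead")
```
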
