On 10/11/10 17:54, Chris Toft wrote:
And in the cache.log......
2010/11/10 15:50:28| temporary disabling (Forbidden) digest from 172.xx.xx.xx
-----Original Message-----
From: Chris Toft [mailto:ctoft@xxxxxxxxxxxxxxxxxxxxx]
Sent: Wednesday, 10 November 2010 1:51 PM
To: Amos Jeffries; squid-users@xxxxxxxxxxxxxxx
Subject: RE: Multisite ICP peering
Hi Amos (or anyone else)
From the configs shown, what do I need to do to allow the store_digest access.....
TCP_DENIED/403 1504 GET internal://mywebsite.com/squid-internal-periodic/store_digest - NONE/- text/html
Thanks
IIRC these are caught by the "manager" ACL. So the sibling or parents
(whichever you want to allow access) may need adding to the ACL set for
manager access.
Amos
-----Original Message-----
From: Chris Toft [mailto:ctoft@xxxxxxxxxxxxxxxxxxxxx]
Sent: Wednesday, 10 November 2010 12:39 PM
To: Amos Jeffries; squid-users@xxxxxxxxxxxxxxx
Subject: RE: Multisite ICP peering
OK here are my configs for anyone interested.
Just to explain.
Primary site:
Web -> Squid primary caches -> Check all Squid siblings (primary site only) -> Primary Webservers
Secondary site:
Web -> squid dr caches -> Check all Squid siblings (both sites as this site is only a warm cache) -> dr webservers
Hardware: IBM x3650 M2
74gb memory
10 x 50gb SSD drives (one for each of /var/spool/squid0 to squid9)
So any request that hits primary checks the 3 local squid caches and then the origin servers
Any request that hits secondary checks both secondary servers, then the 3 primary squid caches (dark fibre DC links) and then the DR origin servers.
Been nailing these boxes all morning with httperf log replays. Initially I got a lot of misses but now I am getting around 75-85% hit ratio based on last week's apache logs.
Here are my configs:
This is the initial configuration that successfully fulfilled all criteria. The secondary site section is substituted out for the DR site.
============
PRIMARY SITE
============
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 172.x.0.0/12 # RFC1918 possible internal network
acl admins src 172.x.x.x
acl admins src 172.x.x.x
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl CONNECT method CONNECT
http_access allow manager localhost
http_access allow manager admins
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localnet
acl allowed_sites dstdomain "/etc/squid/allowed_sites.conf"
http_access allow allowed_sites
http_access allow localhost
http_access deny all
icp_access allow localnet
icp_access deny all
http_port 80 accel vhost defaultsite=mywebsite.com
cache_peer 172.x.x.245 parent 80 0 no-query originserver round-robin name=webserver011 monitorurl=http://mywebsite.com/img/noPhoto.gif monitortimeout=10 connect-timeout=5 monitorinterval=5 no-digest
cache_peer 172.x.x.247 parent 80 0 no-query originserver round-robin name=webserver021 monitorurl=http://mywebsite.com/img/noPhoto.gif monitortimeout=10 connect-timeout=5 monitorinterval=5 no-digest
cache_peer 172.x.x.248 parent 80 0 no-query originserver round-robin name=webserver031 monitorurl=http://mywebsite.com/img/noPhoto.gif monitortimeout=10 connect-timeout=5 monitorinterval=5 no-digest
cache_peer 172.x.x.249 parent 80 0 no-query originserver round-robin name=webserver041 monitorurl=http://mywebsite.com/img/noPhoto.gif monitortimeout=10 connect-timeout=5 monitorinterval=5 no-digest
cache_peer 172.x.x.238 sibling 80 3130 name=pri-squid011 connect-timeout=5 multicast-siblings
cache_peer 172.x.x.188 sibling 80 3130 name=pri-squid021 connect-timeout=5 multicast-siblings
cache_peer 172.x.x.205 sibling 80 3130 name=pri-squid031 connect-timeout=5 multicast-siblings
cache_peer 239.128.0.112 multicast 80 3130 ttl=16
cache_peer_access webserver011 allow allowed_sites
cache_peer_access webserver021 allow allowed_sites
cache_peer_access webserver031 allow allowed_sites
cache_peer_access webserver041 allow allowed_sites
cache_peer_access pri-squid011 allow allowed_sites
cache_peer_access pri-squid021 allow allowed_sites
cache_peer_access pri-squid031 allow allowed_sites
hierarchy_stoplist cgi-bin
cache_mem 64 GB
maximum_object_size_in_memory 100 KB
memory_replacement_policy lru
cache_replacement_policy heap LFUDA
cache_dir aufs /var/spool/squid0 36864 16 256
cache_dir aufs /var/spool/squid1 36864 16 256
cache_dir aufs /var/spool/squid2 36864 16 256
cache_dir aufs /var/spool/squid3 36864 16 256
cache_dir aufs /var/spool/squid4 36864 16 256
cache_dir aufs /var/spool/squid5 36864 16 256
cache_dir aufs /var/spool/squid6 36864 16 256
cache_dir aufs /var/spool/squid7 36864 16 256
cache_dir aufs /var/spool/squid8 36864 16 256
cache_dir aufs /var/spool/squid9 36864 16 256
maximum_object_size 50 MB
cache_swap_low 90
cache_swap_high 95
logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log /var/log/squid/squid.log combined all
access_log /var/log/squid/access.log squid
pid_filename /var/run/squid.pid
strip_query_terms off
buffered_logs on
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
quick_abort_min 0 KB
quick_abort_max 0 KB
negative_ttl 0 minutes
positive_dns_ttl 5 minutes
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
collapsed_forwarding on
refresh_stale_hit 10 seconds
read_timeout 1 minute
request_timeout 1 minute
half_closed_clients off
shutdown_lifetime 5 seconds
cache_mgr unix@xxxxxxxxxxxxx
httpd_suppress_version_string on
icp_port 3130
log_icp_queries on
icp_hit_stale on
mcast_groups 239.128.0.112
max_filedescriptors 16384
hosts_file /etc/hosts
memory_pools off
forwarded_for on
client_db off
coredump_dir /var/spool/squid
==============
SECONDARY SITE
==============
This section of the configuration is substantially different to the primary site as the squid caches will reference all siblings across both sites before going to the secondary site backend webservers.
cache_peer 172.x.1.166 parent 80 0 no-query originserver round-robin name=dr-webserver011 monitorurl=http://mywebsite.com/img/noPhoto.gif monitortimeout=10 connect-timeout=5 monitorinterval=5 no-digest default
cache_peer 172.x.1.167 parent 80 0 no-query originserver round-robin name=dr-webserver021 monitorurl=http://mywebsite.com/img/noPhoto.gif monitortimeout=10 connect-timeout=5 monitorinterval=5 no-digest default
cache_peer 172.x.1.168 parent 80 0 no-query originserver round-robin name=dr-webserver031 monitorurl=http://mywebsite.com/img/noPhoto.gif monitortimeout=10 connect-timeout=5 monitorinterval=5 no-digest default
cache_peer 172.x.1.169 parent 80 0 no-query originserver round-robin name=dr-webserver041 monitorurl=http://mywebsite.com/img/noPhoto.gif monitortimeout=10 connect-timeout=5 monitorinterval=5 no-digest default
cache_peer 172.26.22.152 multicast 80 3130 name=dr-squid011 connect-timeout=5 multicast-siblings
cache_peer 172.26.22.153 multicast 80 3130 name=dr-squid021 connect-timeout=5 multicast-siblings
cache_peer 172.26.26.238 multicast 80 3130 name=pri-squid011 connect-timeout=5 multicast-siblings
cache_peer 172.26.26.188 multicast 80 3130 name=pri-squid021 connect-timeout=5 multicast-siblings
cache_peer 172.26.26.205 multicast 80 3130 name=pri-squid031 connect-timeout=5 multicast-siblings
cache_peer 239.128.0.112 multicast 80 3130 ttl=16
cache_peer_access dr-squid011 allow allowed_sites
cache_peer_access dr-squid021 allow allowed_sites
cache_peer_access pri-squid011 allow allowed_sites
cache_peer_access pri-squid021 allow allowed_sites
cache_peer_access pri-squid031 allow allowed_sites
cache_peer_access dr-webserver011 allow allowed_sites
cache_peer_access dr-webserver021 allow allowed_sites
cache_peer_access dr-webserver031 allow allowed_sites
cache_peer_access dr-webserver041 allow allowed_sites
-----Original Message-----
From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx]
Sent: Tuesday, 9 November 2010 5:35 PM
To: squid-users@xxxxxxxxxxxxxxx
Subject: Re: Multisite ICP peering
On 03/11/10 21:53, Chris Toft wrote:
Thanks for the reply, I actually fixed it. Removed the multicast-responder option and just left multicast-sibling.
Man this thing flies on 5 boxes with 64gb memory and 10x 50gb solid state drives for the cache :-)
I will post working config tomorrow for anyone interested.
Interested :) please post.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.9
Beta testers wanted for 3.2.0.3
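
Added example (not part of the original thread and not Squid code): a small Python model of first-match http_access evaluation, run over a cut-down copy of the primary-site rules, showing why a sibling's request falls through to "http_access deny manager" and what a narrow peers-only allow changes. It follows Amos's recollection that the digest fetch is caught by the manager ACL; the addresses, the "peers" ACL name and the helper names are constructed for illustration.

```python
import ipaddress

# Constructed addresses (the thread's are redacted); "peers" is an assumed ACL name.
BEFORE = """
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localnet src 172.16.0.0/12
acl admins src 172.16.9.10
http_access allow manager localhost
http_access allow manager admins
http_access deny manager
http_access allow localnet
http_access deny all
"""
AFTER = BEFORE.replace("http_access deny manager", "acl peers src 172.16.26.11 "
    "172.16.26.12\nhttp_access allow manager peers\nhttp_access deny manager")
# Assumption taken from Amos's reply: the digest fetch is caught by "manager".
SIBLING = {"src": "172.16.26.11", "proto": "cache_object"}

def parse(conf):
    acls, rules = {}, []
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()
        if tok and tok[0] == "acl":
            # Repeated "acl NAME" lines add values; values of one ACL are ORed.
            acls.setdefault(tok[1], (tok[2], []))[1].extend(tok[3:])
        elif tok and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules

def acl_matches(acls, name, req):
    kind, values = acls[name]
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(v == "all" or ip in ipaddress.ip_network(v) for v in values)
    if kind == "proto":
        return req["proto"] in values
    raise ValueError("ACL type not modelled: " + kind)

def decide(conf, req):
    """First line whose ACLs all match decides; ACLs on one line are ANDed."""
    acls, rules = parse(conf)
    for action, names in rules:
        if all(acl_matches(acls, n.lstrip("!"), req) != n.startswith("!")
               for n in names):
            return action, "http_access %s %s" % (action, " ".join(names))
    # Nothing matched: Squid applies the opposite of the last rule's action.
    return ("deny" if rules[-1][0] == "allow" else "allow"), "(no match)"
```

Because the allow names the peer addresses rather than localnet, other hosts on the internal network still hit the manager deny.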