On 12/02/11 10:47, justin hyland wrote:
> I'm trying to get multiple squid servers to act as front-end web
> servers for my main central apache web server, here is my setup so
> far...
So far you have an unrestricted "open proxy". Not good. See below for fixes.
> I have changed the IP of the apache server that this sends traffic to,
> to 123.123.123.123, fyi
> Code:
> # egrep -v "^#" squid.conf | sed -e '/^$/d'
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
Add:
acl to_localhost dst 0.0.0.0/32
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
NP: Missing reverse proxy ACL and http_access rules indicating what
websites you are hosting.
http://wiki.squid-cache.org/ConfigExamples/Reverse/BasicAccelerator
Note the http_access rules and the extra-special mention that the
reverse-proxy stuff needs to be first in the config file before any of
these forward-proxy restrictions. Order is important.
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow all
After placing the right accelerator http_access rules up above, this
"allow all" can be set back to the safe "deny all".
> icp_access allow all
> http_port 80 accel defaultsite=123.123.123.123 vhost
> cache_peer 123.123.123.123 parent 80 0 no-query originserver name=myAccel
> cache_peer_access myAccel allow all
> hierarchy_stoplist cgi-bin ?
Drop this hierarchy_stoplist for reverse proxies.
> cache_dir ufs /var/spool/squid 2000 16 256
> access_log /var/log/squid/access.log squid
> cache_log /var/log/squid/cache.log
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
If you have 2.7 this QUERY stuff can be dropped.
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
Add right here:
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> always_direct allow all
"always_direct allow all" overrides the one piece of security preventing
your Squid from being an open-proxy. Set the http_access correctly and
remove this or set it back to "always_direct deny all".
> coredump_dir /var/spool/squid
> This works wonders.. for about 4 minutes. then the requests go from
> half a second per page load, to 5 to 10, then 30 or 40 seconds..,
> then it won't even process, the tail -f access_logs shows that it's not
> even hitting apache any longer on the central server, so it's like
> squid freezes up, any idea???
One of the main purposes of a reverse-proxy is to reduce load in the
backend, serving pages from the proxy cache instead. When this is
working the central Apache will not see many hits. Somewhere between 80%
and 100% of all traffic will "disappear" from the Apache log.
Look to the Squid access.log for a full record of actual visitors and
service times.
> I have turned off the firewall on the squid server as well as the
> central apache server, and still doesn't help much. I read through
> http://squidproxy.wordpress.com/2007...s-are-hanging/ and did all of
> it, with no avail.
> P.S. I doubt this is a connection issue between the servers, as the
> website WITH squid loads just as fast as apache for a few minutes,
> then slowly goes to a halt
With Squid-2 you will need to add this to your configuration file:
never_direct 0 seconds
If the problem persists after all the above changes are made then
debugging why will start to be useful.
Luis mentioned the -X -N command line options that will produce a
full debug output to the terminal/screen stdout.
Alternatively just -X will leave that same trace in Squid's cache.log
for later analysis. Just watch the available disk space when doing it this way.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.11
Beta testers wanted for 3.2.0.4
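The open-proxy pattern Amos points out above (an unconditional "http_access allow all", "always_direct allow all", "cache_peer_access myAccel allow all", and no accelerator ACL naming the hosted sites) is easy to spot mechanically. The following is an added example, not code from the thread or from the Squid project: a small Python audit that parses a squid.conf fragment and reports those four problems plus the ordering point from the BasicAccelerator page. Both configurations embedded below are constructed from the one posted here; www.example.com stands in for the poster's real hostname, which the thread does not give. The checker is a linter over the directives, not a reimplementation of Squid's ACL engine.

```python
"""Audit a squid.conf fragment for the reverse-proxy-turned-open-proxy pattern."""

# Constructed from the posted config, reduced to the lines that decide access.
OPEN_PROXY_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all
http_port 80 accel defaultsite=123.123.123.123 vhost
cache_peer 123.123.123.123 parent 80 0 no-query originserver name=myAccel
cache_peer_access myAccel allow all
always_direct allow all
"""

# Constructed hardened version: accelerator rules first, as the BasicAccelerator
# wiki example does; www.example.com is a placeholder for the hosted site.
HARDENED_CONF = """
http_port 80 accel defaultsite=www.example.com vhost
cache_peer 123.123.123.123 parent 80 0 no-query originserver name=myAccel
acl our_sites dstdomain www.example.com
http_access allow our_sites
cache_peer_access myAccel allow our_sites
cache_peer_access myAccel deny all
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
always_direct deny all
"""

CATCH_ALL_SRC = {"0.0.0.0/0.0.0.0", "0.0.0.0/0", "all"}
DEST_ACL_TYPES = {"dstdomain", "dstdom_regex", "dst", "url_regex", "urlpath_regex"}


def parse(conf_text):
    """Split a config into acl definitions (name -> (type, args)) and ordered directives."""
    acls, directives = {}, []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 3:
            acls[parts[1]] = (parts[2], parts[3:])
        else:
            directives.append((parts[0], parts[1:]))
    return acls, directives


def is_catch_all(name, acls):
    """True if an ACL term matches every client: built-in 'all' or a src ACL for 0.0.0.0/0."""
    if name == "all" and name not in acls:
        return True  # Squid 3.x defines 'all' internally
    acl_type, args = acls.get(name, (None, []))
    return acl_type == "src" and any(a in CATCH_ALL_SRC for a in args)


def audit(conf_text):
    """Return a list of findings; an empty list means none of the checked problems were seen."""
    acls, directives = parse(conf_text)
    findings = []
    http_access = [args for d, args in directives if d == "http_access"]
    first_site_allow = first_deny = None
    for idx, args in enumerate(http_access):
        action, terms = args[0], [t.lstrip("!") for t in args[1:]]
        if action == "deny" and first_deny is None:
            first_deny = idx
        if action != "allow":
            continue
        if {acls.get(t, (None, []))[0] for t in terms} & DEST_ACL_TYPES and first_site_allow is None:
            first_site_allow = idx  # first rule that names the hosted sites
        if terms and all(is_catch_all(t, acls) for t in terms):
            findings.append("open-proxy: 'http_access allow' with only catch-all client ACLs")
    if first_site_allow is None:
        findings.append("no accelerator rule: no http_access allow names a destination ACL for the hosted sites")
    elif first_deny is not None and first_site_allow > first_deny:
        findings.append("ordering: accelerator allow rule comes after forward-proxy deny rules")
    if http_access and not (http_access[-1][0] == "deny" and http_access[-1][1:] == ["all"]):
        findings.append("no final 'http_access deny all'")
    for d, args in directives:
        if d == "always_direct" and args[:2] == ["allow", "all"]:
            findings.append("'always_direct allow all' bypasses the origin cache_peer for any URL")
        if d == "cache_peer_access" and len(args) >= 3 and args[1] == "allow" \
                and all(is_catch_all(t, acls) for t in args[2:]):
            findings.append(f"cache_peer_access {args[0]} allow all: peer receives requests for any host")
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", OPEN_PROXY_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "clean")
```

Running it prints five findings for the posted fragment and "clean" for the hardened one. The audit deliberately treats an "http_access allow" whose terms are all catch-all client ACLs as the open-proxy signal, which is exactly why "http_access allow all" has to become "deny all" once the "allow our_sites" rule sits at the top.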