
Re: Squid Cache - hangs after a few minutes


 



On 12/02/11 10:47, justin hyland wrote:
I'm trying to get multiple squid servers to act as front-end web
servers for my main central apache web server, here is my setup so
far...

So far you have an unrestricted "open proxy". Not good. See below for fixes.


I have changed the IP of the apache server that this sends traffic to,
to 123.123.123.123, fyi
Code:

# egrep -v "^#" squid.conf | sed -e '/^$/d'
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8

Add:
  acl to_localhost dst 0.0.0.0/32

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

NP: Missing reverse proxy ACL and http_access rules indicating what websites you are hosting.

http://wiki.squid-cache.org/ConfigExamples/Reverse/BasicAccelerator

Note the http_access rules and the extra-special mention that the reverse-proxy stuff needs to be first in the config file before any of these forward-proxy restrictions. Order is important.

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all

After placing the right accelerator http_access rules up above, this "allow all" can be set back to the safe "deny all".


icp_access allow all
http_port 80 accel defaultsite=123.123.123.123 vhost
cache_peer 123.123.123.123 parent 80 0 no-query originserver name=myAccel
cache_peer_access myAccel allow all
hierarchy_stoplist cgi-bin ?

Drop this hierarchy_stoplist for reverse proxies.

cache_dir ufs /var/spool/squid 2000 16 256
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY

If you have 2.7 this QUERY stuff can be dropped.

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440

Add right here:
   refresh_pattern -i (/cgi-bin/|\?) 0 0% 0

refresh_pattern .               0       20%     4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
always_direct allow all

"always_direct allow all" overrides the one piece of security preventing your Squid from being an open-proxy. Set the http_access correctly and remove this or set it back to "always_direct deny all".

coredump_dir /var/spool/squid

This works wonders.. for about 4 minutes. Then the requests go from
half a second per page load, to 5 to 10, then 30 or 40 seconds..,
then it won't even process, the tail -f access_logs shows that it's not
even hitting apache any longer on the central server, so it's like
squid freezes up, any idea???

One of the main purposes of a reverse-proxy is to reduce load in the backend, serving pages from the proxy cache instead. When this is working the central Apache will not see many hits. Somewhere between 80% and 100% of all traffic will "disappear" from the Apache log.

Look to the Squid access.log for a full record of actual visitors and service times.


I have turned off the firewall on the squid server as well as the
central apache server, and still doesn't help much. I read through
http://squidproxy.wordpress.com/2007...s-are-hanging/ and did all of
it, to no avail.

P.S. I doubt this is a connection issue between the servers, as the
website WITH squid loads just as fast as apache for a few minutes,
then slowly goes to a halt

With Squid-2 you will need to add this to your configuration file:
  never_direct 0 seconds


If the problem persists after all the above changes are made then debugging why will start to be useful.

Luis mentioned the -X -N command line options that will produce a full debug output to the terminal/screen stdout. Alternatively just -X will leave that same trace in Squid's cache.log for later analysis. Just watch the available disk space when doing it this way.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.11
  Beta testers wanted for 3.2.0.4

