On 21/03/11 21:44, Morgan Storey wrote:
Hi Everyone,
Setting up a reverse caching proxy with Squid on windows 2003
(unfortunately) in a lab for a proof of concept. Using 2.7.STABLE8.
Never done this on windows so be kind.
Should be identical to the non-windows variety from the Squid
configuration viewpoint.
The reverse proxy works to any of the sites on the webserver, but if I
turn off the webserver and attempt to get to the sites via the proxy's
cache it times out (to test a failure of the webserver).
I have a separate Squid reverse proxy and a separate IIS6 web server
running an application called Umbraco.
I have done a fair bit of googling but can't find the answer, I mainly
have used the guides below as well as a bit from the squid
documentation.
http://ashleyangell.com/2009/03/configuring-a-basic-reverse-proxy-in-squid-on-windows-website-accelerator/
http://www.mnot.net/blog/2007/12/12/stale
http://www.howtoforge.com/how-to-set-up-a-caching-reverse-proxy-with-squid-2.6-on-debian-etch
Here are the two squid.conf's I have tried (mashed together from my
meagre knowledge and the above): http://pastebin.com/L9EjafJW
http://pastebin.com/QS6kxUwN
Mark (mnot) has some great stuff on cache controls.
I have also played with the cache control setting in IIS, but it
doesn't appear right (two Cache-control entries?), I get the below if
A bit weird, but perfectly valid. They combine together with the later
one overriding the former if there are any setting double-ups.
I wget the index on the webserver
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Cache-Control: public, max-age=5,stale-while-revalidate=600,
stale-if-error=36000
Set-Cookie: ASP.NET_SessionId=fdlkjayuf98dsfgnkjdsl7; path=/; HttpOnly
Cache-Control: private
In this case the "private" indicates that the object "MUST NOT" under be
shared to other visitors. So Squid will not store it for use by other
visitors when the server is down.
It comes later so I believe it overrides the initial "public" flag.
stale-while-revalidate and stale-if-error interact in strange ways I
have not quite got my head around properly yet. But I believe those
should have at least 10 minutes of cache HIT during downtime whatever
happens after that.
Some notes on those configs:
(squid1)
* You can deny CONNECT entirely. It should never happen to a
reverse-proxy. They get native HTTPS connections to their https_port.
* Your reverse-proxy settings, for cache_peer and the related
http_access rule MUST be above the default forward-proxy rules. Since
this appears to be a pure reverse-proxy you can drop the default config
file http_access lines entirely.
NP: do that and I believe your Squid will stop needing to wait for
DNS. It only uses it now to check the localnet ACL :)
* header_access is not a very safe thing to do for Squid-2. It affects
both the client request headers passed to your main server AND the reply
headers destined for the visitor.
refresh_pattern flag "reload-into-ims" is much safer and helps avoid
the forced reload clients sometimes send.
(squid2)
* you are missing the http_access reverse-proxy settings. squid1 was
better.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.11
Beta testers wanted for 3.2.0.5
