On 5/12/2012 10:54 p.m., Le Trung, Kien wrote:
And finally, my squid-configure
#
# Recommended minimum configuration:
#
acl localhost src A.B.C.D/32
acl purgehost src A.B.C.D/32
acl to_localhost dst A.B.C.D/32
NP: 127.0.0.1 is not confidential information. Every machine on the
planet has one. If you are defining A.B.C.D to be something other than
127.0.0.1 then adding it to the "to_localhost" ACL is incorrect for what
the to_localhost ACL means - it is there to prevent client requests
looping via the 127.0.0.1 and 0.0.0.0 special "localhost" addresses.
BTW, you are not using to_localhost anyway.
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly
plugged) machines
acl Safe_ports port 80 # http
acl Safe_ports port 81 # http
acl Safe_ports port 82 # http
You list three ports here. But I only see one http_port line for port 82.
acl CONNECT method CONNECT
acl purge method PURGE
acl invalid_urls url_regex ^someregrex
acl valid_urls url_regex ^someregrex
#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
#acl Redirection http_status 302
#cache allow Redirection
acl RedirectTC url_regex ^needredirect
http_access deny RedirectTC
deny_info ERR_REDIRECT_TC RedirectTC
client_persistent_connections on
connect_timeout 5 seconds
detect_broken_pconn on
accept_filter httpready
accept_filter data
negative_ttl 120 seconds
follow_x_forwarded_for allow localhost
http_access allow manager localhost
http_access allow purge purgehost
http_access allow purge localhost
You defined purgehost as being one of the entries of localhost. You can
remove the "allow purge purgehost" line entirely.
http_access deny manager
http_access deny purge
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
http_access deny invalid_urls
deny_info ERR_INVALID_URLS invalid_urls
http_access allow valid_urls
Certain requests have unlimited access, depending on a regex pattern
which you have removed. Unless they have matched either of two other
removed regex patterns. These would seem to be rather important details.
# Deny CONNECT to other than secure SSL ports
#http_access deny CONNECT !SSL_ports
http_access deny all
deny_info ERR_INVALID_URLS all
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Squid normally listens to port 3128
### One domain
cache_effective_user squid
http_port A.B.C.D:82 accel vhost ignore-cc
cache_peer A1.B1.C1.D1 parent 80 0 no-query originserver name=WEB1 max-conn=25
cache_peer_domain WEB1 domain1 domain2
cache_peer A2.B2.C2.D2 parent 80 0 no-query originserver name=WEB2
max-conn=20 round-robin
cache_peer A3.B3.C3.D3 parent 80 0 no-query originserver name=WEB3
max-conn=20 round-robin
cache_peer_domain WEB2 domain3 domain4
cache_peer_domain WEB3 domain4 domain4
acl web1 dstdomain domain1 domain2
acl web2 dstdomain domain3 domain4
acl web3 dstdomain domain4 domain4
cache_peer_access WEB1 allow web1
cache_peer_access WEB2 allow web2
cache_peer_access WEB3 allow web3
cache_peer_access web1 deny all
cache_peer_access web2 deny all
cache_peer_access web3 deny all
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
You already put "http_access deny all" above these lines. So these ones
will never be reached.
# And finally deny all other access to this proxy
http_access deny all
# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?
hierarchy_stoplist prevents requests matching the regex from reaching
your cache_peers. I think you do not want to use it at all.
#hierarchy_stoplist \?
acl CacheType urlpath_regex \? \.css \.gif \.gif\? \.html \.html\?
\.ico \.jpeg \.jpeg\? \.jpg \.jpg\? \.js \.js\? \.php \.php\? \.png
\.png\? \.swf \.swf\? \-
#cache allow CacheType
# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /opt/squid/var/cache 9216 16 256
# Leave coredumps in the first cache dir
coredump_dir /opt/squid/var/cache
cache_mem 9216 MB
maximum_object_size_in_memory 1024 KB
cache_swap_low 30
cache_swap_high 50
You have 9GB of disk cache and 9GB of memory cache. Whenever they fill
to 4.5GB of data Squid will schedule ~2GB of data to be purged.
You can achieve the equivalent by setting these to the defaults and
changing your cache size to 5GB instead of 9GB.
strip_query_terms off
logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st
"%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
#access_log none
cache_store_log none
access_log stdio:/opt/squid/var/logs/access.log combined
cache_log /opt/squid/var/logs/cache.log
#cache_swap_log /var/log/squid/swap.state
#maximum_object_size 10 MB
#quick_abort_min 0 KB
#quick_abort_max 0 KB
#memory_replacement_policy lru
#cache_replacement_policy heap LFUDA
#store_dir_select_algorithm round-robin
#cache_dir null /tmp
# Add any of your own refresh_pattern entries above these.
#refresh_pattern ^ftp: 1440 20% 10080
#refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (^someregrex) ...
refresh_pattern -i (/cgi-bin/) 0 0% 0
refresh_pattern . 0 20% 4320
On Wed, Dec 5, 2012 at 3:52 PM, Eliezer Croitoru <eliezer@xxxxxxxxxxxx> wrote:
Hey Trung Kien,
We will need more data to try helping you with the problem.
If you can share the configure options of squid build and squid.conf it will
give us a good look on why it may could be happening.
If you can describe more about you infrastructure it will help.
Note that this is a public list so remove any identifying and confidential
data from squid.conf.
Best Regards,
Eliezer
On 12/5/2012 9:59 AM, Le Trung, Kien wrote:
Hi,
Today, I built version 3.1.22, then started squid with or without
accept_filter directive in squid's configuration file and in both case
I got NO 500 MISS in the access log.
Moreover, the speed when access new links faster (not cached) than
version 3.2.3.
Best Regards,
Trung Kien
--
Eliezer Croitoru
https://www1.ngtech.co.il
sip:ngtech@xxxxxxxxxxxx
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il