Search squid archive

Re: How to use tcp_outgoing_address with cache_peer

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Problem #1: Please upgrade your Squid.

Squid-2.6 has been 3 years since the last security update, nearly 5 years since your particular version was superceded.


On 24/04/2013 12:15 a.m., Alex Domoradov wrote:
Hello all, I encountered the problem with configuration 2 squids. I
have the following scheme -
http://i.piccy.info/i7/0ecd5cb8276b78975a791c0e5f55ae60/4-57-1543/57409208/squids_schema.jpg

Problem #2: Please read the section on how RAID0 interacts with Squid ... http://wiki.squid-cache.org/SquidFaq/RAID

Also, since youa re using SSD, see #1. The older Squid like 2.6 push *everything* through disk which reduces your SSD lifetime a lot. Please upgrade to a current release (3.2 or 3.3 today) which try to avoid disk a lot more in general and offer cache types like rock for even better I/O savings on small responses.

The main idea is to download all files from rackspace and amazon
through parent squid and store all files in his cache.

Sure. Nothing abnormal there.

On the main_squid server was configured PBR (iptables + ip route). All
packets go through the same channels through which the requests were
received

# ip ru sh
0:      from all lookup local
1000:   from all fwmark 0x3e8 lookup ISP1
2000:   from all fwmark 0x7d0 lookup ISP2
3011:   from all fwmark 0xbc3 lookup ISP3
32762:  from xxx.xxx.xxx.62 lookup ISP1
32763:  from yyy.yyy.yyy.239 lookup ISP2
32764:  from zzz.zzz.zzz.10 lookup ISP3
32766:  from all lookup main
32767:  from all lookup default

*** main_squid squid.conf ***
http_port 192.168.210.1:3128 transparent

cache_peer 192.168.220.2 sibling 3128 3130
dead_peer_timeout 5 seconds

acl AMAZON dstdom_regex -i (.*)s3\.amazonaws\.com
cache_peer_access 192.168.220.2 allow AMAZON

acl RACKSPACE dstdom_regex -i (.*)rackcdn\.com
cache_peer_access 192.168.220.2 allow RACKSPACE

FYI: these dstdom_regex look like they can be far more efficiently replaced by dstdomain ACLs and even combined into one ACL name.


url_rewrite_program /usr/bin/squidguard
url_rewrite_children 32

cache_dir null /tmp
cache_store_log none
cache deny all

acl local_net src 192.168.0.0/16
http_access allow local_net

*** parent_squid squid.conf ***

http_port 192.168.220.2:3128
acl main_squid src 192.168.220.1

http_access allow main_squid
http_access allow manager localhost
http_access allow manager main_squid

icp_access allow main_squid

cache_mem 30 GB
maximum_object_size_in_memory 128 MB
cache_dir aufs /squid 400000 16 256
minimum_object_size 16384 KB
maximum_object_size 1024 MB
cache_swap_low 93
cache_swap_high 98

The numbers here look a little strange. Why the high minimum object size?

acl PSD urlpath_regex -i \.psd$
cache allow PSD

acl ZIP urlpath_regex -i \.zip$
cache allow ZIP

acl OTHER url_regex -i ^http://*
cache deny OTHER

At the very least that OTHER definition can be replaced by the much faster:
 acl OTHER proto HTTP

However, the feeder mechanism to this hierarchy is NAT interception. Meaning *all* traffic is HTTP so you can instead use:
  cache_deny all


refresh_pattern \.psd$ 2592000 100 2592000 override-lastmod
override-expire ignore-reload ignore-no-cache
refresh_pattern \.zip$ 2592000 100 2592000 override-lastmod
override-expire ignore-reload ignore-no-cache

All work fine, until I uncomment on main_squid the following line

tcp_outgoing_address yyy.yyy.yyy.239

When I try to download any zip file from amazon I see the following
message in cache.log

2013/04/22 01:00:41| TCP connection to 192.168.220.2/3128 failed

If I run tcpdump on yyy.yyy.yyy.239 I see that main_squid trying to
connect to parent via external interface without success.

So my question. How may I configure main_squid that it could connect
to the parent even with configured
tcp_outgoing_address option?

#3 The failure is in TCP. Probably your firewall settings forbidding yyy.yyy.yyy.239 from talking to 192.168.220.2.



P.S.
# squid -v
Squid Cache: Version 2.6.STABLE21
configure options:  '--host=x86_64-unknown-linux-gnu'
'--build=x86_64-unknown-linux-gnu' '--program-prefix=' '--prefix=/usr'
'--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin'
'--sysconfdir=/etc' '--includedir=/usr/include' '--libdir=/usr/lib64'
'--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib'
'--mandir=/usr/share/man' '--infodir=/usr/share/info'
'--exec_prefix=/usr' '--bindir=/usr/sbin'
'--libexecdir=/usr/lib64/squid' '--localstatedir=/var'
'--datadir=/usr/share' '--sysconfdir=/etc/squid' '--enable-arp-acl'
'--enable-epoll' '--enable-snmp' '--enable-removal-policies=heap,lru'
'--enable-storeio=aufs,coss,diskd,null,ufs' '--enable-ssl'
'--with-openssl=/usr/kerberos' '--enable-delay-pools'
'--enable-linux-netfilter' '--with-pthreads'
'--enable-ntlm-auth-helpers=SMB,fakeauth'
'--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group'
'--enable-auth=basic,digest,ntlm,negotiate'
'--enable-negotiate-auth-helpers=squid_kerb_auth'
'--enable-digest-auth-helpers=password'
'--with-winbind-auth-challenge' '--enable-useragent-log'
'--enable-referer-log' '--disable-dependency-tracking'
'--enable-cachemgr-hostname=localhost' '--enable-underscores'
'--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL'
'--enable-cache-digests' '--enable-ident-lookups'
'--enable-follow-x-forwarded-for' '--enable-wccpv2'
'--enable-fd-config' '--with-maxfd=16384'
'build_alias=x86_64-unknown-linux-gnu'
'host_alias=x86_64-unknown-linux-gnu' 'CFLAGS=-D_FORTIFY_SOURCE=2
-fPIE -Os -g -pipe -fsigned-char' 'LDFLAGS=-pie'





[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux