On 18/07/2013 4:36 a.m., jc.yin wrote:
Umm here's what I got after I ran the command
Okay, something to tune up ...
You may find it easier to work with if you remove the documentation
comments out of the squid.conf file permanently and use just a few
comments noting to yourself what the bits you are using are doing.
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 198.211.119.7
This definition of what the machine LAN IP range is differs from
everything you have been demonstrating via the other tests we had you do
in the other threads.
If this is the same "reverse-proxy" you were talking about the last few
days that should be:
acl localnet src 192.168.1.0/24
acl localnet src fe80::/16
matching the IP ranges shown by ifconfig (or better the "ip addr"
command) for the proxy box.
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow
Above line is useless. As mentioned in that WARNING by Squid it does
nothing and gets ignored completely. Remove it.
http_access allow manager localhost
http_access allow manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
The default "http_access allow localnet" is missing here.
http_access allow all
miss_access allow all
Is this the reverse-proxy box we have been discussing in the other
threads? Or a completely separate one?
I see no reverse-proxy config lines in this config file at all. The
above lines just make your proxy into an "open proxy" and easily abused
by anyone on the Internet who can reach it (and you published the public
IP address earlier).
http_port 3128 ignore-cc
"ignore-cc" is only safe on a reverse-proxy box. On any other traffic it
ignores the revalidation and staleness requirements indicated by the
client and sends the cached copy regardless of any bad effects on UX.
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
You are using the "." pattern here. This matches all traffic which tests
refresh_pattern. None of the refresh_pattern rules below will have any
effect.
This is lucky because you have "ignore-cc" on the port and if those
overrides like "ignore-private" on the below patterns had been working
your users' UX could have been completely screwed up with people
receiving others' private response objects and refresh button in browsers
completely unable to fix the UX problems.
cache_mem 512 MB
cache_dir ufs /var/spool/squid3 15000 16 256
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90% 432000 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.index.(html|htm)$ 0 40% 10080
refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
refresh_pattern . 0 40% 40320
cache_effective_user proxy
cache_effective_group proxy
--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-only-caches-a-few-images-and-TCP-Miss-everything-else-tp4661043p4661152.html
Sent from the Squid - Users mailing list archive at Nabble.com.
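
Added example, not part of the original message and not Squid project code: a small Python check for the four problems raised in the reply above (an http_access rule with no ACL, "http_access allow all", "ignore-cc" on a port that is not in reverse-proxy mode, and refresh_pattern rules placed after a "." catch-all). The function name, finding codes and SAMPLE_CONF are assumptions made for illustration; "accel" is the http_port option Squid uses for reverse-proxy mode.

```python
# Constructed sample, condensed from the squid.conf lines quoted in the message.
SAMPLE_CONF = r"""acl localnet src 198.211.119.7
http_access allow
http_access allow manager localhost
http_access deny !Safe_ports
http_access allow localhost
http_access allow all
http_port 3128 ignore-cc
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200 override-expire ignore-private
"""

def lint_squid_conf(text):
    """Return (line_number, code, message) for each issue found (hypothetical helper)."""
    findings = []
    catch_all = None  # line number of the first refresh_pattern that matches every URL
    for n, raw in enumerate(text.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()  # simplification: '#' always starts a comment
        if not tok:
            continue
        if tok[0] == "http_access":
            if len(tok) < 3:
                findings.append((n, "NO_ACL", "rule names no ACL; Squid ignores it"))
            elif tok[1:] == ["allow", "all"]:
                findings.append((n, "OPEN_PROXY",
                                 "any client that can reach the port may use the proxy"))
        elif tok[0] == "http_port":
            if "ignore-cc" in tok and "accel" not in tok:
                findings.append((n, "IGNORE_CC",
                                 "ignore-cc on a port that is not in reverse-proxy mode"))
        elif tok[0] == "refresh_pattern":
            args = tok[1:]
            if args[:1] == ["-i"]:
                args = args[1:]
            if catch_all is not None:
                # refresh_pattern is first-match-wins, so this rule is never consulted
                findings.append((n, "SHADOWED",
                                 f"never reached: line {catch_all} matches every URL first"))
            elif args and args[0] in (".", ".*"):
                catch_all = n
    return findings

if __name__ == "__main__":
    for line_no, code, message in lint_squid_conf(SAMPLE_CONF):
        print(f"line {line_no}: {code}: {message}")
```

Wrapped configuration lines must be rejoined before running the check, since it treats each physical line as one directive.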