
Re: TCP_MISS_ABORTED


 



On 13/12/17 20:30, zhongzhe@xxxxxxxxxx wrote:
Hi, All
    I used httpclient to imitate a request to squid, but the response page was not stored by squid although the response header is 200. I tried many times with three different pages. Only one can be stored by the squid cache, and the others needed the request to be sent by a browser, and then they were cached. I checked the access.log, and it shows this:
1513148548.653   9172 10.112.4.54 TCP_MISS_ABORTED/200 106197 GET http://youlun.lvmama.com/ship_front/youlun/1012487 - FIRSTUP_PARENT/10.112.4.54 text/html

Do you know what's wrong with my squid.conf? Need your help!

There seem to be many things. But none of them have much to do with the above.

What the above says is that a client at 10.112.4.54 requested http://youlun.lvmama.com/ship_front/youlun/1012487 and disconnected after 9 seconds.

The fact that ~100KB of traffic happened in that transaction implies that everything was going okay for a while at least. So there is no visible problem with Squid in that log entry. The ABORTED simply means one of the endpoints (probably the client) decided to disconnect early.



Back to your squid.conf;




     below is my squid.conf
acl gsrc src 10.112.4.54 10.113.10.191
acl gdst dst 10.112.4.54 10.113.10.191
http_access allow gsrc
http_access allow gdst

What is the above supposed to mean?


acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl purge method PURGE
acl clientServers src 10.112.4.54
http_access allow purge clientServers
http_access deny purge

acl gat method GET
acl clientS src 10.112.4.54 10.113.10.190
http_access allow gat clientS
#http_access deny gat

The localnet ACL defines 10.*/8 as allowed and your rules below specify that all localnet traffic is allowed.

So the above four lines of config seem pointless.


You have configured the machines 10.112.4.54 and 10.113.10.190 as your cache_peer servers. So why are they listed as "src" ?

In a reverse-proxy "src" is the IP of a client requesting a URL.

"dst" is the destination server - as determined by DNS records for the URL domain being fetched. In a reverse-proxy those DNS records should hold the proxy's own IP address. So dst-IP is rarely ever useful and is downright dangerous to make use of in the reverse-proxy.




acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 3130        # icp
acl Safe_ports port 3128
acl CONNECT method CONNECT

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access allow localhost manager
http_access deny manager


As the default config file says:

"
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
"


http_access allow localnet
http_access allow localhost

http_port 80 accel defaultsite=youlun.lvmama.com no-vhost

cache_dir aufs /var/spool/squid 8198 16 256
cache_mem 5120 MB
cache_swap_low 90
cache_swap_high 95
cache_mgr zhongzhe@xxxxxxxxxx

visible_hostname cache190


So the domain name Squid announces to your clients is "cache190" as in http://cache190/ship_front/youlun/1012487.


coredump_dir  /var/spool/squid

via off

At least while debugging peering issues set "via on". Only turn it off if you really have to and *after* you have a fully working proxy hierarchy.


maximum_object_size 500 KB

icp_port 3130
icp_access allow all
icp_query_timeout 2000

cache_peer 10.112.4.54 parent 8090 0 no-query originserver name=youlun
acl mysites dstdomain youlun.lvmama.com
http_access allow mysites
cache_peer_access youlun allow all
cache_peer_access youlun deny all

The default for cache_peer_access is to allow. No need to specify that "allow all". What you need to do to allow everything to reach that peer server is *not* specify "deny all".

Though the normal thing is to use an ACL (eg your "mysites" one) to allow the domains an origin server is known to supply and to deny other things. Since it is not even worth trying that peer for things it is not known to be capable of serving.

So:
  http_access allow mysites
  cache_peer_access youlun allow mysites
  cache_peer_access youlun deny all


Also be aware that all of this peer and http_access config needs to be located up where it says " INSERT YOUR OWN RULE(S) HERE " etc.




refresh_pattern -i .*/youlun/([0-9]+) 1440 100% 10080 ignore-no-store ignore-must-revalidate store-stale ignore-reload


Why? If your server is not producing correct cacheability headers then everyone trying to use your site will be having problems. "Fixing" it for only your proxy by ignoring required things is the worst possible action to take.

Your proxy is a reverse-proxy (aka CDN), it advertises its Surrogate abilities to the origin server so your proxy cache can be given custom values different from the general public. If you need


refresh_pattern ^ftp:          1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

cache_log /var/log/squid/cache.log
cache_access_log /var/log/squid/access.log

The directive name is "access_log"

cache_store_log /var/log/squid/store.log

log_icp_queries off

http_access allow all

Do not do that "allow all".

http_access deny all



Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
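
The access-list points raised in the reply above can be checked mechanically. The following is an added example, not part of the original message and not Squid's own tooling: a small lint that walks http_access and cache_peer_access lines in order and reports rules that can never be reached, an unconditional "http_access allow all", and allow rules keyed only on a dst ACL. It assumes Squid's first-match evaluation of access lists; the function name lint and the sample excerpt are constructed for illustration.

```python
# Constructed sample: a shortened excerpt of the squid.conf quoted in the thread.
SAMPLE_CONF = """\
acl gdst dst 10.112.4.54 10.113.10.191
http_access allow gdst
acl mysites dstdomain youlun.lvmama.com
http_access allow mysites
cache_peer_access youlun allow all
cache_peer_access youlun deny all
http_access allow all
http_access deny all
"""


def lint(conf_text):
    """Return (line_no, message) findings for http_access and cache_peer_access."""
    acl_type = {}   # ACL name -> type (src, dst, dstdomain, ...)
    closed_by = {}  # access list -> line number of its unconditional "... all" rule
    findings = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        words = raw.split("#", 1)[0].split()
        if len(words) < 3:
            continue
        if words[0] == "acl":
            acl_type.setdefault(words[1], words[2])
            continue
        if words[0] == "http_access":
            key, action, acls = "http_access", words[1], words[2:]
        elif words[0] == "cache_peer_access" and len(words) >= 4:
            # Each peer name has its own access list.
            key, action, acls = "cache_peer_access " + words[1], words[2], words[3:]
        else:
            continue
        if key in closed_by:
            # First match wins, so nothing after "allow all" / "deny all" is evaluated.
            findings.append((no, f"unreachable: {key} already ended at line {closed_by[key]}"))
            continue
        if key == "http_access" and action == "allow":
            if acls == ["all"]:
                findings.append((no, "http_access allow all: any client may use the proxy"))
            elif all(acl_type.get(a.lstrip("!")) == "dst" for a in acls):
                findings.append((no, "allow keyed only on dst (DNS-derived destination IP)"))
        if acls == ["all"]:
            closed_by[key] = no
    return findings


if __name__ == "__main__":
    for no, msg in lint(SAMPLE_CONF):
        print(f"line {no}: {msg}")
```
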



