Hi, Amos
Thanks a lot for your reply. In my conf, squid is not only a reverse-proxy server but also a cache server, and that is important to me. In fact, it does not work normally in my production environment. 10.112.4.54 is the apache server (proxied by squid), and my requests are also sent from it (such as browser requests and imitated HttpClient requests from Java). 10.113.10.191 is the peer squid server, and it is shut down now. 10.113.10.190, as you see, is the
current reverse-proxy server.
The whole process is like this:
10.112.4.54 (browser) sends a request to 10.113.10.190. If it is not cached, 10.113.10.190 forwards the request to the apache server 10.112.4.54, which returns the response page to the browser 10.112.4.54.
If it is cached, the page is returned to the browser 10.112.4.54.
> below is my squid.conf
> acl gsrc src 10.112.4.54 10.113.10.191
> acl gdst dst 10.112.4.54 10.113.10.191
> http_access allow gsrc
> http_access allow gdst
>>What is the above supposed to mean?
>
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl localnet src fc00::/7 # RFC 4193 local private network range
> acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
>
> acl purge method PURGE
> acl clientServers src 10.112.4.54
> http_access allow purge clientServers
> http_access deny purge
>
> acl gat method GET
> acl clientS src 10.112.4.54 10.113.10.190
> http_access allow gat clientS
> #http_access deny gat
>>The localnet ACL defines 10.*/8 as allowed and your rules below specify
>>that all localnet traffic is allowed.
>>
>>So the above four lines of config seem pointless.
>>
>>You have configured the machines 10.112.4.54 and 10.113.10.190 as your
>>cache_peer servers. So why are they listed as "src" ?
>>
>>In a reverse-proxy "src" is the IP of a client requesting a URL.
>>
>>"dst" is the destination server - as determined by DNS records for the
>>URL domain being fetched. In a reverse-proxy those DNS records should
>>hold the proxy's own IP address. So dst-IP is rarely ever useful and is
>>downright dangerous to make use of in the reverse-proxy.
ICP requests could not be sent to the peer server at first, so I added it to try to solve that.
>
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 3130 # icp
> acl Safe_ports port 3128
> acl CONNECT method CONNECT
>
> http_access deny !Safe_ports
>
> http_access deny CONNECT !SSL_ports
>
> http_access allow localhost manager
> http_access deny manager
>
As the default config file says:
"
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
"
Thanks a lot, I'll delete the needless port info.
> http_access allow localnet
> http_access allow localhost
>
> http_port 80 accel defaultsite=youlun.lvmama.com no-vhost
>
> cache_dir aufs /var/spool/squid 8198 16 256
> cache_mem 5120 MB
> cache_swap_low 90
> cache_swap_high 95
> cache_mgr zhongzhe@xxxxxxxxxx
>
> visible_hostname cache190
>
So the domain name Squid announces to your clients is "cache190" as in
http://cache190/ship_front/youlun/1012487.
I think my domain name is youlun.lvmama.com. cache190 is just an individual name to distinguish it from the squid server 10.113.10.191.
> coredump_dir /var/spool/squid
>
> via off
At least while debugging peering issues set "via on". Only turn it off
if you really have to and *after* you have a fully working proxy hierarchy.
Agree with you.
> maximum_object_size 500 KB
>
> icp_port 3130
> icp_access allow all
> icp_query_timeout 2000
>
> cache_peer 10.112.4.54 parent 8090 0 no-query originserver name=youlun
> acl mysites dstdomain youlun.lvmama.com
> http_access allow mysites
> cache_peer_access youlun allow all
> cache_peer_access youlun deny all
The default for cache_peer_access is to allow. No need to specify that
"allow all". What you need to do to allow everything to reach that peer
server is *not* specify "deny all".
Though the normal thing is to use an ACL (eg your "mysites" one) to
allow the domains an origin server is known to supply and to deny other
things. Since it is not even worth trying that peer for things it is not
known to be capable of serving.
So:
http_access allow mysites
cache_peer_access youlun allow mysites
cache_peer_access youlun deny all
Also be aware that all of this peer and http_access config needs to be
located up where it says " INSERT YOUR OWN RULE(S) HERE " etc.
Thanks, I have deleted it.
>
> refresh_pattern -i .*/youlun/([0-9]+) 1440 100% 10080 ignore-no-store ignore-must-revalidate store-stale ignore-reload
>
Why? if your server is not producing correct cacheability headers then
everyone trying to use your site will be having problems. "Fixing" it
for only your proxy by ignoring required things is the worst possible
action to take.
Your proxy is a reverse-proxy (aka CDN), it advertises its Surrogate
abilities to the origin server so your proxy cache can be given custom
values different from the general public. If you need
I want the squid server to respond to the request with a cached page if one exists.
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
> cache_log /var/log/squid/cache.log
> cache_access_log /var/log/squid/access.log
The directive name is "access_log"
Changed.
> cache_store_log /var/log/squid/store.log
>
> log_icp_queries off
>
> http_access allow all
Do not do that "allow all".
It has been deleted.
> http_access deny all
zhongzhe@xxxxxxxxxx
On 13/12/17 20:30, zhongzhe@xxxxxxxxxx wrote:
> Hi, All
> I used httpclient to imitate a request to squid, but the response
> page had not been stored by squid although the response header is 200. I had
> tried many times with three different pages. Only one could be stored by
> the squid cache, and the others needed the request to be sent by a browser before
> they were cached. I checked the access.log; it shows me this:
> 1513148548.653 9172 10.112.4.54 TCP_MISS_ABORTED/200 106197 GET http://youlun.lvmama.com/ship_front/youlun/1012487 - FIRSTUP_PARENT/10.112.4.54 text/html
>
> Do you know what's wrong with my squid.conf? I need your help!
There seem to be many things. But none of them have much to do with the
above.
What the above says is that a client at 10.112.4.54 requested
http://youlun.lvmama.com/ship_front/youlun/1012487 and disconnected
after 9 seconds.
The fact that ~100KB of traffic happened in that transaction implies
that everything was going okay for a while at least. So there is no
visible problem with Squid in that log entry. The ABORTED simply means
one of the endpoints (probably the client) decided to disconnect early.
Back to your squid.conf;
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
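As an added example (not code from the thread or from the Squid project): a small Python parser for Squid's native access.log format that separates cache hits, misses and ABORTED transactions like the one discussed above, and exposes the duration and byte count Amos reads off that line. The first sample line is the one quoted in the thread; the other two are constructed.

```python
"""Parse Squid native access.log lines and flag early-disconnect (ABORTED) transactions."""
import re
from dataclasses import dataclass

# Squid native access.log layout, one transaction per line:
# time duration(ms) client result/status bytes method URL ident hierarchy/peer content-type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

@dataclass
class Entry:
    ts: float      # epoch seconds when the transaction finished
    ms: int        # how long the transaction lasted, in milliseconds
    client: str    # requesting client IP ("src" in ACL terms)
    result: str    # Squid result code, e.g. TCP_MISS_ABORTED
    status: int    # HTTP status sent to the client
    size: int      # bytes sent to the client before it finished or hung up
    method: str
    url: str
    hier: str      # how the object was fetched, e.g. FIRSTUP_PARENT
    peer: str      # the peer/origin used, or "-"
    ctype: str

def parse_line(line: str) -> Entry:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised access.log line: {line!r}")
    g = m.groupdict()
    return Entry(float(g["ts"]), int(g["ms"]), g["client"], g["result"], int(g["status"]),
                 int(g["size"]), g["method"], g["url"], g["hier"], g["peer"], g["ctype"])

def classify(e: Entry) -> str:
    """'aborted' = one endpoint disconnected early (a 200 status does not mean the object was cached)."""
    if "ABORTED" in e.result:
        return "aborted"
    return "hit" if "HIT" in e.result else "miss"

def summarize(lines) -> dict:
    counts = {"hit": 0, "miss": 0, "aborted": 0}
    for line in lines:
        counts[classify(parse_line(line))] += 1
    return counts

# Constructed sample: line 1 is the one from the thread, lines 2 and 3 are made up for illustration
SAMPLE = [
    "1513148548.653 9172 10.112.4.54 TCP_MISS_ABORTED/200 106197 GET http://youlun.lvmama.com/ship_front/youlun/1012487 - FIRSTUP_PARENT/10.112.4.54 text/html",
    "1513148560.101 12 10.112.4.54 TCP_HIT/200 106197 GET http://youlun.lvmama.com/ship_front/youlun/1012487 - HIER_NONE/- text/html",
    "1513148561.250 311 10.112.4.54 TCP_MISS/200 5120 GET http://youlun.lvmama.com/ship_front/youlun/1012488 - FIRSTUP_PARENT/10.112.4.54 text/html",
]
```

Running `summarize(SAMPLE)` on a real access.log tail is a quick way to see whether the "not cached" symptom is really a cacheability problem or just clients hanging up before the transfer completes.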