Re: [squid-users] Re: TCP_HIT problem

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 25 Jul 2009 13:12:40 +1200

Farhad Ibragimov wrote:
> Hello Squid-users,
>
> Dear Squid Guru
>
> I installed a new Squid 3 days ago. The version is 3.0.STABLE15. The
> problem is that I don't see TCP_HIT (only TCP_MISS) in the access log file.
> The configuration file is attached. Please help.
>
>
>
> # WELCOME TO SQUID 3.0.STABLE15
> # ----------------------------
> http_port 3128 transparent
> cache_mem 1024 MB
> minimum_object_size 2048 KB

?? looks like your problem. Most of the web traffic you will ever see is
under 2 MB in size.
Average size is somewhere between 32KB and 128KB depending on your clients.

... more points to follow ...

> icp_port 0
> wccp2_router 85.132.32.20
> visible_hostname "url..."
> url_rewrite_children 20
> cache_dir ufs /cache 6000 16 256
> cache_swap_low 90
> cache_swap_high 95
> allow_underscore on
> request_header_max_size 128 KB

Please do NOT raise this above 64KB in Squid 3.0!
There are a very large number of remote DDoS vulnerabilities that it opens
up. The default for each Squid version is kept at the largest safe value
we can be sure of.

> client_persistent_connections on
> server_persistent_connections on
> maximum_object_size_in_memory 50 KB
> cache_replacement_policy heap LFUDA
> maximum_object_size 50 MB
> ######LOG################
> access_log /var/squid/logs/access.log squid
> cache_log /var/squid/logs/cache.log
> cache_store_log /var/squid/logs/store.log
> ###############################
> cache_mgr "mail address"
> httpd_suppress_version_string on
> # SNMP OPTIONS
> # -----------------------------------------------------------------------------
> #snmp_port 1161
> #snmp_access allow snmppublic localhost
> #snmp_access deny all
> cache_effective_user squid
> cache_effective_group squid
> ###############################################################
> acl dayaz dstdomain .day.az
> always_direct allow dayaz
> ###############################################################
> refresh_pattern -i \.gif$ 43200 100% 43200 override-lastmod override-expire
> refresh_pattern -i \.png$ 43200 100% 43200 override-lastmod override-expire
> refresh_pattern -i \.jpg$ 43200 100% 43200 override-lastmod override-expire
> refresh_pattern -i \.jpeg$ 43200 100% 43200 override-lastmod override-expire
> refresh_pattern -i \.pdf$ 43200 100% 43200 override-lastmod override-expire
> refresh_pattern -i \.zip$ 43200 100% 43200 override-lastmod override-expire
> refresh_pattern -i \.tar$ 43200 100% 43200 override-lastmod override-expire
> refresh_pattern -i \.gz$ 43200 100% 43200 override-lastmod override-expire
> refresh_pattern -i \.tgz$ 43200 100% 43200 override-lastmod override-expire
> refresh_pattern -i \.exe$ 43200 100% 43200 override-lastmod override-expire
> refresh_pattern -i \.prz$ 43200 100% 43200 override-lastmod override-expire
> refresh_pattern -i \.ppt$ 43200 100% 43200 override-lastmod override-expire
> refresh_pattern -i \.inf$ 43200 100% 43200 override-lastmod override-expire
> refresh_pattern -i \.swf$ 43200 100% 43200 override-lastmod override-expire
> refresh_pattern -i \.mid$ 43200 100% 43200 override-lastmod override-expire
> refresh_pattern -i \.wav$ 43200 100% 43200 override-lastmod override-expire
> refresh_pattern -i \.mp3$ 43200 100% 43200 override-lastmod override-expire
>
> #refresh_pattern ^ftp: 1440 20% 10080
> #refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern (cgi-bin|\?) 0 0% 0
> #refresh_pattern . 0 20% 4320

Please do not alter the four above. They ensure that your cache is not
vulnerable to cache poisoning attacks or committing them against other
caches.

>
> # ACCESS CONTROLS
> ##############################################################
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
>
>
> # Example rule allowing access from your local networks.
> # Adapt to list your (internal) IP networks from where browsing
> # should be allowed
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> #
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> # TAG: http_access
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> #http_access allow localnet

Something has gone wrong. The above line commented out prevents local
networks from being serviced by this Squid.
I would expect this config to show constant TCP_MISS:DENIED in access.log.

>
> http_access deny all
>
> icp_access deny all
> htcp_access deny all
>
> hierarchy_stoplist cgi-bin ?
>
> # TAG: debug_options
> # Logging options are set as section,level where each source file
> # is assigned a unique section. Lower levels result in less
> # output, Full debugging (level 9) can result in a very large
> # log file, so be careful. The magic word "ALL" sets debugging
> # levels for all sections. We recommend normally running with
> # "ALL,1".
> #
> #Default:
> # debug_options ALL,1
>
> icp_port 0
> htcp_port 0
> log_icp_queries off
>
> allow_underscore on
>
> # WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS
> #wccp_version 4
> # wccp2_rebuild_wait on
> # wccp2_forwarding_method 1
> # wccp2_return_method 1
> # wccp2_assignment_method 1
> # wccp2_service standard 0
> # wccp2_weight 10000
> # wccp_address 0.0.0.0
> # wccp2_address 0.0.0.0
>
> # ERROR PAGE OPTIONS
> # -----------------------------------------------------------------------------
> # error_directory /squid/share/errors/templates
> email_err_data on
>
> client_db on
> coredump_dir /var/squid/cache

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
   Current Beta Squid 3.1.0.10 or 3.1.0.11
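A small checker for the squid.conf settings Amos calls out in this reply, added here as an illustration and not part of the thread or of Squid itself. The configuration fragment is constructed to mirror the poster's settings, and the 128 KB "typical object" threshold is an assumption taken from Amos's size figures.

```python
import re

# Constructed squid.conf fragment mirroring the settings flagged in the thread (not the full file).
SAMPLE_CONF = """\
http_port 3128 transparent
minimum_object_size 2048 KB
request_header_max_size 128 KB
refresh_pattern (cgi-bin|\\?) 0 0% 0
#http_access allow localnet
http_access deny all
"""

UNITS = {"bytes": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
SIZE_RE = re.compile(r"^(\d+)\s+(bytes|KB|MB|GB)$")

def size_bytes(setting):
    """Convert a Squid size value such as '2048 KB' into bytes."""
    m = SIZE_RE.match(setting.strip())
    if not m:
        raise ValueError(f"unparseable size: {setting!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

def lint_conf(text, typical_object=128 * 1024, header_limit=64 * 1024):
    """Report the four problems raised in the thread. typical_object (128 KB) is an assumed
    upper bound on common object sizes; header_limit is the 64 KB ceiling Amos recommends."""
    active, commented = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            commented.add(line.lstrip("#").strip())   # remember disabled directives
            continue
        key, _, value = line.partition(" ")
        active.setdefault(key, []).append(value.strip())
    findings = []
    if "minimum_object_size" in active and size_bytes(active["minimum_object_size"][0]) > typical_object:
        findings.append("minimum_object_size excludes typical objects, so almost nothing is cached")
    if "request_header_max_size" in active and size_bytes(active["request_header_max_size"][0]) > header_limit:
        findings.append("request_header_max_size above 64 KB")
    if "http_access allow localnet" in commented and "allow localnet" not in active.get("http_access", []):
        findings.append("http_access allow localnet is commented out; local clients will be denied")
    if not any(p.startswith("(cgi-bin|\\?)") for p in active.get("refresh_pattern", [])):
        findings.append("refresh_pattern for cgi-bin/query URLs is missing")
    return findings
```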
Received on Sat Jul 25 2009 - 01:12:52 MDT
