Re: [squid-users] Re: TCP_HIT problem

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 26 Jul 2009 12:37:40 +1200

Farhad Ibragimov wrote:
> Hello Amos,
> Is this configuration normal for a large ISP provider?

I'm not sure what you mean by "this config"? The one you posted, the
default you obviously altered to get it, or my recommended changes?

The default config is set to be secure, and help as many varied installs
as possible have a workable experience.

The security bits I mention first apply to everybody using 3.0, and
second applies to everybody. The http_access comment is particular to
your displayed config.

The traffic comment may not apply as Adrian pointed out. Only testing
your own traffic will show what happens on your network.

You wanted HITS though, which means you are after those many small
requests, not the few large ones. (one 1MB file will cause MISS on 1000
x 1KB files shoved out of cache to store the big one) It's a trade off,
the only way to increase both is to raise RAM and disk available. And
that has limits too.

>
> Saturday, July 25, 2009, 6:12:40 AM, you wrote:
>
>> Farhad Ibragimov wrote:
>>> Hello Squid-users,
>>>
>>> Dear Squid Guru
>>>
>>> I installed a new Squid 3 days ago. The version is 3.0 15. The
>>> problem is that I don't see TCP_HIT (only TCP_MISS) in the access log file.
>>> The configuration file is attached. Please help.
>>>
>>>
>>>
>>> # WELCOME TO SQUID 3.0.STABLE15
>>> # ----------------------------
>>> http_port 3128 transparent
>>> cache_mem 1024 MB
>>> minimum_object_size 2048 KB
>
>> ?? looks like your problem. Most of the web traffic you will ever see is
>> under 2 MB big.
>> Average size is somewhere between 32KB and 128KB depending on your clients.
>
>> ... more points to follow....
>
>>> icp_port 0
>>> wccp2_router 85.132.32.20
>>> visible_hostname "url..."
>>> url_rewrite_children 20
>>> cache_dir ufs /cache 6000 16 256
>>> cache_swap_low 90
>>> cache_swap_high 95
>>> allow_underscore on
>>> request_header_max_size 128 KB
>
>> Please do NOT raise this above 64KB in Squid 3.0!
>> There are a very large number of remote DDoS vulnerabilities that opens
>> up. The default for each squid version is kept at the largest safe value
>> we can be sure of.
>
>
>>> client_persistent_connections on
>>> server_persistent_connections on
>>> maximum_object_size_in_memory 50 KB
>>> cache_replacement_policy heap LFUDA
>>> maximum_object_size 50 MB
>>> ######LOG################
>>> access_log /var/squid/logs/access.log squid
>>> cache_log /var/squid/logs/cache.log
>>> cache_store_log /var/squid/logs/store.log
>>> ###############################
>>> cache_mgr "mail address"
>>> httpd_suppress_version_string on
>>> # SNMP OPTIONS
>>> # -----------------------------------------------------------------------------
>>> #snmp_port 1161
>>> #snmp_access allow snmppublic localhost
>>> #snmp_access deny all
>>> cache_effective_user squid
>>> cache_effective_group squid
>>> ###############################################################
>>> acl dayaz dstdomain .day.az
>>> always_direct allow dayaz
>>> ###############################################################
>>> refresh_pattern -i \.gif$ 43200 100% 43200 override-lastmod override-expire
>>> refresh_pattern -i \.png$ 43200 100% 43200 override-lastmod override-expire
>>> refresh_pattern -i \.jpg$ 43200 100% 43200 override-lastmod override-expire
>>> refresh_pattern -i \.jpeg$ 43200 100% 43200 override-lastmod override-expire
>>> refresh_pattern -i \.pdf$ 43200 100% 43200 override-lastmod override-expire
>>> refresh_pattern -i \.zip$ 43200 100% 43200 override-lastmod override-expire
>>> refresh_pattern -i \.tar$ 43200 100% 43200 override-lastmod override-expire
>>> refresh_pattern -i \.gz$ 43200 100% 43200 override-lastmod override-expire
>>> refresh_pattern -i \.tgz$ 43200 100% 43200 override-lastmod override-expire
>>> refresh_pattern -i \.exe$ 43200 100% 43200 override-lastmod override-expire
>>> refresh_pattern -i \.prz$ 43200 100% 43200 override-lastmod override-expire
>>> refresh_pattern -i \.ppt$ 43200 100% 43200 override-lastmod override-expire
>>> refresh_pattern -i \.inf$ 43200 100% 43200 override-lastmod override-expire
>>> refresh_pattern -i \.swf$ 43200 100% 43200 override-lastmod override-expire
>>> refresh_pattern -i \.mid$ 43200 100% 43200 override-lastmod override-expire
>>> refresh_pattern -i \.wav$ 43200 100% 43200 override-lastmod override-expire
>>> refresh_pattern -i \.mp3$ 43200 100% 43200 override-lastmod override-expire
>>>
>>> #refresh_pattern ^ftp: 1440 20% 10080
>>> #refresh_pattern ^gopher: 1440 0% 1440
>>> refresh_pattern (cgi-bin|\?) 0 0% 0
>>> #refresh_pattern . 0 20% 4320
>
>> Please do not alter the four above. They ensure that your cache is not
>> vulnerable to cache poisoning attacks or committing them against other
>> caches.
>
>>> # ACCESS CONTROLS
>>> ##############################################################
>>> acl manager proto cache_object
>>> acl localhost src 127.0.0.1/32
>>> acl to_localhost dst 127.0.0.0/8
>>>
>>>
>>> # Example rule allowing access from your local networks.
>>> # Adapt to list your (internal) IP networks from where browsing
>>> # should be allowed
>>> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
>>> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
>>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>>> #
>>> acl SSL_ports port 443
>>> acl Safe_ports port 80 # http
>>> acl Safe_ports port 21 # ftp
>>> acl Safe_ports port 443 # https
>>> acl Safe_ports port 70 # gopher
>>> acl Safe_ports port 210 # wais
>>> acl Safe_ports port 1025-65535 # unregistered ports
>>> acl Safe_ports port 280 # http-mgmt
>>> acl Safe_ports port 488 # gss-http
>>> acl Safe_ports port 591 # filemaker
>>> acl Safe_ports port 777 # multiling http
>>> acl CONNECT method CONNECT
>>>
>>> # TAG: http_access
>>> http_access allow manager localhost
>>> http_access deny manager
>>> http_access deny !Safe_ports
>>> http_access deny CONNECT !SSL_ports
>>> #http_access allow localnet
>
>> Something has gone wrong. The above line commented out prevents local
>> networks from being serviced by this Squid.
>> I would expect this config to show constant TCP_MISS:DENIED in access.log.
>
>>> http_access deny all
>>>
>>> icp_access deny all
>>> htcp_access deny all
>>>
>>> hierarchy_stoplist cgi-bin ?
>>>
>>> # TAG: debug_options
>>> # Logging options are set as section,level where each source file
>>> # is assigned a unique section. Lower levels result in less
>>> # output, Full debugging (level 9) can result in a very large
>>> # log file, so be careful. The magic word "ALL" sets debugging
>>> # levels for all sections. We recommend normally running with
>>> # "ALL,1".
>>> #
>>> #Default:
>>> # debug_options ALL,1
>>>
>>> icp_port 0
>>> htcp_port 0
>>> log_icp_queries off
>>>
>>> allow_underscore on
>>>
>>> # WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS
>>> #wccp_version 4
>>> # wccp2_rebuild_wait on
>>> # wccp2_forwarding_method 1
>>> # wccp2_return_method 1
>>> # wccp2_assignment_method 1
>>> # wccp2_service standard 0
>>> # wccp2_weight 10000
>>> # wccp_address 0.0.0.0
>>> # wccp2_address 0.0.0.0
>>>
>>> # ERROR PAGE OPTIONS
>>> # -----------------------------------------------------------------------------
>>> # error_directory /squid/share/errors/templates
>>> email_err_data on
>>>
>>> client_db on
>>> coredump_dir /var/squid/cache
>
>> Amos
>
>
>

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
   Current Beta Squid 3.1.0.10 or 3.1.0.11
Received on Sun Jul 26 2009 - 00:37:56 MDT
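
Added example, not part of the original message and not Squid project code: a small Python check for the four points the reply raises about the posted squid.conf (minimum_object_size larger than typical objects, request_header_max_size above 64KB, default refresh_pattern lines missing, no http_access allow for local clients). The 128 KB "typical object" threshold, the `localnet` default and all function names are assumptions of this example, and the sample config is constructed from the posted lines.

```python
# Constructed sample: only the lines of the posted config that the reply comments on.
SAMPLE_CONF = """\
minimum_object_size 2048 KB
request_header_max_size 128 KB
#refresh_pattern ^ftp: 1440 20% 10080
#refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\\?) 0 0% 0
#refresh_pattern . 0 20% 4320
http_access allow manager localhost
#http_access allow localnet
http_access deny all
"""
UNITS = {"bytes": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
# Regexes of the four default refresh_pattern lines the reply says not to alter.
DEFAULT_PATTERNS = ["^ftp:", "^gopher:", "(cgi-bin|\\?)", "."]


def active_directives(conf_text):
    """Token lists for active lines; a token starting with '#' begins a comment."""
    rules = []
    for raw in conf_text.splitlines():
        tokens = raw.split()
        cut = next((i for i, t in enumerate(tokens) if t.startswith("#")), len(tokens))
        if tokens[:cut]:
            rules.append(tokens[:cut])
    return rules


def size_bytes(args):
    """['128', 'KB'] -> 131072; a bare number is taken as bytes."""
    return int(args[0]) * UNITS[args[1] if len(args) > 1 else "bytes"]


def audit(conf_text, typical_kb=128, header_limit_kb=64, client_acl="localnet"):
    """Names of directives that hit one of the four review points (presence checks only)."""
    rules = active_directives(conf_text)
    findings = []
    for name, *args in rules:
        if name == "minimum_object_size" and size_bytes(args) > typical_kb * 1024:
            findings.append(name)  # typical objects are too small to be stored
        if name == "request_header_max_size" and size_bytes(args) > header_limit_kb * 1024:
            findings.append(name)  # above the 64KB ceiling given for Squid 3.0
    seen = {a[1] if a[0] == "-i" else a[0] for n, *a in rules if n == "refresh_pattern" and a}
    if any(p not in seen for p in DEFAULT_PATTERNS):
        findings.append("refresh_pattern")  # a default pattern is missing or commented out
    allows = [a for n, *a in rules if n == "http_access" and a[:1] == ["allow"]]
    if not any(client_acl in a for a in allows):
        findings.append("http_access")  # no allow rule for local clients
    return findings
```

Calling `audit(SAMPLE_CONF)` returns the directive names to revisit; an empty list means none of the four points applies.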
