On Tue, 29 Sep 2009 11:41:16 -0700 (PDT), ant2ne <tcygne_at_altonschools.org>
wrote:
> Thanks for all of the great replies. There is lots of information to
> digest.
> I appreciate all of the suggestions.
>
> But, Before I got any of these replies, I went ahead and made
modifications
> to my squid.conf to match an example I found on the internet here is my
> current running squid.conf
>
> http_port 3128
> icp_port 0
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
> cache_mem 16 MB
> cache_dir ufs /cache 500000 256 256
> redirect_rewrites_host_header off
> cache_replacement_policy lru
> acl localnet src 10.60.0.0/255.255.0.0
> acl localhost src 127.0.0.1/255.255.255.255
> acl Safe_ports port 80 443 210 119 70 21 1025-65535
> acl CONNECT method CONNECT
> acl all src 0.0.0.0/0.0.0.0
> http_access allow localnet
> http_access allow localhost
> http_access deny !Safe_ports
> http_access deny CONNECT
> http_access deny all
> log_icp_queries off
>
> This one seems to be caching. I can refresh webmin system info every few
> hours and see that /cache is growing in space used. Although, very
slowly.
>
> Amos Jeffries & tookers; I've taken the working squid.conf (above), and
> applied your suggestions to it (below). Please review this squid.conf
> (below) and make suggestions to it before I put it into production.
Okay some more bits still to do...
>
> http_port 3128
> icp_port 0
> no_cache deny QUERY
Kill the above line.
> cache_mem 512 MB
> maximum_object_size_in_memory 2048 KB
> maximum_object_size 1 GB
> cache_dir ufs /cache 500000 256 256
If you have a Linux system make that AUFS.
If you have one of the BSD systems make that diskd.
Those storage types are faster on their OS that plain ufs. Better handling
for large caches too.
> redirect_rewrites_host_header off
> cache_replacement_policy lru
I'd think "heap lru" might be better. Up to you though.
> acl QUERY urlpath_regex cgi-bin \?
Kill the above line.
> acl all src all
> acl localnet src 10.60.0.0/255.255.0.0
> acl localhost src 127.0.0.1
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/8
> acl Safe_ports port 80 443 210 119 70 21 1025-65535
> acl CONNECT method CONNECT
> http_access allow localnet
> http_access allow localhost
The above two lines should really go down ....
> http_access deny !Safe_ports
> http_access deny CONNECT
... here.
The CONNECT rule does need to be "deny CONNECT !SSL_Ports". With SSL_Ports
defining what HTTPS ports are safe to use. CONNECT can be very unsafe when
email etc ports are allowed since it opens an anonymous random destination
tunnel with no checking on what gets passed through.
> http_access deny all
> icp_access allow our_networks
> icp_access allow localhost
> icp_access deny all
> refresh_pattern \.jpg$ 3600 50% 60 ignore-reload
> refresh_pattern \.gif$ 3600 50% 60 ignore-reload
> refresh_pattern \.css$ 3600 50% 60 ignore-reload
> refresh_pattern \.js$ 3600 50% 60 ignore-reload
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern \.html$ 300 50% 10 ignore-reload
I'd shift that one http pattern above up above the ftp pattern.
Do add back the default . (dot) rule:
refresh_pattern . 0 20% 4320
Amos
Received on Tue Sep 29 2009 - 22:57:08 MDT
This archive was generated by hypermail 2.2.0 : Wed Sep 30 2009 - 12:00:03 MDT