On 12/02/11 10:47, justin hyland wrote:
> I'm trying to get multiple squid servers to act as front-end web
> servers for my main central apache web server, here is my setup so
> far...
So far you have an unrestricted "open proxy". Not good. See below for fixes.
>
> I have changed the IP of the apache server that this sends traffic to,
> to 123.123.123.123, fyi
> Code:
>
> # egrep -v "^#" squid.conf | sed -e '/^$/d'
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
Add:
acl to_localhost dst 0.0.0.0/32
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
NP: Missing reverse proxy ACL and http_access rules indicating what
websites you are hosting.
http://wiki.squid-cache.org/ConfigExamples/Reverse/BasicAccelerator
Note the http_access rules and the extra-special mention that the
reverse-proxy stuff needs to be first in the config file before any of
these forward-proxy restrictions. Order is important.
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow all
After placing the right accelerator http_access rules up above, this
"allow all" can be set back to the safe "deny all".
> icp_access allow all
> http_port 80 accel defaultsite=123.123.123.123 vhost
> cache_peer 123.123.123.123 parent 80 0 no-query originserver name=myAccel
> cache_peer_access myAccel allow all
> hierarchy_stoplist cgi-bin ?
Drop this hierarchy_stoplist for reverse proxies.
> cache_dir ufs /var/spool/squid 2000 16 256
> access_log /var/log/squid/access.log squid
> cache_log /var/log/squid/cache.log
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
If you have 2.7 this QUERY stuff can be dropped.
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
Add right here:
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> always_direct allow all
"always_direct allow all" overrides the one piece of security preventing
your Squid from being an open-proxy. Set the http_access correctly and
remove this or set it back to "always_direct deny all".
> coredump_dir /var/spool/squid
>
> This works wonders.. for about 4 minutes. Then the requests go from
> half a second per page load, to 5 to 10, then 30 or 40 seconds..,
> then it won't even process. The tail -f access_logs shows that it's not
> even hitting apache any longer on the central server, so it's like
> squid freezes up, any idea???
One of the main purposes of a reverse-proxy is to reduce load in the
backend, serving pages from the proxy cache instead. When this is
working the central Apache will not see many hits. Somewhere between 80%
and 100% of all traffic will "disappear" from the Apache log.
Look to the Squid access.log for a full record of actual visitors and
service times.
>
> I have turned off the firewall on the squid server as well as the
> central apache server, and still doesn't help much. I read through
> http://squidproxy.wordpress.com/2007...s-are-hanging/ and did all of
> it, to no avail.
>
> P.S. I doubt this is a connection issue between the servers, as the
> website WITH squid loads just as fast as apache for a few minutes,
> then slowly goes to a halt
With Squid-2 you will need to add this to your configuration file:
never_direct 0 seconds
If the problem persists after all the above changes are made then
debugging why will start to be useful.
Luis mentioned the -X -N command line options that will produce a
full debug output to the terminal/screen stdout.
Alternatively just -X will leave that same trace in Squid's cache.log
for later analysis. Just watch the available disk space when doing it this way.
Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.11
  Beta testers wanted for 3.2.0.4

Received on Sat Feb 12 2011 - 21:05:50 MST
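
Added example, not part of the original thread or of Squid itself: a small Python check that flags the open-proxy conditions pointed out in the reply above, run over the quoted configuration and over a version with the suggested fixes applied. Both configs are constructed from the quoted lines; the ACL name `our_sites` and the domain `www.example.com` are placeholders for the hosted site.

```python
# Constructed sample: access and routing lines taken from the quoted squid.conf.
QUOTED = """\
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
http_access allow manager localhost
http_access deny manager
http_access allow all
http_port 80 accel defaultsite=123.123.123.123 vhost
cache_peer 123.123.123.123 parent 80 0 no-query originserver name=myAccel
cache_peer_access myAccel allow all
hierarchy_stoplist cgi-bin ?
always_direct allow all
"""

# Constructed sample with the reply's fixes; our_sites / www.example.com are placeholders.
FIXED = """\
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl our_sites dstdomain www.example.com
http_access allow our_sites
http_access allow manager localhost
http_access deny manager
http_access deny all
http_port 80 accel defaultsite=123.123.123.123 vhost
cache_peer 123.123.123.123 parent 80 0 no-query originserver name=myAccel
cache_peer_access myAccel allow all
"""

def audit(conf):
    """Return findings for the reverse-proxy issues raised in the reply."""
    rules = [r for r in (l.split("#")[0].split() for l in conf.splitlines()) if r]
    site_acls = {r[1] for r in rules if r[0] == "acl" and len(r) > 2 and r[2] == "dstdomain"}
    access = [r[1:] for r in rules if r[0] == "http_access"]
    findings = []
    if not any(a[:1] == ["allow"] and set(a[1:]) & site_acls for a in access):
        findings.append("no http_access allow rule names the hosted sites (dstdomain ACL)")
    if ["allow", "all"] in access:
        findings.append("http_access allow all: any client may request any URL")
    if not access or access[-1] != ["deny", "all"]:
        findings.append("last http_access rule is not 'deny all'")
    if ["always_direct", "allow", "all"] in rules:
        findings.append("always_direct allow all: requests go direct, not via the cache_peer")
    if any(r[0] == "hierarchy_stoplist" for r in rules):
        findings.append("hierarchy_stoplist is set on a reverse proxy")
    return findings
```

Calling `audit(QUOTED)` returns five findings and `audit(FIXED)` returns an empty list.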