Re: [squid-users] Re: Squid only caches a few images and TCP_Miss everything else

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 18 Jul 2013 11:58:56 +1200

On 18/07/2013 4:36 a.m., jc.yin wrote:
> Umm here's what I got after I ran the command

Okay, something to tune up ...

You may find it easier to work with if you remove the documentation
comments out of the squid.conf file permanently and use just a few
comments noting to yourself what the bits you are using are doing.

> acl manager proto cache_object
> acl localhost src 127.0.0.1/32 ::1
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
> acl localnet src 198.211.119.7

This definition of what the machine LAN IP range is differs from
everything you have been demonstrating via the other tests we had you do
in the other threads.

If this is the same "reverse-proxy" you were talking about the last few
days that should be:
   acl localnet src 192.168.1.0/24
   acl localnet src fe80::/16

matching the IP ranges shown by ifconfig (or better the "ip addr"
command) for the proxy box.

> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access allow

Above line is useless. As mentioned in that WARNING by Squid it does
nothing and gets ignored completely. Remove it.

> http_access allow manager localhost
> http_access allow manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost

The default "http_access allow localnet" is missing here.

> http_access allow all
> miss_access allow all

Is this the reverse-proxy box we have been discussing in the other
threads? or a completely separate one?
I see no reverse-proxy config lines in this config file at all. The
above lines just make your proxy into an "open proxy" and easily abused
by anyone on the Internet who can reach it (and you published the public
IP address earlier).

> http_port 3128 ignore-cc

"ignore-cc" is only safe on a reverse-proxy box. On any other traffic it
ignores the revalidation and staleness requirements indicated by the
client and sends the cached copy regardless of any bad effects on UX.

> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320

You are using the "." pattern here. This matches all traffic which tests
refresh_pattern. None of the refresh_pattern rules below will have any
effect.

This is lucky because you have "ignore-cc" on the port and if those
overrides like "ignore-private" on the below patterns had been working
your users' UX could have been completely screwed up with people
receiving others' private response objects and refresh button in browsers
completely unable to fix the UX problems.

> cache_mem 512 MB
> cache_dir ufs /var/spool/squid3 15000 16 256
> coredump_dir /var/spool/squid3
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
> refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200 override-expire
> ignore-no-cache ignore-no-store ignore-private
> refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90%
> 432000 override-expire ignore-no-cache ignore-no-store ignore-private
> refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff)$
> 10080 90% 43200 override-expire ignore-no-cache ignore-no-store
> ignore-private
> refresh_pattern -i \.index.(html|htm)$ 0 40% 10080
> refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
> refresh_pattern . 0 40% 40320
> cache_effective_user proxy
> cache_effective_group proxy
Received on Wed Jul 17 2013 - 23:59:12 MDT
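
The points raised in the reply above (an http_access line with no ACL, "allow all" on a box with no reverse-proxy config, "ignore-cc" on such a port, and refresh_pattern rules placed after a "." pattern) can be checked mechanically. This is an added example, not part of the original message or of Squid: a small Python audit run over a constructed squid.conf excerpt. Treating an `accel` option on `http_port` as the marker of a reverse proxy is an assumption of this example.

```python
# Constructed sample, modelled on the directives quoted in the message above.
SAMPLE_CONF = r"""
http_access allow
http_access allow localhost
http_access allow all
http_port 3128 ignore-cc
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
refresh_pattern -i \.(gif|png|jpg)$ 10080 90% 43200 override-expire ignore-private
refresh_pattern . 0 40% 40320
"""

def audit(conf_text):
    """Return (line_no, finding) tuples for the issues raised in the review."""
    findings = []
    rules = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()  # drop trailing comments
        if tokens:
            rules.append((no, tokens))
    # Assumption: an 'accel' http_port marks the box as a reverse proxy.
    is_accel = any(t[0] == "http_port" and "accel" in t[1:] for _, t in rules)
    catch_all = None  # line number of the first refresh_pattern "."
    for no, t in rules:
        if t[0] == "http_access" and len(t) == 2:
            findings.append((no, "http_access without an ACL is ignored"))
        elif t[0] == "http_access" and t[1:] == ["allow", "all"] and not is_accel:
            findings.append((no, "open proxy: allow all on a non-accel proxy"))
        elif t[0] == "http_port" and "ignore-cc" in t[1:] and not is_accel:
            findings.append((no, "ignore-cc on a non-accel port"))
        elif t[0] == "refresh_pattern":
            args = [a for a in t[1:] if a != "-i"]
            if catch_all is not None:
                # First matching refresh_pattern wins, so later rules never apply.
                findings.append((no, f"never used: shadowed by '.' on line {catch_all}"))
            elif args and args[0] == ".":
                catch_all = no
    return findings

if __name__ == "__main__":
    for no, msg in audit(SAMPLE_CONF):
        print(f"line {no}: {msg}")
```
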
