[squid-users] Garbled log files
Hi All,

We have a fairly sized transparent proxy (squid 3.1.12) running around 1k requests per minute. Every now and again, for some seemingly random host to some seemingly random site, squid would log a few requests completely garbled. After a second or two, the requests are logged in plain text as normal...

A sample of a garbled log entry is given below. This naturally causes havoc with web log file analyzers such as calamaris...

    1308301729.706 20 host.name TCP_MISS/400 69453 ^SB5 http://196.43.208.18:3128/+%D4%B0%7C%84%D6 - DIRECT/196.43.208.18 text/html

Any advice?

--
Regards,
Chris Knipe
[squid-users] Re: Squid + MySQL ?
On 05/08/09 10:58 -0400, Maxime Gaudreault wrote:
> Are you sure it works well with log rotation ?

Yes, it does. Do you have an old version of File::Tail perhaps?

Taken from http://search.cpan.org/~mgrabnar/File-Tail-0.99.3/Tail.pm

---
If the file does not get altered for a while, File::Tail gets suspicious and starts checking if the file was truncated, or moved and recreated. If anything like that had happened, File::Tail will quietly reopen the file, and continue reading. The only way to affect what happens on reopen is by setting the reset_tail parameter (see below). The effect of this is that the scripts need not be aware when the logfiles were rotated, they will just quietly work on.
---

--
Chris.
[squid-users] Re: Squid + MySQL ?
Maxime Gaudreault wrote:
> Hi I'm looking for a solution to save bandwidth and bandwidth saving into a MySQL database to display some stats on a web page.

I just parse the logs real-time and insert them into mysql. The below can run as a background process, will tail the log and automatically insert every log entry into a DB in real time. It is aware of log rotations and the like, so it should never need to be restarted (touch wood).

Once the data is in the DB, it's a simple matter of some simple queries...

-- SNIP --

    #!/usr/bin/perl
    ###
    ### Squid Log Traffic Accounting
    ### (c)2005 Chris Knipe sav...@savage.za.org
    ###
    ### Version 1.1a:
    ###   2005-05-02 - Initial Coding began.
    ###
    use File::Tail;
    use Mysql;
    use strict;
    use warnings;

    ###
    ### Constants Variables
    ###
    use constant DBHost  => 'dbhost';
    use constant DBName  => 'dbname';
    use constant DBUser  => 'dbuser';
    use constant DBPass  => 'dbpass';
    use constant LogFile => '/var/log/squid/access.log';

    ###
    ### Code Starts
    ###
    my ($File, $Line) = undef;

    # File::Tail follows the log and reopens it after a rotation.
    $File = File::Tail->new(name => LogFile, maxinterval => 5, interval => 1, adjustafter => 7);

    while (defined($Line = $File->read)) {
      my $GlobalDB = Mysql->connect(DBHost, DBName, DBUser, DBPass);
      $GlobalDB->{'GlobalDB'}->{'PrintError'} = 0;

      # Split one native-format access.log entry into its ten fields.
      my ($When, $ElapseTime, $ClientAddress, $HTTPCode, $Size, $Method, $URL, $Ident, $HierarchyData, $ContentType) = split (/\s+/, $Line);
      my ($Timestamp, $null) = split(/\./, $When);

      # Every value goes through quote() before it is placed in the SQL text.
      my $SQL = $GlobalDB->query("SELECT EntryID FROM PrePaidSquidLogs WHERE Timestamp=" . $GlobalDB->quote($Timestamp)
        . " AND ClientAddress=" . $GlobalDB->quote($ClientAddress)
        . " AND Size=" . $GlobalDB->quote($Size)
        . " AND URL=" . $GlobalDB->quote($URL)
        . " AND Ident=" . $GlobalDB->quote($Ident));

      # Insert only entries that are not already recorded.
      if ($SQL->numrows != 1) {
        $GlobalDB->query("INSERT DELAYED INTO SquidLogs (Timestamp, ElapseTime, ClientAddress, HTTPCode, Size, Method, URL, Ident, HierarchyData, ContentType) VALUES ("
          . $GlobalDB->quote($Timestamp) . ", "
          . $GlobalDB->quote($ElapseTime) . ", "
          . $GlobalDB->quote($ClientAddress) . ", "
          . $GlobalDB->quote($HTTPCode) . ", "
          . $GlobalDB->quote($Size) . ", "
          . $GlobalDB->quote($Method) . ", "
          . $GlobalDB->quote($URL) . ", "
          . $GlobalDB->quote($Ident) . ", "
          . $GlobalDB->quote($HierarchyData) . ", "
          . $GlobalDB->quote($ContentType) . ")");
      }
    }

-- SNIP --

--
Chris.
[squid-users] DNS Caching
Good morning, afternoon, and good evening.

Quick question... Can someone explain to me HOW does squid cache DNS, and how to avoid it? We switch between a couple of live servers via DNS, bind9 and squid 2.5.

Uhm... We have the following:

    webserver1  IN  86400  A      IP
    webserver2  IN  86400  A      IP
    webserver3  IN  86400  A      IP
    www         IN  1      CNAME  webserverX

Now, bind9 runs with query logging as well. Squid uses the correct nameserver for queries (as indicated by cache.log), but named's query log indicates NO queries being made from the Squid IP address (Bind + Squid on the same server).

I've even changed all the below to 1 second TTL: negative_ttl, positive_dns_ttl, and negative_dns_ttl.

From what I can see, I have no 53/UDP traffic from Squid to our nameserver, bind indicates no queries from squid for the URLs that we do the switching from, and we did already have a situation now where we altered the www CNAME record to point to a different server, and squid did NOT pick this up, until after I restarted squid.

What's my solution here? Surely, Squid MUST honour the DNS TTL on the CNAME?? Why is it not honouring the positive/negative_dns_ttl either? How can I avoid squid to cache DNS completely???

Thanks,
Chris.
Re: [squid-users] Multiple ISP setup
On Tue, May 17, 2005 at 11:27:10AM +0300, Wennie V. Lagmay wrote:
> Now I'm having a problem, we are going to add 2nd ISP, on the router side I can define policy based routing so that all IP's of ISP 1 will be routed to ISP1 and IP's of ISP 2 will be routed to ISP2. my problem is for the squid, how can I route request from IP block of ISP1 to ISP 1 and IP block of ISP2 to ISP 2 including cache_peer to ISP1 and ISP2

ACLs, always_direct, never_direct, cache_peer_domain, uhm... And there are a couple of other things that will be of use to you as well.

You can definitely tell a cache_peer which destinations to forward and which not, just RTF a bit.

--
Chris.
Re: [squid-users] Multiple ISP setup
NAT?

--
Chris.

On Tue, May 17, 2005 at 11:49:11AM +0300, Wennie V. Lagmay wrote:
> Another problem for this is that we don't have our own IP so each ISP provides their own IP block, the scenario is that the existing setup was configured with the 1st ISP IP block, and definitely this IP block is not permitted to the second ISP. IF my proxy server IP address belongs to ISP1 how can the proxy server request to ISP 2?
>
> wennie
>
> ----- Original Message -----
> From: Chris Knipe [EMAIL PROTECTED]
> To: Wennie V. Lagmay [EMAIL PROTECTED]
> Cc: squid-users@squid-cache.org
> Sent: Tuesday, May 17, 2005 11:36 AM
> Subject: Re: [squid-users] Multiple ISP setup
>
> > On Tue, May 17, 2005 at 11:27:10AM +0300, Wennie V. Lagmay wrote:
> > > Now I'm having a problem, we are going to add 2nd ISP, on the router side I can define policy based routing so that all IP's of ISP 1 will be routed to ISP1 and IP's of ISP 2 will be routed to ISP2. my problem is for the squid, how can I route request from IP block of ISP1 to ISP 1 and IP block of ISP2 to ISP 2 including cache_peer to ISP1 and ISP2
> >
> > ACLs, always_direct, never_direct, cache_peer_domain, uhm... And there are a couple of other things that will be of use to you as well.
> >
> > You can definitely tell a cache_peer which destinations to forward and which not, just RTF a bit.
> >
> > --
> > Chris.
Re: [squid-users] my squid box spoofed !!
On Mon, May 16, 2005 at 10:42:31AM +0300, Alex wrote:
> Dear All, i have a problem with my squid proxy.. suddenly its performance decrease and i never get the speed i expect from my squid box, and when i tail to access.log i find a weird line of information there,, please find it below :
>
> 1115668842.640 14680 61.224.206.211 TCP_MISS/200 824 CONNECT 205.188.156.185:25 - DIRECT/205.188.156.185 -

Your squid box is an open relay for the entire world to use, and everyone is more than likely accessing the internet through it, sending thousands of spam emails, and what not.

I would suggest that you have an immediate look at your ACLs and tie them down.

--
Chris.
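Both symptoms reported in this archive, the garbled access.log entry in the "Garbled log files" post and the CONNECT to port 25 in the post above, can be caught by a strict log parser. The following is an added example, not code from the list or from the Squid project; it assumes Squid's native log format and that only CONNECT to port 443 is expected, and every sample line except the two quoted on this page is constructed.

```python
import re

# Methods accepted as "real" HTTP; anything else in the method column is
# treated as a garbled entry and kept away from the log analyzer.
HTTP_METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS",
                "TRACE", "CONNECT", "PATCH", "PROPFIND", "PURGE"}
ALLOWED_CONNECT_PORTS = {443}   # assumption: only HTTPS tunnels are legitimate


def parse_line(line):
    """Parse one native-format entry; return None when it is malformed."""
    fields = line.split()
    if len(fields) != 10:
        return None
    when, elapsed, client, result, size, method, url = fields[:7]
    if not re.fullmatch(r"\d+\.\d+", when):
        return None
    if not (elapsed.isdigit() and size.isdigit()):
        return None
    if method not in HTTP_METHODS or "/" not in result:
        return None
    code, status = result.split("/", 1)
    return {"time": float(when), "client": client, "code": code,
            "status": status, "bytes": int(size), "method": method,
            "url": url}


def connect_port(target):
    """Port of a CONNECT target such as 'host:443', or None if absent."""
    _host, sep, port = target.rpartition(":")
    return int(port) if sep and port.isdigit() else None


def triage(lines):
    """Split a log into garbled lines and tunnels to unexpected ports."""
    garbled, tunnels = [], []
    for raw in lines:
        raw = raw.rstrip("\n")
        if not raw.strip():
            continue
        entry = parse_line(raw)
        if entry is None:
            garbled.append(raw)
            continue
        # A TCP_DENIED CONNECT means the ACLs already refused the tunnel.
        if entry["method"] == "CONNECT" and not entry["code"].endswith("DENIED"):
            port = connect_port(entry["url"])
            if port not in ALLOWED_CONNECT_PORTS:
                entry["port"] = port
                tunnels.append(entry)
    return garbled, tunnels


SAMPLE_LOG = [
    # quoted on this page ("Garbled log files")
    "1308301729.706 20 host.name TCP_MISS/400 69453 ^SB5 "
    "http://196.43.208.18:3128/+%D4%B0%7C%84%D6 - DIRECT/196.43.208.18 text/html",
    # quoted on this page ("my squid box spoofed !!")
    "1115668842.640 14680 61.224.206.211 TCP_MISS/200 824 CONNECT "
    "205.188.156.185:25 - DIRECT/205.188.156.185 -",
    # constructed: ordinary request, HTTPS tunnel, tunnel refused by ACL
    "1115668850.101 210 192.168.1.20 TCP_MISS/200 5120 GET "
    "http://www.example.com/ - DIRECT/192.0.2.10 text/html",
    "1115668851.300 950 192.168.1.20 TCP_MISS/200 3300 CONNECT "
    "www.example.com:443 - DIRECT/192.0.2.10 -",
    "1115668852.000 1 203.0.113.9 TCP_DENIED/403 1400 CONNECT "
    "198.51.100.7:25 - NONE/- text/html",
]

if __name__ == "__main__":
    bad, relayed = triage(SAMPLE_LOG)
    for line in bad:
        print("garbled:", line)
    for t in relayed:
        print("tunnel: %s -> %s" % (t["client"], t["url"]))
```

A tunnel reported here was allowed by the proxy, so each hit points at an http_access rule that needs tightening rather than at a logging problem.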
Re: [squid-users] Log file
squid -k rotate

On Mon, May 16, 2005 at 12:02:38PM +0300, Wennie V. Lagmay wrote:
> Hi, My access.log file is this size 4443864799 May 16 11:56 access.log. can I just copy this file into another machine and delete it on my squid server without any problem?
>
> thank you,
> Wennie
[squid-users] authentication / acl
Hi,

I've written a custom authentication handler, which does seem to work. Reads from STDIN, Authenticates, and returns either OK or ERR on STDOUT back to squid.

My next step, I want to allow a certain block of addresses http_access, deny everyone else, but also allow any request that was successfully authenticated.

I've got the following in squid.conf

    # Authentication scripts
    auth_param basic program /usr/local/libexec/squid/my_auth
    auth_param basic children 25
    auth_param basic realm Proxy Authentication
    auth_param basic credentialsttl 2 hours
    auth_param basic casesensitive off

The above seem to work. When using a browser, I am prompted for my username and password.

    # ACL to setup authenticated users, as well as the src addresses of the static
    # addresses to allow through the proxy.
    acl local src x.x.x.x/y
    acl authenticated proxy_auth REQUIRED

    # http_access rules.
    http_access allow local
    http_access allow authenticated
    http_access deny all

Basically, what happens is that squid prompts for my username and password, yet, after I enter them, squid just sits there. Error log / access log shows nothing, and the browser eventually times out. This is with squid 2.5-STABLE9.

A quick debug shows that squid is never passing the information to the authentication script, so I'm not sure what I did wrong... My auth_param should be fine though, right???

--
Chris.
Re: [squid-users] authentication / acl
On Wed, May 11, 2005 at 09:02:23PM +1200, D E Radel wrote:
> From: Chris Knipe [EMAIL PROTECTED]
> > I've written a custom authentication handler, which does seem to work. Reads from STDIN, Authenticates, and returns either OK or ERR on STDOUT back to squid.
> >
> > My next step, I want to allow a certain block of addresses http_access, deny everyone else, but also allow any request that was successfully authenticated.
> >
> > I've got the following in squid.conf
> >
> > # Authentication scripts
> > auth_param basic program /usr/local/libexec/squid/my_auth
> > ...
> > A quick debug shows that squid is never passing the information to the authentication script, so I'm not sure what I did wrong... My auth_param should be fine though, right???
>
> How are you reading the STDIN in your script? I recently was shown how:
>
> #!/bin/sh
> while read INP; do
> x=`echo "$INP" | /usr/lib/squid/ldap_auth -R .`

I'm positive this is right (I'll be HIGHLY surprised if it is not), but yeah. The Radius Authentication perl script operates on the same way...

Relevant section of the perl code

    my $GlobalDB = Mysql->connect(DBHost, DBName, DBUser, DBPass);
    $GlobalDB->{'GlobalDB'}->{'PrintError'} = 0;

    if ($GlobalDB) {
      # This is the main loop for authentication requests
      while (<STDIN>) {
        chop($_);
        my @Info = split(/ /, $_);
        my $SQL = $GlobalDB->query("VALIDATE USER ON MYSQL USING $Info[0] AND $Info[1]");
        if ($SQL->numrows != 1) {
          print "ERR";
        } else {
          print "OK";
        }
      }
    }

The queries never make it to my database. When running the script for testing purposes, it works...

    [EMAIL PROTECTED]:/usr/local/libexec/squid# /usr/local/libexec/squid/cenergy_auth
    username password
    OK^C

Squid does start the perl childs to run the script. I am however doubting that Squid actually sends the requests off to the script - the scripts never queries anything to the database when ran from squid . :(

--
Chris.
Re: [squid-users] authentication / acl
On Wed, May 11, 2005 at 11:25:49AM +0200, Chris Knipe wrote:
> On Wed, May 11, 2005 at 09:02:23PM +1200, D E Radel wrote:
> > From: Chris Knipe [EMAIL PROTECTED]
> > > I've written a custom authentication handler, which does seem to work. Reads from STDIN, Authenticates, and returns either OK or ERR on STDOUT back to squid.
> > >
> > > My next step, I want to allow a certain block of addresses http_acess, deny everyone else, but also allow any request that was successfully authenticated.
> > >
> > > I've got the following in squid.conf
> > >
> > > # Authentication scripts
> > > auth_param basic program /usr/local/libexec/squid/my_auth
> > > ...
> > > A quick debug, shows that squid is never passing the information to the authentication script, so I'm not sure what I did wrong... My auth_param should be fine though, right???

Turned on some debugging... I am now seeing

    2005/05/11 12:36:23| The request GET http://www.microsoft.com/ is DENIED, because it matched 'Authenticated'

What is weird is that squid will accept auth_param basic program, but it wont accept authenticate_program??

--
Chris.
Re: [squid-users] authentication / acl
On Wed, May 11, 2005 at 11:01:13PM +1200, D E Radel wrote:
> From: Chris Knipe [EMAIL PROTECTED]
> > [EMAIL PROTECTED]:/usr/local/libexec/squid# /usr/local/libexec/squid/cenergy_auth
> > username password
> > OK^C
> >
> > Squid does start the perl childs to run the script. I am however doubting that Squid actually sends the requests off to the script - the scripts never queries anything to the database when ran from squid . :(
>
> What happens if you type:
> echo username password | /usr/local/libexec/squid/cenergy_auth

    [EMAIL PROTECTED]:~# echo username password | /usr/local/libexec/squid/cenergy_auth
    ERR
    [EMAIL PROTECTED]:~# echo USER PASS | /usr/local/libexec/squid/cenergy_auth
    OK
    [EMAIL PROTECTED]:~#

First one is a username/password that is invalid (for testing purposes), the second is a actual user that exist - and as you can see, this is working.

The authenticator queries a mysql database though, and what is bothering me EXTREMELY is that the script does not even query the database. It would seem to me that squid never pass the authentication request to the script.

--
Chris.
Re: [squid-users] authentication / acl
On Wed, May 11, 2005 at 01:08:34PM +0200, Chris Knipe wrote:
> On Wed, May 11, 2005 at 11:01:13PM +1200, D E Radel wrote:
> > From: Chris Knipe [EMAIL PROTECTED]
> > > [EMAIL PROTECTED]:/usr/local/libexec/squid# /usr/local/libexec/squid/cenergy_auth
> > > username password
> > > OK^C
> > >
> > > Squid does start the perl childs to run the script. I am however doubting that Squid actually sends the requests off to the script - the scripts never queries anything to the database when ran from squid . :(
> >
> > What happens if you type:
> > echo username password | /usr/local/libexec/squid/cenergy_auth
>
> [EMAIL PROTECTED]:~# echo username password | /usr/local/libexec/squid/cenergy_auth
> ERR
> [EMAIL PROTECTED]:~# echo USER PASS | /usr/local/libexec/squid/cenergy_auth
> OK
> [EMAIL PROTECTED]:~#

debug from ACLs...

    2005/05/11 13:13:30| aclMatchAclList: checking all
    2005/05/11 13:13:30| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
    2005/05/11 13:13:30| aclMatchIp: '165.146.152.31' found
    2005/05/11 13:13:30| aclMatchAclList: checking Authenticated
    2005/05/11 13:13:30| aclMatchAcl: checking 'acl Authenticated proxy_auth REQUIRED'
    2005/05/11 13:13:30| authenticateAuthenticate: broken auth or no proxy_auth header. Requesting auth header.
    2005/05/11 13:13:30| aclMatchAcl: returning 0 sending authentication challenge.
    2005/05/11 13:13:30| aclMatchAclList: no match, returning 0
    2005/05/11 13:13:30| aclCheck: requiring Proxy Auth header.
    2005/05/11 13:13:30| aclCheck: match found, returning 2
    2005/05/11 13:13:30| aclCheckCallback: answer=2

^^^ and there it just sits

--
Chris.
Re: [squid-users] authentication / acl
On Wed, May 11, 2005 at 11:27:19PM +1200, D E Radel wrote:
> From: Chris Knipe [EMAIL PROTECTED]
> > Turned on some debugging... I am now seeing
> >
> > 2005/05/11 12:36:23| The request GET http://www.microsoft.com/ is DENIED, because it matched 'Authenticated'
>
> hmm... I'm reasonably new to squid, but I would've thought that authenticated would be a reserved word.
>
> > What is weird is that squid will accept auth_param basic program, but it wont accept authenticate_program??
>
> I see authenticate_program in the list of external functions for Squid 2.4:
> http://squid.visolve.com/squid/squid24s1/externals.htm
> However, I didn't see auth_param in that list.
>
> Perhaps authenticate_program is deprecated and we are to use auth_param now? I see that auth_param is in the Squid 3.0 manual, but authenticate_program isn't:
> http://squid.visolve.com/squid/squid30/externalsupport.html#auth_param

Hmmm ok. Well I did add some debugging to my custom auth perl script via syslog... It never receives anything from squid to authenticate, and that's what debug tells me. $_ is always empty as far as my script goes.

This is definitely something with my squid config that is not on par...

--
Chris.
Re: [squid-users] authentication / acl
On Wed, May 11, 2005 at 11:50:28PM +1200, D E Radel wrote:
> > Hmmm ok. Well I did add some debugging to my custom auth perl script via syslog... It never receives anything from squid to authenticate, and that's what debug tells me. $_ is always empty as far as my script goes.
> >
> > This is definitely something with my squid config that is not on par...
> >
> > --
> > Chris.
>
> These lines look ok:
>
> auth_param basic program /usr/local/libexec/squid/my_auth
> auth_param basic children 25
> auth_param basic realm Proxy Authentication
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
>
> Perhaps the word authenticated is a reserved word in Squid?
>
> acl authenticated proxy_auth REQUIRED
> http_access allow authenticated

I already changed the acl name. It made no difference.

> Just a thought. When using authentication, I think you may not need the following lines:
>
> acl local src x.x.x.x/y
> http_access allow local
>
> No errors when you manually restart squid from the commandline?
>
> Dietrich

This is for a network that should pass through the proxy without authentication. I did try without it - everything is still 100% the same *shrugs*

--
Chris.
Re: [squid-users] authentication / acl
On Wed, May 11, 2005 at 02:00:16PM +0200, Henrik Nordstrom wrote:
> On Wed, 11 May 2005, Chris Knipe wrote:
> > Basically, what happens is that squid prompts for my username and password, yet, after I enter them, squid just sits there. Error log / access log shows nothing, and the browser eventually times out. This is with squid 2.5-STABLE9
>
> The usual cause to this is if you forgot to disable output buffering in your custom authenticator program. The UNIX libc by default buffers output.
>
> In perl: $|=1;

Hendrik,

You're not going to believe me, but I have tried that. Originally, the script did have buffering off... Enabled / Disabled, still the same.

The *entire* script with confidential stuff removed...

    use Mysql;
    use Sys::Syslog;
    use strict;
    use warnings;

    ###
    ### Constants Variables
    ###
    use constant DBHost => 'DBHOST';
    use constant DBName => 'DBNAME';
    use constant DBUser => 'DBUSER';
    use constant DBPass => 'DBPASS';

    ###
    ### Code Starts
    ###
    # Disable output buffering
    $|=1;

    my $GlobalDB = Mysql->connect(DBHost, DBName, DBUser, DBPass);
    $GlobalDB->{'GlobalDB'}->{'PrintError'} = 0;

    if ($GlobalDB) {
      # This is the main loop for authentication requests
      while (<STDIN>) {
        syslog('info', 'Received: ', $_);
        chop($_);
        my @Info = split(/ /, $_);
        # quote() escapes the username and password before they enter the SQL text
        my $SQL = $GlobalDB->query("SELECT CustData.isProxy AS Validated FROM CustData LEFT JOIN SquidUsers ON CustData.EntryID=SquidUsers.CustID WHERE SquidUsers.isActive='y' AND SquidUsers.Qouta 100 AND CustData.isProxy='y' AND CustData.isActive='y' AND CustData.DebtCode=" . $GlobalDB->quote($Info[0]) . " AND CustData.Password=" . $GlobalDB->quote($Info[1]));
        if ($SQL->numrows != 1) {
          print "ERR\n";
        } else {
          print "OK\n";
        }
      }
    } else {
      syslog('info', 'Dataconnection failed');
    }

What is scaring, is that I have absolutely NOTHING reported by syslog

--
Chris.
Re: [squid-users] authentication / acl
On Wed, May 11, 2005 at 02:02:12PM +0200, Chris Knipe wrote:
>     # This is the main loop for authentication requests
>     while (<STDIN>) {

^ Either squid, or perl does not like this

    while (my $Input = <STDIN>) {

Works :) *yay* it only took me a day to figure this out!! *shrugs*

Thanks for the help guys,
Chris.
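The helper exchange this thread debugs (one "username password" line in, one OK or ERR line out, flushed immediately) is shown below as an added example; it is not the poster's script and not code from the Squid project. It assumes Squid URL-escapes both fields, substitutes an in-memory SQLite table with constructed users and PBKDF2 password hashes for the thread's MySQL tables, and passes the credentials as bound parameters instead of building the SQL text from them.

```python
import hashlib
import hmac
import sqlite3
import sys
from urllib.parse import unquote

PBKDF2_ROUNDS = 100_000


def hash_password(password, salt):
    """Derive the stored verifier for a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_demo_db():
    """Constructed user table standing in for the real account database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, "
               "salt BLOB, pwhash BLOB, active INTEGER)")
    for name, password, active in (("alice", "s3cret pass", 1),
                                   ("bob", "hunter2", 0)):
        # Fixed salt so the demo is repeatable; use os.urandom(16) for real users.
        salt = hashlib.sha256(name.encode()).digest()[:16]
        db.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                   (name, salt, hash_password(password, salt), active))
    return db


def check_line(db, line):
    """Answer one request line from Squid with 'OK' or 'ERR'."""
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) != 2:
        return "ERR"
    # Spaces and other special characters arrive URL-escaped (assumption).
    username, password = (unquote(p) for p in parts)
    # Bound parameters: the credentials never become part of the SQL text.
    row = db.execute("SELECT salt, pwhash FROM users "
                     "WHERE username = ? AND active = 1",
                     (username,)).fetchone()
    if row is None:
        return "ERR"
    salt, pwhash = row
    candidate = hash_password(password, salt)
    return "OK" if hmac.compare_digest(candidate, pwhash) else "ERR"


def serve(db, infile=sys.stdin, outfile=sys.stdout):
    """Main loop: one answer per request, flushed so Squid never waits."""
    for line in infile:
        outfile.write(check_line(db, line) + "\n")
        outfile.flush()


if __name__ == "__main__":
    serve(make_demo_db())
```

Piping a line into the script, as done with `echo` earlier in the thread, exercises the same path Squid uses.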
[squid-users] traffic accounting
Righty :)

I have my authenticator working. I have my squid logs parsed and inserted into MySQL real time... I have all the data that squid provides.

A couple of questions... I know that squid will only make an entry in its log file once a request has been completed. This makes sense, as it is the most accurate way for squid to log where the object came from, how big it is, and a lot of other things as well.

Now, are aborted downloads logged as well??? And most importantly, how is streaming audio / video handled???

Basically, it boils down to how accurate is access.log in regards to its logging, and most importantly the size aspect in the log file for object? Is there anything I need to be 'aware' of in regards to ensuring that my access.log stays up to date and accurate? I'm not using buffered logs, and I'm not resolving IP addresses either (to try speed things up). Anything else???

--
Chris.

I love deadlines. I especially love the whooshing sound they make as they fly by... - Douglas Adams, 'Hitchhiker's Guide to the Galaxy'
[squid-users] Fw: logging
Hi,

I was just wondering quickly... Can squid log to pipes??? I want to log to an application to insert the logs in real time to a mysql database... Something similar to 'cronolog' that is used with Apache...

Thanks,

--
Chris.

I love deadlines. I especially love the whooshing sound they make as they fly by... - Douglas Adams, 'Hitchhiker's Guide to the Galaxy'
Re: [squid-users] No cache to one IP address
----- Original Message -----
From: Henrik Nordstrom [EMAIL PROTECTED]
To: razidan [EMAIL PROTECTED]
Cc: squid-users@squid-cache.org
Sent: Monday, March 07, 2005 1:45 PM
Subject: Re: [squid-users] No cache to one IP address

> On Mon, 7 Mar 2005, razidan wrote:
> > hi! I'm trying to configure squid so that web traffic to my IP address will
^^^
> > not be cached. I added the following line into squid.conf but it's still caching all the websites i visit.
> >
> > acl ipnocache src 192.168.0.14

Excuse me. But shouldn't it be dst ? (match TO 192.168.0.14, not FROM) ?

--
Chris.
[squid-users] two simple questions
Hi,

Just 2 quickies...

1) Does squid cache objects locally fetched from a SIBLING parent?, and

2) Whilst I know squid is not a RTSP / MMS / add your fav streaming protocol here, what is the standing on HTTP streaming? Things like NetAPP proxies have a feature where a stream is fetched only once, and then distributed from the cache to the clients accessing the specific stream. Can something similar be possible on squid (obviously, limited to HTTP streaming only). I'm mostly interested in somehow getting shoutcast streams to be fetched only once and distributed from the cache to clients. Thus, I actually only have one connection from the proxy to the stream, and can have say 40 from the proxy to the clients.

I hope this makes sense...

--
Chris.
[squid-users] always / never_direct
Lo all,

Can someone please just assist me with always/never_direct?

I have two cache peers configured. The one will be used per default, the other only for certain IP addresses.

    cache_peer x.x.x.x parent 3128 0
    cache_peer y.y.y.y parent 3128 0

Then, I have a ACL to setup the certain IP addresses.

    acl blah dst a.a.a.a/b

Lastly, I have the access list to allow only the certain addresses via the peer.

    cache_peer_access x.x.x.x allow blah

Now, by default, my proxy seems to want to fetch everything directly and ignores the cache peers all together. I suspect what I need now, is always/never_direct, to force squid to ALWAYS use cache_peer x.x.x.x for acl blah, and ALWAYS use cache_peer y.y.y.y for the rest.

Can anyone give me the one or two lines required? :) I tried never_direct deny blah (and always_direct deny blah) - to no avail though. Squid still happily fetches the objects directly.

--
Chris.
[squid-users] custom auth handlers...
Lo all,

Simple question I think... It's more than likely a error with a 3 line bash script... But ja err, I have

squid.conf:

    auth_param basic program /usr/local/libexec/squid/auth.pl
    auth_param basic children 15
    auth_param basic realm Private Proxy
    authenticate_ttl 3600 seconds
    authenticate_ip_ttl 86400 seconds

then... auth.pl is really simple:

    echo $1 $2 >> /usr/local/libexec/squid/auth.log
    echo OK

This work... Any username / password gets authenticated and are allowed access through the proxy. However, according to auth.log, $1 and $2 is empty... How / What does squid give to the script? Because according to the web sites, it should be the username and the password, but I don't seem to get any variables...

Yes, I know this is EXTREMELY basic... The idea is that I would have a custom auth handler to authenticate users via a database of some sort.

Thanks for the help,

--
me
[squid-users] always/never_direct....
Lo all,

I seem to not understand always_direct / never_direct properly

    acl local src 66.18.x.x/29

    cache_peer a.a.a.a parent 3128 0 no-query no-digest no-netdb-exchange round-robin
    cache_peer b.b.b.b parent 3128 0 no-query no-digest no-netdb-exchange round-robin
    cache_peer c.c.c.c parent 3128 0 no-query no-digest no-netdb-exchange round-robin

    always_direct allow local
    never_direct allow all

The basic idea is that everything is fetched from the parent cache, EXCEPT for those (destination) ip addresses specified in local... EVERYTHING else, gets fetched from the parent caches provided squid does not have it cached locally already (different between sibling and parent cache, right?)...

The clients are in 192.168.1.0/24 accessing squid transparently...

So, what's wrong with this picture... I'm pretty sure I am missing something in the never/always_direct, but I'm not sure what.

On another note, I average about a 40% hit rate at the moment... With a lot of refresh_patterns, and only a mere 512MB proxy dir. Would adding another 1GB or so for squid make any significant changes to the hit rate?? And, whilst I know it prob wont be recommended, will a cache_dir operate successfully on a NFS Mount??

Regards,
Chris.
[squid-users] Re: always/never_direct....
OK,

Nevermind, I saw my fault on the ACL and it's working nicely now :))

Thanks,

----- Original Message -----
From: Chris Knipe [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, March 15, 2004 4:24 PM
Subject: always/never_direct

> Lo all,
>
> I seem to not understand always_direct / never_direct properly
>
> acl local src 66.18.x.x/29
>
> cache_peer a.a.a.a parent 3128 0 no-query no-digest no-netdb-exchange round-robin
> cache_peer b.b.b.b parent 3128 0 no-query no-digest no-netdb-exchange round-robin
> cache_peer c.c.c.c parent 3128 0 no-query no-digest no-netdb-exchange round-robin
>
> always_direct allow local
> never_direct allow all
>
> The basic idea is that everything is fetched from the parent cache, EXCEPT for those (destination) ip addresses specified in local... EVERYTHING else, gets fetched from the parent caches provided squid does not have it cached locally already (different between sibling and parent cache, right?)...
>
> The clients are in 192.168.1.0/24 accessing squid transparently...
>
> So, what's wrong with this picture... I'm pretty sure I am missing something in the never/always_direct, but I'm not sure what.
>
> On another note, I average about a 40% hit rate at the moment... With a lot of refresh_patterns, and only a mere 512MB proxy dir. Would adding another 1GB or so for squid make any significant changes to the hit rate?? And, whilst I know it prob wont be recommended, will a cache_dir operate successfully on a NFS Mount??
>
> Regards,
> Chris.
Re: [squid-users] squid 2.5-stable4 and mrtg 2.9.29
> kraken squid # snmpwalk -c public -v 1 localhost:3401
> SNMPv1_Session (remote host: kraken.transwitch.co.za [192.168.199.2].3401)

Check where you are querying, and check your ACLs.

--
me
[squid-users] store dirs...
Lo all, Very quickly... Can two separate squid proxies share a single store directory?? Say, two separate machines, sharing a single store directory via a SAN or a NAS. Thanks, me
Re: [squid-users] peering
> > On my parent proxy however, I get constant 403's when the sibling tries to query it. I suspect it is a acl that I am missing, but I'm not sure what...
>
> The other peer needs to be allowed to access the server in http_access. If not they will be given 403 on attempt to access the cache, just as any other http client not allowed by http_access.

Yup. Thanks Hendrik, I've seem to sort it out. Apart from a small glitch in the ACL, I seemed to have made a mistake with miss_access as well. A couple of minutes on google did fix it however.

> > 1058645715.781 4 x.x.x TCP_DENIED/403 1469 GET y.y.y:3128/squid-internal-dynamic/netdb - NONE/- text/html
>
> Is it intentional to use netdb exchanges? If not disable them in the cache_peer line..

Okkies, will do that... It's all working brilliantly now though... My hit rates went up with an additional 40% odd, so I'm quite impressed. :)

--
me
[squid-users] peering
Lo everyone,

I have setup two squid servers in a parent sibling relation. The peering itself seems to be setup correctly, both proxies start, and I can see that both proxies contact each other via the cache log.

On my parent proxy however, I get constant 403's when the sibling tries to query it. I suspect it is a acl that I am missing, but I'm not sure what...

    1058645715.781 4 x.x.x TCP_DENIED/403 1469 GET y.y.y:3128/squid-internal-dynamic/netdb - NONE/- text/html

x.x.x.x is my sibling proxy, plain and simply setup with:

    cache_peer y.y.y.y parent 3128 3130 default

I have given x.x.x.x ICMP Query access (ACL), as well as http query access.

What am I missing?