Re: [squid-users] Advice on Cache Peer ACLs
Thanks for the great explanation. Much appreciated.

On Fri, Aug 30, 2019, at 2:10 PM, Alex Rousskov wrote:
> On 8/30/19 2:41 PM, sq...@buglecreek.com wrote:
>
> > All requests will always start with www.example.com/ or
> > origin-www.example.com/
>
> If that is true, why check domain names at all? When you write an ACL
> that checks for X, it is reasonable to assume that X may not happen. My
> evaluation of your rules made that assumption.
>
> > Are you saying I should have the following for .4 and .5 instead of what
> > I'm currently using?
> >
> > cache_peer 192.168.1.5 parent 80 0 no-query no-digest
> > connect-fail-limit=10 weight=1 originserver round-robin
> > cache_peer_access 192.168.1.5 allow limited
> > cache_peer_access 192.168.1.5 allow all_requests
> > cache_peer_access 192.168.1.5 deny all
>
> No, the above does not match what you want to achieve AFAICT. If domain
> names matter, then you should have something like this:
>
> > cache_peer_access 192.168.1.5 allow limited all_requests
> > cache_peer_access 192.168.1.5 deny all
>
> Needless to say, the name "all_requests" is very misleading, pointing to
> the same inconsistency/problem we are discussing. I will use "myDomains"
> below but you may find a better name based on your business logic.
>
> The "limited" name also looks like a poor choice because all ACLs
> (except "all") limit matching. I will use mapOneOrTwo below instead.
>
> If you fix the names, the rules become simpler/readable. For example:
>
> cache_peer_access 192.168.1.1 deny mapOneOrTwo
> cache_peer_access 192.168.1.1 allow myDomains
> cache_peer_access 192.168.1.1 deny all
>
> ...
>
> cache_peer_access 192.168.1.5 allow mapOneOrTwo myDomains
> cache_peer_access 192.168.1.5 deny all
>
> You can achieve even better clarity if you use negation, but I usually
> recommend against negating ACLs:
>
> cache_peer_access 192.168.1.1 allow !mapOneOrTwo myDomains
> cache_peer_access 192.168.1.1 deny all
>
> ...
>
> cache_peer_access 192.168.1.5 allow mapOneOrTwo myDomains
> cache_peer_access 192.168.1.5 deny all
>
> Finally, if domain names do _not_ matter, then you will just have:
>
> cache_peer_access 192.168.1.1 deny mapOneOrTwo
> cache_peer_access 192.168.1.1 allow all
>
> ...
>
> cache_peer_access 192.168.1.5 allow mapOneOrTwo
> cache_peer_access 192.168.1.5 deny all
>
> HTH,
>
> Alex.
>
> P.S. If possible, mapOneOrTwo should be replaced with something more
> meaningful according to your business logic.
>
> > On Fri, Aug 30, 2019, at 11:41 AM, Alex Rousskov wrote:
> >> On 8/30/19 11:44 AM, cred...@eml.cc wrote:
> >>> We use several squid servers in accelerator mode for load balancing to
> >>> send public requests to backend servers. The squids don't do any
> >>> caching, they just forward requests to the backend.
> >>>
> >>> We have cache_peer directives to send the incoming requests to the
> >>> backend Apache servers. What I need to do is send requests to a certain
> >>> page to a specific backend server and all others to the other backends.
> >>> The site has many pages, subpages etc.
> >>>
> >>> What I want to do is if someone requests:
> >>> https://www.example.com/anything/anything/script.php or
> >>> https://origin-www.example.com/anything/anything/etc/etc/script.php
> >>>
> >>> Send the request to only .1, .2, .3.
> >>>
> >>> If someone requests:
> >>> https://www.example.com/anything/tst/map2/script.php or
> >>> https://origin-www.example.com/anything/anything/tst/map1/etc/script.php
> >>>
> >>> Send that request only to .4 and .5.
> >>>
> >>> It seems to work most of the time, but tailing the access logs on the
> >>> servers I sometimes see one of the requests for ../tst/map2/... or map1
> >>> show up on .1, .2, or .3.
> >>
> >> Do Squid access logs have the corresponding records as well? What cache
> >> peer selection algorithm does Squid record for those misdirected
> >> transactions?
> >>
> >>> Is there something I'm missing?
> >>
> >> Could Squid go direct to one of those origin servers (e.g., when all
> >> eligible cache peers were down)?
> >>
> >> BTW, please note that your cache_peer_access rules look inconsistent:
> >> Your cache_peer_access .1-3 rules require certain domain names but .4-5
> >> rules do not. This does not explain the discrepancy you are describing
> >> above, but you may want to adjust your rules for consistency's sake
> >> (either to ignore dstdomain completely or to require correct domains for
> >> all cache peers).
> >>
> >> HTH,
> >>
> >> Alex.
> >>
> >>> acl all_requests dstdomain -n www.example.com origin-www.example.com
> >>> acl limited url_regex -i /tst/map1|/tst/map2
> >>>
> >>> cache_peer 192.168.1.1 parent 80 0 no-query no-digest
> >>> connect-fail-limit=10 weight=1 originserver round-robin
> >>> cache_peer_access 192.168.1.1 deny limited
> >>> cache_peer_access 192.168.1.1 allow all_requests
> >>> cache_peer_access 192.168.1.1
Re: [squid-users] Advice on Cache Peer ACLs
On 8/30/19 2:41 PM, sq...@buglecreek.com wrote:
> All requests will always start with www.example.com/ or
> origin-www.example.com/

If that is true, why check domain names at all? When you write an ACL
that checks for X, it is reasonable to assume that X may not happen. My
evaluation of your rules made that assumption.

> Are you saying I should have the following for .4 and .5 instead of what I'm
> currently using?
>
> cache_peer 192.168.1.5 parent 80 0 no-query no-digest connect-fail-limit=10
> weight=1 originserver round-robin
> cache_peer_access 192.168.1.5 allow limited
> cache_peer_access 192.168.1.5 allow all_requests
> cache_peer_access 192.168.1.5 deny all

No, the above does not match what you want to achieve AFAICT. If domain
names matter, then you should have something like this:

> cache_peer_access 192.168.1.5 allow limited all_requests
> cache_peer_access 192.168.1.5 deny all

Needless to say, the name "all_requests" is very misleading, pointing to
the same inconsistency/problem we are discussing. I will use "myDomains"
below but you may find a better name based on your business logic.

The "limited" name also looks like a poor choice because all ACLs
(except "all") limit matching. I will use mapOneOrTwo below instead.

If you fix the names, the rules become simpler/readable. For example:

cache_peer_access 192.168.1.1 deny mapOneOrTwo
cache_peer_access 192.168.1.1 allow myDomains
cache_peer_access 192.168.1.1 deny all

...

cache_peer_access 192.168.1.5 allow mapOneOrTwo myDomains
cache_peer_access 192.168.1.5 deny all

You can achieve even better clarity if you use negation, but I usually
recommend against negating ACLs:

cache_peer_access 192.168.1.1 allow !mapOneOrTwo myDomains
cache_peer_access 192.168.1.1 deny all

...

cache_peer_access 192.168.1.5 allow mapOneOrTwo myDomains
cache_peer_access 192.168.1.5 deny all

Finally, if domain names do _not_ matter, then you will just have:

cache_peer_access 192.168.1.1 deny mapOneOrTwo
cache_peer_access 192.168.1.1 allow all

...

cache_peer_access 192.168.1.5 allow mapOneOrTwo
cache_peer_access 192.168.1.5 deny all

HTH,

Alex.

P.S. If possible, mapOneOrTwo should be replaced with something more
meaningful according to your business logic.

> On Fri, Aug 30, 2019, at 11:41 AM, Alex Rousskov wrote:
>> On 8/30/19 11:44 AM, cred...@eml.cc wrote:
>>> We use several squid servers in accelerator mode for load balancing to send
>>> public requests to backend servers. The squids don't do any caching, they
>>> just forward requests to the backend.
>>>
>>> We have cache_peer directives to send the incoming requests to the backend
>>> Apache servers. What I need to do is send requests to a certain page to a
>>> specific backend server and all others to the other backends. The site
>>> has many pages, subpages etc.
>>>
>>> What I want to do is if someone requests:
>>> https://www.example.com/anything/anything/script.php or
>>> https://origin-www.example.com/anything/anything/etc/etc/script.php
>>>
>>> Send the request to only .1, .2, .3.
>>>
>>> If someone requests:
>>> https://www.example.com/anything/tst/map2/script.php or
>>> https://origin-www.example.com/anything/anything/tst/map1/etc/script.php
>>>
>>> Send that request only to .4 and .5.
>>>
>>> It seems to work most of the time, but tailing the access logs on the
>>> servers I sometimes see one of the requests for ../tst/map2/... or map1
>>> show up on .1, .2, or .3.
>>
>> Do Squid access logs have the corresponding records as well? What cache
>> peer selection algorithm does Squid record for those misdirected
>> transactions?
>>
>>> Is there something I'm missing?
>>
>> Could Squid go direct to one of those origin servers (e.g., when all
>> eligible cache peers were down)?
>>
>> BTW, please note that your cache_peer_access rules look inconsistent:
>> Your cache_peer_access .1-3 rules require certain domain names but .4-5
>> rules do not. This does not explain the discrepancy you are describing
>> above, but you may want to adjust your rules for consistency's sake
>> (either to ignore dstdomain completely or to require correct domains for
>> all cache peers).
>>
>> HTH,
>>
>> Alex.
>>
>>> acl all_requests dstdomain -n www.example.com origin-www.example.com
>>> acl limited url_regex -i /tst/map1|/tst/map2
>>>
>>> cache_peer 192.168.1.1 parent 80 0 no-query no-digest connect-fail-limit=10
>>> weight=1 originserver round-robin
>>> cache_peer_access 192.168.1.1 deny limited
>>> cache_peer_access 192.168.1.1 allow all_requests
>>> cache_peer_access 192.168.1.1 deny all
>>>
>>> cache_peer 192.168.1.2 parent 80 0 no-query no-digest connect-fail-limit=10
>>> weight=1 originserver round-robin
>>> cache_peer_access 192.168.1.2 deny limited
>>> cache_peer_access 192.168.1.2 allow all_requests
>>> cache_peer_access 192.168.1.2 deny all
>>>
>>> cache_peer 192.168.1.3 parent 80 0 no-query no-digest connect-fail-limit=10
>>> weight=1
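A small model of the first-match evaluation that Alex's rules rely on, added here as an example (Python written for this page, not Squid code). It parses cache_peer_access lines and reports which peers a request may be sent to, so the two rule sets in the thread can be compared on sample URLs without a running Squid. The ACL definitions are the thread's own; PROPOSED_RULES is the "allow limited / allow all_requests" ordering the poster asked about and CORRECTED_RULES is Alex's AND-ed version. The semantics modelled (rules checked top to bottom, a rule fires only when every ACL on it matches, the first firing rule decides, no match yields the opposite of the last rule) are Squid's documented ACL semantics; the regex and exact-hostname checks are simplified stand-ins for url_regex and dstdomain and are assumptions of this example.

```python
"""Model of Squid's first-match evaluation of cache_peer_access rules.

Added example, not Squid code. It lets the two rule sets from the thread be
compared on sample URLs. Assumptions: url_regex is a plain re.search over the
whole URL and dstdomain is an exact hostname comparison.
"""
import re
from urllib.parse import urlsplit

# ACLs from the thread, plus the clearer aliases Alex suggested.
ACLS = {
    "all": lambda url: True,
    "all_requests": lambda url: urlsplit(url).hostname in ("www.example.com", "origin-www.example.com"),
    "limited": lambda url: re.search(r"/tst/map1|/tst/map2", url, re.I) is not None,
}
ACLS["myDomains"] = ACLS["all_requests"]
ACLS["mapOneOrTwo"] = ACLS["limited"]

# The ordering the poster asked about for .4/.5, next to the original .1 rules.
PROPOSED_RULES = """
cache_peer_access 192.168.1.1 deny limited
cache_peer_access 192.168.1.1 allow all_requests
cache_peer_access 192.168.1.1 deny all
cache_peer_access 192.168.1.5 allow limited
cache_peer_access 192.168.1.5 allow all_requests
cache_peer_access 192.168.1.5 deny all
"""

# Alex's version: one AND-ed allow line for .5, renamed ACLs.
CORRECTED_RULES = """
cache_peer_access 192.168.1.1 deny mapOneOrTwo
cache_peer_access 192.168.1.1 allow myDomains
cache_peer_access 192.168.1.1 deny all
cache_peer_access 192.168.1.5 allow mapOneOrTwo myDomains
cache_peer_access 192.168.1.5 deny all
"""


def parse_rules(conf):
    """Group cache_peer_access lines as {peer: [(action, [acl, ...]), ...]}."""
    rules = {}
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "cache_peer_access":
            continue
        _, peer, action, *acls = parts
        rules.setdefault(peer, []).append((action, acls))
    return rules


def acl_matches(name, url):
    """Evaluate one ACL reference, honouring Squid's '!' negation."""
    negated = name.startswith("!")
    return ACLS[name.lstrip("!")](url) != negated


def peer_allowed(rule_list, url):
    """First-match: a rule fires only if every ACL listed on it matches."""
    for action, acls in rule_list:
        if all(acl_matches(a, url) for a in acls):
            return action == "allow"
    # Nothing matched: Squid applies the opposite of the last rule's action.
    return rule_list[-1][0] != "allow"


def eligible_peers(conf, url):
    """Peers whose cache_peer_access rules allow this request."""
    rules = parse_rules(conf)
    return sorted(peer for peer, rl in rules.items() if peer_allowed(rl, url))


if __name__ == "__main__":
    for url in ("https://www.example.com/hello/test/etc",
                "https://origin-www.example.com/a/tst/map1/etc/script.php",
                "https://evil.example.net/tst/map1/x"):
        print(url)
        print("  proposed :", eligible_peers(PROPOSED_RULES, url))
        print("  corrected:", eligible_peers(CORRECTED_RULES, url))
```

Running it shows the two effects the thread is about: under PROPOSED_RULES an ordinary page such as /hello/test/etc is eligible for both .1 and .5 (the second allow line matches everything in the domain), and a /tst/map1 request with a foreign Host header is still sent to .5 because the "limited" line never looks at the domain. Under CORRECTED_RULES each request is eligible for exactly one group, and the foreign-Host request matches no peer at all, which in accelerator mode is the behaviour you want.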
Re: [squid-users] Advice on Cache Peer ACLs
Thank you for the reply. It appears that I had an IP address typo in one of the
cache_peer lines that allowed the requests with /tst/map1 or map2 to slip by.
It appears to be working. I think you confirmed what I'm trying to do should
work.

One question about your last statement concerning inconsistent domain names.
All requests will always start with www.example.com/ or
origin-www.example.com/, even the ones that I'm trying to send to specific
backends using the "limited" acl.

Are you saying I should have the following for .4 and .5 instead of what I'm
currently using?

cache_peer 192.168.1.5 parent 80 0 no-query no-digest connect-fail-limit=10
weight=1 originserver round-robin
cache_peer_access 192.168.1.5 allow limited
cache_peer_access 192.168.1.5 allow all_requests
cache_peer_access 192.168.1.5 deny all

I was trying to limit the requests to .4 and .5 to only those that contained
/tst/map1 or map2. I thought if I included the "allow all_requests" line in .4
and .5 it would send requests that also did not include /tst/map2 or map2. For
example "origin-www.example.com/hello/test/etc" could possibly be sent to .4
and .5 as well.

How do I ensure that www.example.com/tst/map1/ and map2 only go to .4 and .5
while still correctly being consistent with the domain as you suggested?

Thanks.

On Fri, Aug 30, 2019, at 11:41 AM, Alex Rousskov wrote:
> On 8/30/19 11:44 AM, cred...@eml.cc wrote:
> > We use several squid servers in accelerator mode for load balancing to send
> > public requests to backend servers. The squids don't do any caching, they
> > just forward requests to the backend.
> >
> > We have cache_peer directives to send the incoming requests to the backend
> > Apache servers. What I need to do is send requests to a certain page to a
> > specific backend server and all others to the other backends. The site
> > has many pages, subpages etc.
> >
> > What I want to do is if someone requests:
> > https://www.example.com/anything/anything/script.php or
> > https://origin-www.example.com/anything/anything/etc/etc/script.php
> >
> > Send the request to only .1, .2, .3.
> >
> > If someone requests:
> > https://www.example.com/anything/tst/map2/script.php or
> > https://origin-www.example.com/anything/anything/tst/map1/etc/script.php
> >
> > Send that request only to .4 and .5.
> >
> > It seems to work most of the time, but tailing the access logs on the
> > servers I sometimes see one of the requests for ../tst/map2/... or map1
> > show up on .1, .2, or .3.
>
> Do Squid access logs have the corresponding records as well? What cache
> peer selection algorithm does Squid record for those misdirected
> transactions?
>
> > Is there something I'm missing?
>
> Could Squid go direct to one of those origin servers (e.g., when all
> eligible cache peers were down)?
>
> BTW, please note that your cache_peer_access rules look inconsistent:
> Your cache_peer_access .1-3 rules require certain domain names but .4-5
> rules do not. This does not explain the discrepancy you are describing
> above, but you may want to adjust your rules for consistency's sake
> (either to ignore dstdomain completely or to require correct domains for
> all cache peers).
>
> HTH,
>
> Alex.
>
> > acl all_requests dstdomain -n www.example.com origin-www.example.com
> > acl limited url_regex -i /tst/map1|/tst/map2
> >
> > cache_peer 192.168.1.1 parent 80 0 no-query no-digest connect-fail-limit=10
> > weight=1 originserver round-robin
> > cache_peer_access 192.168.1.1 deny limited
> > cache_peer_access 192.168.1.1 allow all_requests
> > cache_peer_access 192.168.1.1 deny all
> >
> > cache_peer 192.168.1.2 parent 80 0 no-query no-digest connect-fail-limit=10
> > weight=1 originserver round-robin
> > cache_peer_access 192.168.1.2 deny limited
> > cache_peer_access 192.168.1.2 allow all_requests
> > cache_peer_access 192.168.1.2 deny all
> >
> > cache_peer 192.168.1.3 parent 80 0 no-query no-digest connect-fail-limit=10
> > weight=1 originserver round-robin
> > cache_peer_access 192.168.1.3 deny limited
> > cache_peer_access 192.168.1.3 allow all_requests
> > cache_peer_access 192.168.1.3 deny all
> >
> > cache_peer 192.168.1.4 parent 80 0 no-query no-digest connect-fail-limit=10
> > weight=1 originserver round-robin
> > cache_peer_access 192.168.1.4 allow limited
> > cache_peer_access 192.168.1.4 deny all
> >
> > cache_peer 192.168.1.5 parent 80 0 no-query no-digest connect-fail-limit=10
> > weight=1 originserver round-robin
> > cache_peer_access 192.168.1.5 allow limited
> > cache_peer_access 192.168.1.5 deny all

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Advice on Cache Peer ACLs
On 8/30/19 11:44 AM, cred...@eml.cc wrote:
> We use several squid servers in accelerator mode for load balancing to send
> public requests to backend servers. The squids don't do any caching, they
> just forward requests to the backend.
>
> We have cache_peer directives to send the incoming requests to the backend
> Apache servers. What I need to do is send requests to a certain page to a
> specific backend server and all others to the other backends. The site has
> many pages, subpages etc.
>
> What I want to do is if someone requests:
> https://www.example.com/anything/anything/script.php or
> https://origin-www.example.com/anything/anything/etc/etc/script.php
>
> Send the request to only .1, .2, .3.
>
> If someone requests:
> https://www.example.com/anything/tst/map2/script.php or
> https://origin-www.example.com/anything/anything/tst/map1/etc/script.php
>
> Send that request only to .4 and .5.
>
> It seems to work most of the time, but tailing the access logs on the servers
> I sometimes see one of the requests for ../tst/map2/... or map1 show up on
> .1, .2, or .3.

Do Squid access logs have the corresponding records as well? What cache
peer selection algorithm does Squid record for those misdirected
transactions?

> Is there something I'm missing?

Could Squid go direct to one of those origin servers (e.g., when all
eligible cache peers were down)?

BTW, please note that your cache_peer_access rules look inconsistent:
Your cache_peer_access .1-3 rules require certain domain names but .4-5
rules do not. This does not explain the discrepancy you are describing
above, but you may want to adjust your rules for consistency's sake
(either to ignore dstdomain completely or to require correct domains for
all cache peers).

HTH,

Alex.

> acl all_requests dstdomain -n www.example.com origin-www.example.com
> acl limited url_regex -i /tst/map1|/tst/map2
>
> cache_peer 192.168.1.1 parent 80 0 no-query no-digest connect-fail-limit=10
> weight=1 originserver round-robin
> cache_peer_access 192.168.1.1 deny limited
> cache_peer_access 192.168.1.1 allow all_requests
> cache_peer_access 192.168.1.1 deny all
>
> cache_peer 192.168.1.2 parent 80 0 no-query no-digest connect-fail-limit=10
> weight=1 originserver round-robin
> cache_peer_access 192.168.1.2 deny limited
> cache_peer_access 192.168.1.2 allow all_requests
> cache_peer_access 192.168.1.2 deny all
>
> cache_peer 192.168.1.3 parent 80 0 no-query no-digest connect-fail-limit=10
> weight=1 originserver round-robin
> cache_peer_access 192.168.1.3 deny limited
> cache_peer_access 192.168.1.3 allow all_requests
> cache_peer_access 192.168.1.3 deny all
>
> cache_peer 192.168.1.4 parent 80 0 no-query no-digest connect-fail-limit=10
> weight=1 originserver round-robin
> cache_peer_access 192.168.1.4 allow limited
> cache_peer_access 192.168.1.4 deny all
>
> cache_peer 192.168.1.5 parent 80 0 no-query no-digest connect-fail-limit=10
> weight=1 originserver round-robin
> cache_peer_access 192.168.1.5 allow limited
> cache_peer_access 192.168.1.5 deny all
[squid-users] Advice on Cache Peer ACLs
We use several squid servers in accelerator mode for load balancing to send
public requests to backend servers. The squids don't do any caching, they
just forward requests to the backend.

We have cache_peer directives to send the incoming requests to the backend
Apache servers. What I need to do is send requests to a certain page to a
specific backend server and all others to the other backends. The site has
many pages, subpages etc.

What I want to do is if someone requests:
https://www.example.com/anything/anything/script.php or
https://origin-www.example.com/anything/anything/etc/etc/script.php

Send the request to only .1, .2, .3.

If someone requests:
https://www.example.com/anything/tst/map2/script.php or
https://origin-www.example.com/anything/anything/tst/map1/etc/script.php

Send that request only to .4 and .5.

It seems to work most of the time, but tailing the access logs on the servers
I sometimes see one of the requests for ../tst/map2/... or map1 show up on
.1, .2, or .3.

Is there something I'm missing? Here is what I have so far.

acl all_requests dstdomain -n www.example.com origin-www.example.com
acl limited url_regex -i /tst/map1|/tst/map2

cache_peer 192.168.1.1 parent 80 0 no-query no-digest connect-fail-limit=10
weight=1 originserver round-robin
cache_peer_access 192.168.1.1 deny limited
cache_peer_access 192.168.1.1 allow all_requests
cache_peer_access 192.168.1.1 deny all

cache_peer 192.168.1.2 parent 80 0 no-query no-digest connect-fail-limit=10
weight=1 originserver round-robin
cache_peer_access 192.168.1.2 deny limited
cache_peer_access 192.168.1.2 allow all_requests
cache_peer_access 192.168.1.2 deny all

cache_peer 192.168.1.3 parent 80 0 no-query no-digest connect-fail-limit=10
weight=1 originserver round-robin
cache_peer_access 192.168.1.3 deny limited
cache_peer_access 192.168.1.3 allow all_requests
cache_peer_access 192.168.1.3 deny all

cache_peer 192.168.1.4 parent 80 0 no-query no-digest connect-fail-limit=10
weight=1 originserver round-robin
cache_peer_access 192.168.1.4 allow limited
cache_peer_access 192.168.1.4 deny all

cache_peer 192.168.1.5 parent 80 0 no-query no-digest connect-fail-limit=10
weight=1 originserver round-robin
cache_peer_access 192.168.1.5 allow limited
cache_peer_access 192.168.1.5 deny all
Re: [squid-users] Advice - Squid Proxy
> So, Squid is installed on an Ubuntu VM, which runs on your laptop?

Correct

> So, the phone is either - direct connection via mobile Internet access, or
> via Squid and your home Internet connection - no way for the phone to use the
> Internet connection without going via Squid?

Yeah - however I use bitdefender on top of squid. Once the phone detects and
connects to my laptop it then uses the proxy server

> Configured it in Squid, so users have to authenticate there to get access?

Yeah - I have an ACL running in Squid

> So, where do any other devices (phone, TV, the three VMs) get their IP
> addresses from? They must have them, otherwise they couldn't communicate
> with Squid... What do these devices have as a gateway address?

I use dhcp allocated from ubuntu; the gateway address that's broadcast is my
Ubuntu address.

I'm writing this and thinking I've gone a bit Orwellian. Still I think I've
covered the bases. I was toying with the idea of running Asterisk off my
laptop too, but I figured I'd start with this project.

-Original Message-
From: squid-users On Behalf Of Antony Stone
Sent: 19 December 2018 16:17
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Advice - Squid Proxy

On Wednesday 19 December 2018 at 16:04:36, Squid users wrote:

> Hi,
>
> Re network diagram - Mish Mash / blended / spaghetti I think :p
>
> Squid is installed on the Ubuntu virtual machine. Sorry forgot to draw
> that on.

So, Squid is installed on an Ubuntu VM, which runs on your laptop?

> The phone connects to mobile internet when out of the house, then
> reverts back to going via squid proxy when my laptop wifi is turned
> on. The phone detects my laptop and connects accordingly. The phone
> reconfigures to go via proxy when it connects to my laptop.

So, the phone is either - direct connection via mobile Internet access, or
via Squid and your home Internet connection - no way for the phone to use the
Internet connection without going via Squid?

> As for the TV - yeah my laptop needs to be in the house for that to work.

Okay.

> Internet Use - I'm happy to record websites called by 'user' so for
> example: Tv=user1
> Phone=user2
> Laptop user=user3
> Then each family member with their own user id /password.
> I've configured this bit already

Configured it in Squid, so users have to authenticate there to get access?

> I have set my home internet router to only allocate my laptop mac a
> DHCP address

So, where do any other devices (phone, TV, the three VMs) get their IP
addresses from? They must have them, otherwise they couldn't communicate
with Squid... What do these devices have as a gateway address?

> I'll draw a better diagram later today.

Okay.

> I may have gone a bit overboard with the control and monitoring :s

Yes, maybe :)

Antony.

--
Software development can be quick, high quality, or low cost.
The customer gets to pick any two out of three.

Please reply to the list; please *don't* CC me.
Re: [squid-users] Advice - Squid Proxy
On Wednesday 19 December 2018 at 16:04:36, Squid users wrote:

> Hi,
>
> Re network diagram - Mish Mash / blended / spaghetti I think :p
>
> Squid is installed on the Ubuntu virtual machine. Sorry forgot to draw that
> on.

So, Squid is installed on an Ubuntu VM, which runs on your laptop?

> The phone connects to mobile internet when out of the house, then reverts
> back to going via squid proxy when my laptop wifi is turned on. The phone
> detects my laptop and connects accordingly. The phone reconfigures to go
> via proxy when it connects to my laptop.

So, the phone is either - direct connection via mobile Internet access, or
via Squid and your home Internet connection - no way for the phone to use the
Internet connection without going via Squid?

> As for the TV - yeah my laptop needs to be in the house for that to work.

Okay.

> Internet Use - I'm happy to record websites called by 'user' so for
> example: Tv=user1
> Phone=user2
> Laptop user=user3
> Then each family member with their own user id /password.
> I've configured this bit already

Configured it in Squid, so users have to authenticate there to get access?

> I have set my home internet router to only allocate my laptop mac a DHCP
> address

So, where do any other devices (phone, TV, the three VMs) get their IP
addresses from? They must have them, otherwise they couldn't communicate
with Squid... What do these devices have as a gateway address?

> I'll draw a better diagram later today.

Okay.

> I may have gone a bit overboard with the control and monitoring :s

Yes, maybe :)

Antony.

--
Software development can be quick, high quality, or low cost.
The customer gets to pick any two out of three.

Please reply to the list; please *don't* CC me.
Re: [squid-users] Advice - Squid Proxy
Hi,

Re network diagram - Mish Mash / blended / spaghetti I think :p

Squid is installed on the Ubuntu virtual machine. Sorry forgot to draw that on.

The phone connects to mobile internet when out of the house, then reverts back
to going via squid proxy when my laptop wifi is turned on. The phone detects my
laptop and connects accordingly. The phone reconfigures to go via proxy when it
connects to my laptop.

As for the TV - yeah my laptop needs to be in the house for that to work.

Internet Use - I'm happy to record websites called by 'user' so for example:
Tv=user1
Phone=user2
Laptop user=user3
Then each family member with their own user id /password.
I've configured this bit already

I have set my home internet router to only allocate my laptop mac a DHCP
address

I'll draw a better diagram later today.

I may have gone a bit overboard with the control and monitoring :s

Thanks

-Original Message-
From: squid-users On Behalf Of Antony Stone
Sent: 19 December 2018 13:19
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Advice - Squid Proxy

On Wednesday 19 December 2018 at 13:22:57, Squid users wrote:

> The attached configuration is currently in use on my computer.

It isn't a network diagram; I'm not quite sure what to describe it as, but I
don't even see where Squid is on there.

> My aim is to use my laptop while I'm out and about (libraries, work
> etc) and when I'm at home have my TV and Phone connect into the proxy server.
> This would allow caching by any device to my laptop so I'm minimising
> my connections outbound.

So, Squid runs on your laptop? What are the phone and TV supposed to do when
the laptop isn't there?

> I also want it to record use by other people so I can monitor my
> internet use at home.

Define "use". What level of detail do you want to record?

> As you can see I run bitdefender parental control on my computer.
> Would it be possible for someone to manipulate the proxy server to bypass
> this?
> Could the proxy server be used to hide / obscure actual sites visited?

Show us a rather more conventional network diagram, which shows how packets
get to & from the Internet, and what filters / firewalls are in place between
different bits of equipment, and we might be able to answer this.

Antony.

--
"Can you keep a secret?"
"Well, I shouldn't really tell you this, but... no."

Please reply to the list; please *don't* CC me.
Re: [squid-users] Advice - Squid Proxy
On Wednesday 19 December 2018 at 13:22:57, Squid users wrote:

> The attached configuration is currently in use on my computer.

It isn't a network diagram; I'm not quite sure what to describe it as, but I
don't even see where Squid is on there.

> My aim is to use my laptop while I'm out and about (libraries, work etc)
> and when I'm at home have my TV and Phone connect into the proxy server.
> This would allow caching by any device to my laptop so I'm minimising my
> connections outbound.

So, Squid runs on your laptop? What are the phone and TV supposed to do when
the laptop isn't there?

> I also want it to record use by other people so I can monitor my internet
> use at home.

Define "use". What level of detail do you want to record?

> As you can see I run bitdefender parental control on my computer. Would it
> be possible for someone to manipulate the proxy server to bypass this?
> Could the proxy server be used to hide / obscure actual sites visited?

Show us a rather more conventional network diagram, which shows how packets
get to & from the Internet, and what filters / firewalls are in place between
different bits of equipment, and we might be able to answer this.

Antony.

--
"Can you keep a secret?"
"Well, I shouldn't really tell you this, but... no."

Please reply to the list; please *don't* CC me.
[squid-users] Advice - Squid Proxy
The attached configuration is currently in use on my computer.

My aim is to use my laptop while I'm out and about (libraries, work etc) and
when I'm at home have my TV and Phone connect into the proxy server. This would
allow caching by any device to my laptop so I'm minimising my connections
outbound.

I also want it to record use by other people so I can monitor my internet use
at home.

As you can see I run bitdefender parental control on my computer. Would it be
possible for someone to manipulate the proxy server to bypass this? Could the
proxy server be used to hide / obscure actual sites visited?

Can anyone point out any flaws or issues.

Thanks
Re: [squid-users] Advice: ntlm_auth from samba4 or negotiate_wrapper ?
On 16/07/2013 5:02 a.m., Michele Bergonzoni wrote:
> I would like to hear your advice about kerberos auth configuration on a new installation. This will be an installation with two redundant Linux based servers, clients will be mostly windows joined to active directory, with AD users logged in. The main focus of the installation is authentication and per-group or per-user policy. I would like to keep user experience as simple as possible, avoiding authentication dialogs whenever possible. Basic authentication with cleartext credentials should be avoided in this installation. ntlm fallback is OK.

The popups you are trying to avoid are a browser feature. It is 100% up to the client to use the password manager and/or operating system settings which prevent it being needed. Nothing you do with Squid will prevent it if they have their settings tuned to require it. Squid simply requires credentials to be delivered by the browser; single-sign-on works just as silently and easily (from a UX perspective) with Basic auth as with NTLM. The only reason to avoid Basic is its low security level, and NTLM has security holes that make it almost equally low.

> I see that for windows AD authentication, kerberos and negotiate seem to be the modern choice. My confusion begins where the squid wiki says:
> Authentication helpers which perform the grunt work:
> - ntlm_auth from Samba 4 with the --helper-protocol=gss-spnego parameter
> - negotiate_wrapper or squid_kerb_auth by Markus Moeller
> I did a few tests with ntlm_auth from samba4, and it seems to work, with some residual problems with firefox and PCs not joined in the domain, and an extra authentication popup at the beginning from IE. I didn't get to the point of having a working negotiate_wrapper / squid_kerb_auth config, being still confused about hostnames, principals, redundancy, failover, ntlm fallback with winbindd.
> So before I dig into the details of what I'm seeing, I am wondering if maybe one of the two alternatives has become a de facto standard over the other, and so I should study and test it alone, or if they are both actively deployed, and so I should study and test both to see what fits me better.

LM is a security protocol with lots of different mechanisms added over the years. The last two mechanisms were added in the 1990s and were labeled NTLMv1 and NTLMv2, and the whole system has collectively become known as NTLM due to marketing abstractions. Kerberos is a newer mechanism designed a lot more like SSL with client certificates and is a lot more secure in several ways. It is also designed to work a lot more efficiently by having the client pre-assigned a keytab/certificate/token and avoid the horrible setup handshakes NTLM does in order to send the client a token. It also uses the Negotiate auth mechanism in HTTP instead of the NTLM one - but both Kerberos and NTLM can be transmitted over the Negotiate mechanism and the Squid tool negotiate_wrapper is used to identify which one the client is using.

If you have a choice pick Negotiate/Kerberos. But there is still software out there that only supports NTLM so that will determine whether or not you can do entirely without it. Some such as IE will try to use Negotiate/NTLM which requires the negotiate_wrapper helper to be used by Squid.

The Squid helper tools:

* The negotiate_wrapper tool provided by Squid supports splitting Negotiate auth traffic between a pair of NTLM-only and Kerberos-only helpers. It does not do any auth itself but maintains the stateful session links between client and sub-helper.

* The ntlm_auth / ntlm_smb_lm_auth provided by Squid only does old LM mechanisms, and NTLMv1 would work because it allowed automatic down-grade of the security level to one of those broken (8-bit security!) mechanisms. We prefer people *not* use these anymore since the old mechanisms are highly dangerous nowadays and can literally be broken in real-time.

* The ntlm_auth tool provided by Samba supports proper NTLMv1, NTLMv2 and maybe Kerberos. It also seems to prefer upgrading clients to using NTLMv2 security extensions when possible. The Samba developers have a focus on MS software systems and interoperating with them, so their tool is preferred by most for use with ActiveDirectory, and will often have the best compatibility with newer MS changes to AD.

* The negotiate_kerberos_auth helper provided by Squid only supports Kerberos. It seems to be best for dealing with Kerberos authentication in non-AD systems as it is built using the same public libraries for Kerberos that such systems are themselves usually built against (almost guaranteed compatibility).

Hope this clarifies everything for you.

Amos
Re: [squid-users] Advice: ntlm_auth from samba4 or negotiate_wrapper ?
Hi.

On 15.07.2013 23:02, Michele Bergonzoni wrote:
> I did a few tests with ntlm_auth from samba4, and it seems to work, with some residual problems with firefox and PCs not joined in the domain, and an extra authentication popup at the beginning from IE. I didn't get to the point of having a working negotiate_wrapper / squid_kerb_auth config, being still confused about hostnames, principals, redundancy, failover, ntlm fallback with winbindd.

Actually, you should implement all the schemes - NTLM/SPNEGO/Basic - for some obvious reasons:
- in a corporate environment there will definitely be machines which switch from Negotiate to NTLM, so you have to handle both
- you can leave only NTLM (and Basic), but this becomes more and more outdated
- there will be tons of software that can perform only basic authentication, like various IMs and third-party software
- there will be some software that claims it's capable of NTLM but in fact will have only basic
- so far I'm using PAM to handle Basic auth and to reroute it back to winbind
- squid has a bunch of great helpers that work with AD, and the coolest and most modern one is the external kerberos group helper, which supports nested groups (thanks, Markus!)

I don't have digest auth in my environment, and for the past 13 years I haven't seen why I should.

Eugene.
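Putting Amos's description of the helpers together with Eugene's advice to offer every scheme, the following squid.conf fragment is an added example (not configuration from either poster, nor from the Squid wiki). It chains Negotiate through negotiate_wrapper so Kerberos and NTLM tokens each reach the right sub-helper, falls back to plain NTLM for clients that cannot do Negotiate, leaves Basic as the last resort via PAM, and authorizes by AD group with the Kerberos/LDAP group helper Eugene mentions. The helper paths, the EXAMPLE domain, the realm and the group name are assumptions.

```conf
# Added example, not from the posters or the Squid wiki. Helper paths,
# domain, realm and group name are assumptions; adjust to your build.

# 1. Negotiate. The wrapper does no authentication itself: it looks at the
#    SPNEGO token and passes it to the Kerberos helper or to Samba's
#    ntlm_auth, keeping the per-connection state in between.
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=EXAMPLE --kerberos /usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME
auth_param negotiate children 20

# 2. NTLM for clients that never offer Negotiate. Samba's ntlm_auth
#    validates against AD and prefers NTLMv2 where the client supports it.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=EXAMPLE
auth_param ntlm children 20

# 3. Basic, last resort for software that can do nothing else. PAM hands
#    the check to winbind. The password crosses the wire in the clear,
#    so keep these clients on a link you trust.
auth_param basic program /usr/lib/squid/basic_pam_auth
auth_param basic children 5
auth_param basic realm Proxy
auth_param basic credentialsttl 2 hours

# Authorization: membership (nested groups included) in one AD group,
# looked up by the authenticated login name.
external_acl_type ad_group ttl=300 negative_ttl=60 %LOGIN /usr/lib/squid/ext_kerberos_ldap_group_acl -g InternetUsers@EXAMPLE.COM

acl authenticated proxy_auth REQUIRED
acl internet_users external ad_group

# Challenge first, then check the group; everything else is refused.
http_access deny !authenticated
http_access allow internet_users
http_access deny all
```

Squid offers the schemes to the client in the order the auth_param lines appear, so Negotiate is tried first and Basic only when nothing else is accepted. The deny !authenticated line is what triggers the 407 challenge; putting the group check after it means a valid AD account that is not in the group is refused rather than re-challenged.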
Re: [squid-users] Advice: ntlm_auth from samba4 or negotiate_wrapper ?
My sincere thanks to Amos for his deep insight and to Eugene for his practical advice. This was of great help to me, and I think will help future googlers as well.

Amos says:
> The popups you are trying to avoid are a browser feature. It is 100% up to the client to use the password manager and/or operating system settings which prevent it being needed.

You're right of course. Having no control over PC settings, I will try to find the combination of offered mechanisms that gives the best result with the existing set of PCs and OSs.

> NTLMv1 would work because it allowed automatic down-grade of the security level to one of those broken (8-bit security!) mechanisms

Argghh... I didn't realize it was so broken.

> Hope this clarifies everything for you.

Yes, thank you a lot. I see it's not an obvious choice and I want to meditate some more; for now it seems that samba4 ntlm_auth + [some helper for authorization] could be my choice. I will try to keep basic auth clients in some kind of ghetto and never worry about digest auth. I will share here my final and tested configuration.

Thanks again,
Bergonz
--
Ing. Michele Bergonzoni - Laboratori Guglielmo Marconi S.p.a. Phone: +39-051-6781926 e-mail: berg...@labs.it alt.advanced.networks.design.configure.operate
[squid-users] Advice: ntlm_auth from samba4 or negotiate_wrapper ?
I would like to hear your advice about kerberos auth configuration on a new installation. This will be an installation with two redundant Linux based servers, clients will be mostly windows joined to active directory, with AD users logged in. The main focus of the installation is authentication and per-group or per-user policy. I would like to keep user experience as simple as possible, avoiding authentication dialogs whenever possible. Basic authentication with cleartext credentials should be avoided in this installation. ntlm fallback is OK.

I see that for windows AD authentication, kerberos and negotiate seem to be the modern choice. My confusion begins where the squid wiki says:

Authentication helpers which perform the grunt work:
- ntlm_auth from Samba 4 with the --helper-protocol=gss-spnego parameter
- negotiate_wrapper or squid_kerb_auth by Markus Moeller

I did a few tests with ntlm_auth from samba4, and it seems to work, with some residual problems with firefox and PCs not joined in the domain, and an extra authentication popup at the beginning from IE. I didn't get to the point of having a working negotiate_wrapper / squid_kerb_auth config, being still confused about hostnames, principals, redundancy, failover, ntlm fallback with winbindd.

So before I dig into the details of what I'm seeing, I am wondering if maybe one of the two alternatives has become a de facto standard over the other, and so I should study and test it alone, or if they are both actively deployed, and so I should study and test both to see what fits me better. I will very much appreciate your suggestions and experiences.

Regards,
Bergonz
--
Ing. Michele Bergonzoni - Laboratori Guglielmo Marconi S.p.a. Phone: +39-051-6781926 e-mail: berg...@labs.it alt.advanced.networks.design.configure.operate
[squid-users] Advice regarding Squid Vs regular Apache
Hey, Using Squid for some time now (reverse) to speed up my web page for my clients. While I simply purge my HTML files to make Squid come back and take 'em, can't I just rsync them over to a local apache, instead of Squid? That way I will even save the first request (all the files will simply be there), save all the over-head and IMS requests and everything. I would simply copy my files over upon every update and save them in the local file system. I don't even need mod_cache or anything. Other than maybe serving cached objects off memory and enabling cache_peers for faster replies, why would I need Squid? I'm just trying to find the best solution for my site, which isn't that difficult cache-wise. Would like to hear advice from anyone :) Thanks, V'
Re: [squid-users] Advice regarding Squid Vs regular Apache
2010/5/16 Reverse Squid reversesq...@gmail.com:
> Hey, Using Squid for some time now (reverse) to speed up my web page for my clients. While I simply purge my HTML files to make Squid come back and take 'em, can't I just rsync them over to a local apache, instead of Squid? That way I will even save the first request (all the files will simply be there), save all the over-head and IMS requests and everything. I would simply copy my files over upon every update and save them in the local file system. I don't even need mod_cache or anything. Other than maybe serving cached objects off memory and enabling cache_peers for faster replies, why would I need Squid?

Once I maintained 200+ Squid boxes for reverse proxies. No squid, but copying files one by one to that number of physical servers? That's a horrible job. Also Squid answers most objects from its memory, which is faster than from disk as Apache does. If your squid box is far away from the original server, then using a suitable cache_peer cluster is worth a try.
--
Tech support agency in China http://duxieweb.com/
Re: [squid-users] Advice regarding Squid Vs regular Apache
2010/5/16 Reverse Squid reversesq...@gmail.com:
> Perhaps I will get better caching results simply with an apache. That way there is no IMS, no overhead. That's it. What do you think?

Hi, A simple case: for each squid box I maintained, the concurrent connections could be around 3. But for Apache you can't get that number of connections at the same time. For small objects Squid is faster and more effective than Apache. But for large files like videos you may consider other solutions, for example lighttpd for serving them.
--
Tech support agency in China http://duxieweb.com/
Re: [squid-users] Advice regarding Squid Vs regular Apache
Reverse Squid wrote:
> Thanks Jeff. With that many Squid servers it will become more of a headache than anything else. But what about with 4 servers? in different locations around the globe, so cache_peer is not an option (high latency).

Latency is much the same, whether sync'ing four global web servers or sync'ing four global caches. When you think about it, the web server is merely a file cache with a different storage format than Squid. Then again, Squid only fetches objects as needed. So a file can be altered twice in a day and never be fetched between. Compared to it being rsync'ed twice without being used.

> As I said, Squid has a huge advantage due to its ability to cache in memory, but other than that?

Well, it's a fairly nasty headache to create a CDN using apache and mod_proxy.

> Perhaps I will get better caching results simply with an apache. That way there is no IMS, no overhead. That's it.

IMS only happens when objects are thought to be stale. So short-lived objects are the biggest drag and getting them to all points of the network on time is always a big problem whether by rsync or not.

Amos
--
Please be using Current Stable Squid 2.7.STABLE9 or 3.1.3
[squid-users] Advice/help needed with setting up a SquidNT accelerator
Looking for some help with a system setup. It's a remote location, with limited resources, and the only type of connection is by satellite. Here are the specifications:

- Two satellites - Two 4 MB / 512. Contention rates of 10:1
- Dual WAN router - Draytek
- Gateway server - looking to have a reverse proxy, with traffic flow control software. Limited resources, so I have to use SquidNT.

I do have software available which I intend to use to make it transparent to users. What I would like to do is be able to cache multiple websites and have them accelerated after first-time view. Looking for examples on how to config SquidNT or the appropriate steps in setting up such a server. If need be, I can run multiple instances of squid to achieve this, kind of hoping that the conf file can address multiple websites. If someone has a copy of something similar to this, I would greatly appreciate it.

Server specs:
- Windows Server 2003
- 2.8 GHz processor - Intel Pentium 4, 800 FSB
- 4 GB RAM - DDR 400
- 1 TB storage - hot-swap and RAID configured
- Two ethernet ports - 10/100 and 10/100/1000

The purpose: To provide Internet access better than what the locals are providing to approximately 100 military members for a reasonable price.
Re: [squid-users] Advice/help needed with setting up a SquidNT accelerator
Zach Albrecht wrote:
> Looking for some help with a system setup Its a remote location, with limited resources and the only type of connection is by satellite respectively. Here's the specifications: Two satellites - Two 4 MB / 512. Contention Rates of 10:1 Dual wan router - Draytek Gateway server - looking to have a reverse proxy, with traffic flow control software. limited resources so I have to use SquidNT. I do have software available which I intend to use to make it transparent to users.

Anything currently being sourced as SquidNT is either an extremely obsolete version or one of the known untrustworthy fakes floating around. Please ensure you have a current and correct official Squid package for Windows. These are presently available only from Acme Consulting (http://squid.acmeconsulting.it/)

As for being transparent, that's one natural outcome of a properly operating reverse-proxy. No other special software needed.

> What I would like to do is be able to cache multiple websites and have them accelerated after first time view. Looking for examples on how to config SquidNT or the appropriate steps in setting up such a server. If need be, i can run multiple instances of squid to achieve this, kind of hoping that the conf file can address multiple websites. If someone has a copy of something similar to this, I would greatly appreciate it.

Any of the current Squid can handle any number of websites easily. With the official Squid builds the release notes have some details about their requirements on Windows and the Wiki documentation is all relevant. http://wiki.squidcache.org/ConfigExamples (Reverse proxy section).

> Server Specs: Windows Server 2003 2.8 GHz Processor - Intel Pentium 4 800 FSB 4 GB RAM - DDR 400 1 TB storage - Hotswap and Raid configured

:( hope it's very fast hardware RAID and not software. http://wiki.squid-cache.org/SquidFaq/RAID

> Two ethernet ports. - 10/100 and 10/100/1000 The Purpose: To provide Internet Access better than what the locals are providing to approximately 100 Military Members for a reasonable price.

Amos
--
Please be using Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15 Current Beta Squid 3.1.0.8 or 3.0.STABLE16-RC1
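For the "can one conf file address multiple websites" question, here is an added example of a reverse-proxy squid.conf (not from Amos, the Squid wiki or any SquidNT package) that accelerates two origin sites from one Squid and refuses everything else, so the box never turns into an open forward proxy on the satellite link. The site names, origin addresses, Windows cache path and sizes are assumptions.

```conf
# Added example, not from the thread or the Squid wiki. Site names,
# origin addresses, the cache path and sizes are assumptions.

# Accept client requests on port 80; vhost routes by the Host header,
# defaultsite is used when a request arrives without one.
http_port 80 accel vhost defaultsite=www.site-a.example

# One originserver peer per web site. no-query: origins speak no ICP.
cache_peer 10.0.0.11 parent 80 0 no-query originserver name=siteA
cache_peer 10.0.0.12 parent 80 0 no-query originserver name=siteB

# Which Host names belong to which origin.
acl siteA_hosts dstdomain www.site-a.example site-a.example
acl siteB_hosts dstdomain www.site-b.example

# Send each peer only the sites it serves; the deny all closes the gap.
cache_peer_access siteA allow siteA_hosts
cache_peer_access siteA deny all
cache_peer_access siteB allow siteB_hosts
cache_peer_access siteB deny all

# Serve only the accelerated sites. Any other Host (someone pointing a
# browser at this box as a proxy) is refused instead of forwarded.
http_access allow siteA_hosts
http_access allow siteB_hosts
http_access deny all

# Never bypass the peers and fetch directly from the Internet.
never_direct allow all

# Keep repeat views off the satellite: disk plus memory cache.
cache_dir ufs c:/squid/var/cache 20000 16 256
cache_mem 512 MB
maximum_object_size 50 MB
```

Adding a third site is two lines (a cache_peer and an acl) plus the matching cache_peer_access and http_access rules; the final deny all in each list is what keeps a forgotten rule from silently widening what the proxy will forward.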
[squid-users] advice
Hi all, a few weeks ago I got the task of setting up squid for my company. I had a network of 94 employees to set this up for ... I never heard of squid before to be honest, so after researching a bit.. I decided to setup Squid on centos server with wccp /cisco router 2811 though that didn't work out as my cisco ios had a bug that prevented using wccp with it.. so I went at setting up two squid servers as our network's gateway with heartbeat failover solution.. with cisco 2811 in the background facing the internet. though that caused a problem for employees connecting through cisco vpn client, as they had to change their browser settings manually each time. I admit I went at this the wrong way.. as I mentioned I never heard of squid before so instead of reading about it I plunged straight into it.. so now it's time to learn about squid the right way as I had lots of help setting it up from this mailing list.. so not to add more to my email, I'm seeking advice about the proper way to learn about squid from A to Z if possible... any advice would be appreciated thanks in advance, Roland
RE: [squid-users] Advice on private keys and SSL
That is exactly what I needed to know. Thank you very much!

-----Original Message-----
From: Henrik Nordstrom
Sent: Saturday, April 15, 2006 1:11 PM
To: Discussion Lists
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Advice on private keys and SSL

On Sat 2006-04-15 at 10:07 -0700, Discussion Lists wrote:
> Obviously I would want different certificates for different domains. BUT would I want to have a different key for each certificate?

Let's put it this way: Normally you have one key per certificate, and also generate a new key each time the certificate is renewed, and there is no reason not to.

I know of only a single situation where one would consider using the same key for multiple certificates and it's if using an RSA accelerator which can not handle multiple keys. But given the fact that even entry level RSA accelerator chips for SSL don't have any practical restrictions on the number of RSA keys I doubt you will run into such a situation..

Similarly I know of only one situation where one would like to keep the same key on a certificate renewal and it's if the key is somehow recorded into restricted hardware and not easy to change.

So while it is true that technically you can use the same key for all certificates if you want to, generally it's best to use unique keys per certificate.

Regards
Henrik
[squid-users] Advice on private keys and SSL
All, Suppose I am using V3 Squid, and I have multiple SSL directives to reverse-proxy multiple domains. I am sorta new to the whole SSL certificate process so forgive the uninformed question here. Obviously I would want different certificates for different domains. BUT would I want to have a different key for each certificate? In other words is it better to use a single key to obtain certificates from, or have multiple keys, one for each certificate? I would assume choice B is the answer, but I just wanted to be sure. TIA!
Re: [squid-users] Advice on private keys and SSL
On Sat 2006-04-15 at 10:07 -0700, Discussion Lists wrote:
> Obviously I would want different certificates for different domains. BUT would I want to have a different key for each certificate?

Let's put it this way: Normally you have one key per certificate, and also generate a new key each time the certificate is renewed, and there is no reason not to.

I know of only a single situation where one would consider using the same key for multiple certificates and it's if using an RSA accelerator which can not handle multiple keys. But given the fact that even entry level RSA accelerator chips for SSL don't have any practical restrictions on the number of RSA keys I doubt you will run into such a situation..

Similarly I know of only one situation where one would like to keep the same key on a certificate renewal and it's if the key is somehow recorded into restricted hardware and not easy to change.

So while it is true that technically you can use the same key for all certificates if you want to, generally it's best to use unique keys per certificate.

Regards
Henrik
Re: [squid-users] Advice on performance
On 02.06 21:31, squid squid wrote:
> Thank you for the advice. All the servers are also running apache as web and BIND as dns service. # of them on RedHat Linux and has 2GB RAM. The other on Solaris 8 and has 256MB RAM.

that's a very big difference. Is the fourth server fast enough to run it at all? (could have at least more memory)

> I will have the changes for items such as cache_mem, etc made asap. However pls advise how do I configure them as neighbours??? I am also using them for proxy purposes and no disk caching. Regards.

- turn on ICP:

icp_port 3130

- on each squid set up cache_peer for all other caches:

cache_peer first-another-cache sibling 3128 3130 proxy-only
cache_peer second-another-cache sibling 3128 3130 proxy-only
cache_peer third-another-cache sibling 3128 3130 proxy-only

(I hope they are connected with a fast link)
--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Chernobyl was a Windows 95 beta test site.
Re: [squid-users] Advice on performance
On 01.06 19:09, squid squid wrote:
> The general info and squid.conf for my 4 squid servers as follows:

useless.

> Pls advise how is their performance and any tuning needed in order to have better performance.
> Squid.conf (identical for all servers)
> # NETWORK OPTIONS
> http_port 3128
> icp_port 0

why did you turn off ICP? Turn it on and configure all caches as neighbours to each other. You will spare much network bandwidth.

> # OPTIONS WHICH AFFECT THE CACHE SIZE
> cache_mem 10 MB

unless you are low on memory, increase this. If you are low on memory, get more memory and increase this after.

> maximum_object_size 1024 KB

too low, I cache objects up to 32 MB. However that is highly dependent on cache size.

> maximum_object_size_in_memory 1024 KB

too high, I have 128KB to have more objects with smaller sizes in memory

> # LOGFILE PATHNAMES CACHE DIRECTORIES
> # Setting for null storage to avoid having a cache directory
> cache_dir null /export/home/log/squid/null

in such case, I understand why you have damn low efficiency. Your cache is 4 x 10 MB of ram and they are not even shared (via neighbour proxies). get some disks

> # OPTIONS FOR TUNING THE CACHE
> request_header_max_size 5 KB

low. the default is 20KB for now

> negative_ttl 5 minutes
> positive_dns_ttl 30 minutes
> negative_dns_ttl 1 minutes

use internal DNS and that will make these useless. (DNS system has its own timeouts configured by admins of remote sites that are probably better than your values)

> # HTTPD-ACCELERATOR OPTIONS
> # For Squid to run as transparent proxy
> httpd_accel_uses_host_header on

do you use it as cache for outgoing requests or as HTTP accelerator? in both cases bigger cache_mem is useful (and configuring all proxies as neighbours too), in the first case big disks are important (some disk cache may help you even when using squids as accelerators).

> # MISCELLANEOUS
> memory_pools off

remove this (default is on)
--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
How does cat play with mouse? cat /dev/mouse
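Combining both of Matus's replies, here is an added example (not his or the poster's configuration) of the fragment each of the four caches would carry to become an ICP sibling of the other three while also keeping a real cache. Hostnames, addresses, paths and sizes are assumptions; on each box, leave out the cache_peer line that names the box itself.

```conf
# Added example, not from the thread. Hostnames, addresses, paths and
# sizes are assumptions. Install on every cache, minus its own peer line.

http_port 3128
icp_port 3130

# The other caches as siblings: ask them over ICP before going to the
# origin. cache_peer needs the peer type (sibling), the HTTP port and
# the ICP port. proxy-only: a hit fetched from a sibling is served but
# not stored again here, so the four caches do not fill with copies.
cache_peer cache1.example.net sibling 3128 3130 proxy-only
cache_peer cache2.example.net sibling 3128 3130 proxy-only
cache_peer cache3.example.net sibling 3128 3130 proxy-only

# Only the siblings may query this cache over ICP and fetch its hits.
# An ICP port open to the world answers anyone who asks what is cached.
acl siblings src 10.0.0.1 10.0.0.2 10.0.0.3 10.0.0.4
acl localnet src 192.168.0.0/16
icp_access allow siblings
icp_access deny all
http_access allow siblings
http_access allow localnet
http_access deny all

# Give the cache somewhere to live. With cache_dir null nothing survives
# beyond the 10 MB of cache_mem, which is why the hit ratio was 0%.
cache_dir ufs /var/spool/squid 8000 16 256
cache_mem 256 MB
maximum_object_size 32 MB
maximum_object_size_in_memory 128 KB

# request_header_max_size already defaults to 20 KB, and memory_pools
# already defaults to on, so neither needs a line here.
```

After restarting with this, "squidclient mgr:info" should show non-zero "Number of ICP messages received" and "sent" on every box, and the Request Hit Ratios should climb once the disk cache has warmed; if ICP counters stay at 0, check that the icp_access list and any firewall between the caches allow UDP 3130.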
Re: [squid-users] Advice on performance
Hi,

Thank you for the advice. All the servers are also running apache as web and BIND as dns service. # of them on RedHat Linux and has 2GB RAM. The other on Solaris 8 and has 256MB RAM. I will have the changes for items such as cache_mem, etc. made asap. However pls advise how do I configure them as neighbours??? I am also using them for proxy purposes and no disk caching.

Regards.

> From: Matus UHLAR - fantomas [EMAIL PROTECTED]
> To: squid-users@squid-cache.org
> Subject: Re: [squid-users] Advice on performance
> Date: Thu, 2 Jun 2005 10:47:26 +0200
>
> On 01.06 19:09, squid squid wrote:
> > The general info and squid.conf for my 4 squid servers as follows:
>
> useless.
>
> > Pls advise how is their performance and any tuning needed in order to have better performance.
> > Squid.conf (identical for all servers)
> > # NETWORK OPTIONS
> > http_port 3128
> > icp_port 0
>
> why did you turn off ICP? Turn it on and configure all caches as neighbours to each other. You will spare much network bandwidth.
>
> > # OPTIONS WHICH AFFECT THE CACHE SIZE
> > cache_mem 10 MB
>
> unless you are low on memory, increase this. If you are low on memory, get more memory and increase this after.
>
> > maximum_object_size 1024 KB
>
> too low, I cache objects up to 32 MB. However that is highly dependent on cache size.
>
> > maximum_object_size_in_memory 1024 KB
>
> too high, I have 128KB to have more objects with smaller sizes in memory
>
> > # LOGFILE PATHNAMES CACHE DIRECTORIES
> > # Setting for null storage to avoid having a cache directory
> > cache_dir null /export/home/log/squid/null
>
> in such case, I understand why you have damn low efficiency. Your cache is 4 x 10 MB of ram and they are not even shared (via neighbour proxies). get some disks
>
> > # OPTIONS FOR TUNING THE CACHE
> > request_header_max_size 5 KB
>
> low. the default is 20KB for now
>
> > negative_ttl 5 minutes
> > positive_dns_ttl 30 minutes
> > negative_dns_ttl 1 minutes
>
> use internal DNS and that will make these useless. (DNS system has its own timeouts configured by admins of remote sites that are probably better than your values)
>
> > # HTTPD-ACCELERATOR OPTIONS
> > # For Squid to run as transparent proxy
> > httpd_accel_uses_host_header on
>
> do you use it as cache for outgoing requests or as HTTP accelerator? in both cases bigger cache_mem is useful (and configuring all proxies as neighbours too), in the first case big disks are important (some disk cache may help you even when using squids as accelerators).
>
> > # MISCELLANEOUS
> > memory_pools off
>
> remove this (default is on)
> --
> Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> How does cat play with mouse? cat /dev/mouse
[squid-users] Advice on performance
The general info and conf of my 4 squid servers as follow: Kindly advise any tuning required for the servers to have better performance. Thank you. [EMAIL PROTECTED] bin]# ./squidclient mgr:info HTTP/1.0 200 OK Server: squid/2.5.STABLE10 Mime-Version: 1.0 Date: Wed, 01 Jun 2005 10:35:05 GMT Content-Type: text/plain Expires: Wed, 01 Jun 2005 10:35:05 GMT Last-Modified: Wed, 01 Jun 2005 10:35:05 GMT X-Cache: MISS from squidsvr1.inet Proxy-Connection: close Squid Object Cache: Version 2.5.STABLE10 Start Time: Tue, 31 May 2005 16:00:42 GMT Current Time: Wed, 01 Jun 2005 10:35:05 GMT Connection information for squid: Number of clients accessing cache: 0 Number of HTTP requests received: 1124902 Number of ICP messages received:0 Number of ICP messages sent:0 Number of queued ICP replies: 0 Request failure ratio: 0.00 Average HTTP requests per minute since start: 1009.4 Average ICP messages per minute since start:0.0 Select loop called: 11453706 times, 5.838 ms avg Cache information for squid: Request Hit Ratios: 5min: 0.0%, 60min: 0.0% Byte Hit Ratios:5min: 0.8%, 60min: 0.5% Request Memory Hit Ratios: 5min: 0.0%, 60min: 0.0% Request Disk Hit Ratios:5min: 0.0%, 60min: 0.0% Storage Swap size: 0 KB Storage Mem size: 4 KB Mean Object Size: 0.00 KB Requests given to unlinkd: 0 Median Service Times (seconds) 5 min60 min: HTTP Requests (All): 0.02592 0.02742 Cache Misses: 0.02592 0.02899 Cache Hits:0.0 0.0 Near Hits: 0.0 0.0 Not-Modified Replies: 0.0 0.0 DNS Lookups: 0.00094 0.00190 ICP Queries: 0.0 0.0 Resource usage for squid: UP Time:66862.278 seconds CPU Time: 2567.370 seconds CPU Usage: 3.84% CPU Usage, 5 minute avg:0.76% CPU Usage, 60 minute avg: 2.23% Process Data Segment Size via sbrk(): 29949 KB Maximum Resident Size: 0 KB Page faults with physical i/o: 330 Memory usage for squid via mallinfo(): Total space in arena: 29949 KB Ordinary blocks:10648 KB 5588 blks Small blocks: 0 KB 0 blks Holding blocks: 1572 KB 1 blks Free Small blocks: 0 KB Free Ordinary blocks: 19300 
KB Total in use: 12220 KB 39% Total free: 19300 KB 61% Total size: 31521 KB Memory accounted for: Total accounted: 7140 KB memPoolAlloc calls: 131246012 memPoolFree calls: 131205714 File descriptor usage for squid: Maximum number of file descriptors: 8192 Largest file desc currently in use:122 Number of file desc currently in use: 41 Files queued for open: 0 Available number of file descriptors: 8151 Reserved number of file descriptors: 100 Store Disk files open: 0 Internal Data Structures: 3 StoreEntries 3 StoreEntries with MemObjects 0 Hot Object Cache Items 0 on-disk objects [EMAIL PROTECTED] == ./squidclient mgr:info HTTP/1.0 200 OK Server: squid/2.5.STABLE10 Mime-Version: 1.0 Date: Wed, 01 Jun 2005 10:37:12 GMT Content-Type: text/plain Expires: Wed, 01 Jun 2005 10:37:12 GMT Last-Modified: Wed, 01 Jun 2005 10:37:12 GMT X-Cache: MISS from squidsvr2.inet Proxy-Connection: close Squid Object Cache: Version 2.5.STABLE10 Start Time: Tue, 31 May 2005 20:20:14 GMT Current Time: Wed, 01 Jun 2005 10:37:12 GMT Connection information for squid: Number of clients accessing cache: 0 Number of HTTP requests received: 3172930 Number of ICP messages received:0 Number of ICP messages sent:0 Number of queued ICP replies: 0 Request failure ratio: 0.00 Average HTTP requests per minute since start: 3702.5 Average ICP messages per minute since start:0.0 Select loop called: 2748567 times, 18.707 ms avg Cache information for squid: Request Hit Ratios: 5min: 0.0%, 60min: 0.0% Byte Hit Ratios:5min: 0.3%, 60min: 0.2% Request Memory Hit Ratios: 5min: 0.0%, 60min: 0.0% Request Disk Hit Ratios:5min: 0.0%, 60min: 0.0% Storage Swap size: 0 KB Storage Mem size: 88 KB Mean Object Size: 0.00 KB Requests given to unlinkd: 0 Median Service Times (seconds) 5 min60 min: HTTP Requests (All): 0.03066 0.03427 Cache Misses: 0.03066 0.03427 Cache Hits:0.0 0.0 Near Hits: 0.0 0.0 Not-Modified Replies: 0.0 0.0 DNS
[squid-users] Advice on performance
The general info and squid.conf for my 4 squid servers as follows: Pls advise how is their performance and any tuning needed in order to have better performance. Thank you. [EMAIL PROTECTED] bin]# ./squidclient mgr:info HTTP/1.0 200 OK Server: squid/2.5.STABLE10 Mime-Version: 1.0 Date: Wed, 01 Jun 2005 10:35:05 GMT Content-Type: text/plain Expires: Wed, 01 Jun 2005 10:35:05 GMT Last-Modified: Wed, 01 Jun 2005 10:35:05 GMT X-Cache: MISS from squidsvr1.inet Proxy-Connection: close Squid Object Cache: Version 2.5.STABLE10 Start Time: Tue, 31 May 2005 16:00:42 GMT Current Time: Wed, 01 Jun 2005 10:35:05 GMT Connection information for squid: Number of clients accessing cache: 0 Number of HTTP requests received: 1124902 Number of ICP messages received:0 Number of ICP messages sent:0 Number of queued ICP replies: 0 Request failure ratio: 0.00 Average HTTP requests per minute since start: 1009.4 Average ICP messages per minute since start:0.0 Select loop called: 11453706 times, 5.838 ms avg Cache information for squid: Request Hit Ratios: 5min: 0.0%, 60min: 0.0% Byte Hit Ratios:5min: 0.8%, 60min: 0.5% Request Memory Hit Ratios: 5min: 0.0%, 60min: 0.0% Request Disk Hit Ratios:5min: 0.0%, 60min: 0.0% Storage Swap size: 0 KB Storage Mem size: 4 KB Mean Object Size: 0.00 KB Requests given to unlinkd: 0 Median Service Times (seconds) 5 min60 min: HTTP Requests (All): 0.02592 0.02742 Cache Misses: 0.02592 0.02899 Cache Hits:0.0 0.0 Near Hits: 0.0 0.0 Not-Modified Replies: 0.0 0.0 DNS Lookups: 0.00094 0.00190 ICP Queries: 0.0 0.0 Resource usage for squid: UP Time:66862.278 seconds CPU Time: 2567.370 seconds CPU Usage: 3.84% CPU Usage, 5 minute avg:0.76% CPU Usage, 60 minute avg: 2.23% Process Data Segment Size via sbrk(): 29949 KB Maximum Resident Size: 0 KB Page faults with physical i/o: 330 Memory usage for squid via mallinfo(): Total space in arena: 29949 KB Ordinary blocks:10648 KB 5588 blks Small blocks: 0 KB 0 blks Holding blocks: 1572 KB 1 blks Free Small blocks: 0 KB Free 
Ordinary blocks: 19300 KB Total in use: 12220 KB 39% Total free: 19300 KB 61% Total size: 31521 KB Memory accounted for: Total accounted: 7140 KB memPoolAlloc calls: 131246012 memPoolFree calls: 131205714 File descriptor usage for squid: Maximum number of file descriptors: 8192 Largest file desc currently in use:122 Number of file desc currently in use: 41 Files queued for open: 0 Available number of file descriptors: 8151 Reserved number of file descriptors: 100 Store Disk files open: 0 Internal Data Structures: 3 StoreEntries 3 StoreEntries with MemObjects 0 Hot Object Cache Items 0 on-disk objects [EMAIL PROTECTED] == ./squidclient mgr:info HTTP/1.0 200 OK Server: squid/2.5.STABLE10 Mime-Version: 1.0 Date: Wed, 01 Jun 2005 10:37:12 GMT Content-Type: text/plain Expires: Wed, 01 Jun 2005 10:37:12 GMT Last-Modified: Wed, 01 Jun 2005 10:37:12 GMT X-Cache: MISS from squidsvr2.inet Proxy-Connection: close Squid Object Cache: Version 2.5.STABLE10 Start Time: Tue, 31 May 2005 20:20:14 GMT Current Time: Wed, 01 Jun 2005 10:37:12 GMT Connection information for squid: Number of clients accessing cache: 0 Number of HTTP requests received: 3172930 Number of ICP messages received:0 Number of ICP messages sent:0 Number of queued ICP replies: 0 Request failure ratio: 0.00 Average HTTP requests per minute since start: 3702.5 Average ICP messages per minute since start:0.0 Select loop called: 2748567 times, 18.707 ms avg Cache information for squid: Request Hit Ratios: 5min: 0.0%, 60min: 0.0% Byte Hit Ratios:5min: 0.3%, 60min: 0.2% Request Memory Hit Ratios: 5min: 0.0%, 60min: 0.0% Request Disk Hit Ratios:5min: 0.0%, 60min: 0.0% Storage Swap size: 0 KB Storage Mem size: 88 KB Mean Object Size: 0.00 KB Requests given to unlinkd: 0 Median Service Times (seconds) 5 min60 min: HTTP Requests (All): 0.03066 0.03427 Cache Misses: 0.03066 0.03427 Cache Hits:0.0 0.0 Near Hits: 0.0 0.0 Not-Modified Replies:
Re: [squid-users] advice for proxy architecture
Thanks for this advice. I had thought that it was better to have dedicated proxies (internal for authentication and intranet access, external for internet access) to distribute functions and cache capacities. But I am going to consider your opinion.

However, if I only use internal proxies, is there any risk (such as hijacking) in having some direct communication from my LAN server to the Internet? Security is for me (as for everyone) a big constraint in our context.

On 14.01 11:49, [EMAIL PROTECTED] wrote:
> > Here is my squid architecture: I am using Squid Version 2.5.STABLE7 and Samba 3.0.9 on Red Hat ES3.0. I've got two internal proxies on which the NTLM authentication of the users is performed. They are configured to forward requests to some remote proxies (in other sites of the company), or to two redundant external proxies used for internet access.
> >
> > I am studying how to optimise my proxy architecture, and am looking for advice. Based on your own experience, is it better to keep architecture 1:
> >
> > Client -- internal proxies -- FW -- External proxies -- Internet
> >
> > or architecture 2:
> >
> > Client -- internal proxies -- FW -- Internet
>
> the second one is easier and you won't get any benefit of the external proxy.
>
> > Do you find some particular advantages to having additional external proxies (in terms of performance, security, ..)
>
> no.
>
> > or do you think that having only two internal proxies for all traffic (remote site, internet traffic) is sufficient and not risky?
>
> yes.
>
> --
> Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> Christian Science Programming: Let God Debug It!
Re: [squid-users] advice for proxy architecture
On 14.01 11:49, [EMAIL PROTECTED] wrote:
> Here is my squid architecture: I am using Squid Version 2.5.STABLE7 and Samba 3.0.9 on Red Hat ES3.0. I've got two internal proxies on which the NTLM authentication of the users is performed. They are configured to forward requests to some remote proxies (in other sites of the company), or to two redundant external proxies used for internet access.
>
> I am studying how to optimise my proxy architecture, and am looking for advice. Based on your own experience, is it better to keep architecture 1:
>
> Client -- internal proxies -- FW -- External proxies -- Internet
>
> or architecture 2:
>
> Client -- internal proxies -- FW -- Internet

the second one is easier and you won't get any benefit of the external proxy.

> Do you find some particular advantages to having additional external proxies (in terms of performance, security, ..)

no.

> or do you think that having only two internal proxies for all traffic (remote site, internet traffic) is sufficient and not risky?

yes.

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Christian Science Programming: Let God Debug It!
[squid-users] advice for proxy architecture
Hello to all,

Here is my squid architecture: I am using Squid Version 2.5.STABLE7 and Samba 3.0.9 on Red Hat ES3.0. I've got two internal proxies on which the NTLM authentication of the users is performed. They are configured to forward requests to some remote proxies (in other sites of the company), or to two redundant external proxies used for internet access.

I am studying how to optimise my proxy architecture, and am looking for advice. Based on your own experience, is it better to keep architecture 1:

Client -- internal proxies -- FW -- External proxies -- Internet

or architecture 2:

Client -- internal proxies -- FW -- Internet

Do you find some particular advantages to having additional external proxies (in terms of performance, security, ..) or do you think that having only two internal proxies for all traffic (remote site, internet traffic) is sufficient and not risky?

Thanks in advance for your help.

Lionel
RE: [squid-users] advice for proxy architecture
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, January 14, 2005 1:50 AM
To: squid-users@squid-cache.org
Subject: [squid-users] advice for proxy architecture

Hello to all,

Here is my squid architecture: I am using Squid Version 2.5.STABLE7 and Samba 3.0.9 on Red Hat ES3.0. I've got two internal proxies on which the NTLM authentication of the users is performed. They are configured to forward requests to some remote proxies (in other sites of the company), or to two redundant external proxies used for internet access.

I am studying how to optimise my proxy architecture, and am looking for advice. Based on your own experience, is it better to keep architecture 1:

Client -- internal proxies -- FW -- External proxies -- Internet

or architecture 2:

Client -- internal proxies -- FW -- Internet

Do you find some particular advantages to having additional external proxies (in terms of performance, security, ..) or do you think that having only two internal proxies for all traffic (remote site, internet traffic) is sufficient and not risky?

Thanks in advance for your help.

Lionel

---

From my experience, parent proxies give diminishing returns. The customer-premise proxies are achieving ~50% hit rates (both byte and request), but the central parent proxies struggle to achieve 15% hit and almost never rise above 5% byte. OTOH, the central servers would not be hurt (and would likely be greatly helped) by increasing their cache space. YMMV.

As for security, the more boxes you have, the more targets you have for attack, and dependent on your firewall setup, putting boxes outside the firewall just makes them more vulnerable.

Without knowing the exact details of your situation, I would advise keeping it simple (go with architecture 2).

Chris
[squid-users] Advice on squidGuard
Hello all,

I know this is a mailing list for squid, but as squidGuard is a plugin for squid I am soliciting advice.

Details: Running squid 2.5 stable6 on Fedora Core 1, in a chroot jail.

Question: Should I install squidGuard on the jail volume, or will it work with squid installed off of the jailed volume?

--
Today is: Friday, July twenty-second, two thousand and four. Phrase of the day: cómo está usted --- how are you

This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the email by you is prohibited.

Rick G. Kilgore
State of Colorado Department of Revenue
IT/CSTARS (DDP/CCR/RWOC)
E-Mail: [EMAIL PROTECTED]
Phone: (303) 205-5659
Fax: (303) 205-5715
[squid-users] advice 2 proxies for load sharing
Hi,

I managed to configure 2 squid boxes running on RH8 with WCCP in conjunction with a Cisco router. Can somebody please tell me the configuration for how I can make both proxies check if a page is in the other one's cache before downloading it again, i.e. some sort of cache peering between them?

Regards
Chris
Re: [squid-users] advice 2 proxies for load sharing
Chris Debono wrote:
> Hi
>
> I managed to configure 2 squid boxes running on RH8 with WCCP in conjunction with a Cisco router. Can somebody please tell me the configuration for how I can make both proxies check if a page is in the other one's cache before downloading it again, i.e. some sort of cache peering between them?

Check the cache_peer directive in squid.conf.default. Read all the comments completely.

M.

> Regards
> Chris

--
'Time is a consequence of Matter thus General Relativity is a direct consequence of QM (M.E. Mar 2002)
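The sibling arrangement the answer points at, written out as an added example (not configuration from the thread or from squid.conf.default): each box declares the other as an ICP sibling, asks it before fetching from the origin, and accepts ICP queries and the follow-up HTTP fetch only from that one peer. The addresses 192.168.1.2 / 192.168.1.3, the ports and the ACL names are constructed.

```conf
# ---- squid.conf on proxy A (192.168.1.2) ----
icp_port 3130

# Ask B via ICP (port 3130) and fetch hits from it over HTTP (port 3128).
# proxy-only: do not keep a second copy of objects B already holds.
cache_peer 192.168.1.3 sibling 3128 3130 proxy-only

# Only the sibling may send ICP queries or fetch hits from us; refuse everyone else.
acl sibling_b src 192.168.1.3
icp_access allow sibling_b
icp_access deny all
http_access allow sibling_b

# Do not query the sibling for dynamic content that is never a hit anyway.
acl QUERY urlpath_regex cgi-bin \?
cache_peer_access 192.168.1.3 deny QUERY
hierarchy_stoplist cgi-bin ?

# ---- squid.conf on proxy B (192.168.1.3): the mirror image ----
icp_port 3130
cache_peer 192.168.1.2 sibling 3128 3130 proxy-only
acl sibling_a src 192.168.1.2
icp_access allow sibling_a
icp_access deny all
http_access allow sibling_a
acl QUERY urlpath_regex cgi-bin \?
cache_peer_access 192.168.1.2 deny QUERY
hierarchy_stoplist cgi-bin ?
```

The `http_access allow sibling_*` line must come before any rule that would deny the peer's address, otherwise the ICP HIT is reported but the follow-up fetch is refused and the request falls back to the origin.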