Re: Proxy-only squid setup (was: Re: Redirecting squid requests

From: WWW server manager <webadm@dont-contact.us>
Date: Thu, 6 Nov 1997 10:04:54 +0000 (GMT)

I had a look at setting up proxy-only Squid a while ago, but can't claim great
experience. Most of my comments below are simply from thinking about the
suggestions.

Stewart Forster wrote:
>
> > cache_mem 0
> > # good idea/bad idea? cache_mem always puzzles me
>
> BAD idea. You need cache_mem to at least temporarily store the incoming
> object into before it gets tossed away anyway. Set cache_mem to say 32M.

Unless you're using NOVM... But either way, when I looked briefly at doing
this a while back, I observed that even if Squid was told to cache nothing
and its cache_swap was set to zero, it still wrote the objects into cache
files before immediately discarding them. I thought that using normal Squid
rather than NOVM would mean they just went straight through memory without
the I/O overhead, but that didn't seem to be the case.

> > cache_swap 0
> > # nothing to cache nothing to swap?
>
> Probably also bad. Set it to 32M also. Squid likes to think it has
> stuff to swap into, even if it actually won't need it. You might like to look
> at pointing your swap dir at a tmpfs mounted directory.

Empirically, all objects will be written out anyway, but then deleted, so
the nominal size is zero but in reality space will be used...

tmpfs seems like a bad idea since

(a) the cache/log file will be written there as well and that can grow to
hundreds of megabytes quite quickly (though if nothing is being cached, it's
a waste of space...), and

(b) squid needs a valid cache hierarchy into which to save objects, even
when it is nominally just proxying; if you use tmpfs, the cache directory
structure would need to be rebuilt every time the system was rebooted.

(c) If tmpfs equates to /tmp, beware the security issues relating to
directories writable by anyone and where, in consequence, anyone can try and
sabotage you e.g. by creating symlinks pointing to embarrassing places. Less
of a problem if it's on a dedicated system and/or the software using /tmp
sets things up before the users get a chance to log on. Also, assuming as in
Solaris 2 that tmpfs is simply some or all of swap space, you could have a
conflict between other activities on the system using swap and making tmpfs
dynamically too small, or conversely the cache (e.g. the cache/log file, but
also the substantial number of directories in the cache structure) eating
into the available swap space...

                                John Line

-- 
University of Cambridge WWW manager account (usually John Line)
Send general WWW-related enquiries to webmaster@ucs.cam.ac.uk
Received on Thu Nov 06 1997 - 02:18:21 MST
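
The check that point (c) of the message calls for, as an added example that is not part of the original message and not Squid code: before a daemon is pointed at a cache directory under /tmp or a tmpfs mount, confirm that nobody else could have planted or replaced it. The function name and the sample paths are assumptions made for illustration.

```python
import os
import stat
import tempfile


def audit_cache_dir(path, expected_uid):
    """Return the reasons `path` is unsafe to use as a daemon's cache directory."""
    try:
        st = os.lstat(path)  # lstat, so a planted symlink is seen, not followed
    except FileNotFoundError:
        return [f"{path}: does not exist"]
    if stat.S_ISLNK(st.st_mode):
        return [f"{path}: is a symlink to {os.readlink(path)}"]
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path}: not a directory"]

    problems = []
    if st.st_uid != expected_uid:
        problems.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"{path}: writable by group or others")

    # A world-writable parent is only tolerable with the sticky bit (as on /tmp);
    # without it, any user can rename the cache directory and substitute their own.
    parent = os.path.dirname(os.path.abspath(path))
    pst = os.stat(parent)
    if pst.st_mode & stat.S_IWOTH and not pst.st_mode & stat.S_ISVTX:
        problems.append(f"{parent}: world-writable without sticky bit")

    # Symlinks among the first-level entries would redirect the daemon's writes.
    for entry in os.scandir(path):
        if entry.is_symlink():
            problems.append(f"{entry.path}: symlink inside cache directory")
    return problems


if __name__ == "__main__":
    # Constructed sample: a private directory, then the same one made world-writable.
    base = os.path.realpath(tempfile.mkdtemp())
    cache = os.path.join(base, "cache")
    os.mkdir(cache)
    os.chmod(cache, 0o700)
    print("private:", audit_cache_dir(cache, os.getuid()))
    os.chmod(cache, 0o777)
    print("world-writable:", audit_cache_dir(cache, os.getuid()))
```

An empty list means the directory passed every check; run it as the account the daemon uses, before the daemon starts.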
