Re: [squid-users] squid as HTTP accelerator : Three questions

> Squid starts as root and then becomes another user.
> It shouldn't pose a security risk - the amount of code running as root
> is very, very minimal.
>
>
>
> adrian
>
> On Wed, Feb 06, 2008, kk CHN wrote:
>> Hi People ;
>>
>> Thanks for your reply , thanks to Adrain Chadds tips .
>> I edited the init script & changed the squid user to root , now its
>> working for port 80 ,
>>
>> I would like to clarify the following Three questions
>>
>> Question 1 ) Is there any security issues for running squid as root
>> ?
>>
>>
>>
>> I am setting up my squid as http accelerator , so squid will handle
>> the request first , then handed over it to Apache (which is now Listen
>> on 81) then from Apache to my zope(which is on port :8080)
>>
>>
>> so what I added in squid is
>>
>> http_prot 80 accel vhost
>>
>> cache_peer 127.0.0.1 parent 81 0 originserver default
>> http_access allow from all
>> ##############
>>
>> my apache Listen on 81
>> and the vhost entry for my site is like this
>>
>> NameVirtualHost *:81
>> <VirtualHost *:81>
>> RewriteEngine On
>> RewriteRule ^/(.*)
>> http://127.0.0.1:8080/VirtualHostBase/http/demo.mysite.net:81/mysite/VirtualHostRoot/$1
>> [L,P]
>> ErrorLog /var/log/apache/demo.mysite.net/error_log
>> CustomLog /var/log/apache/demo.mysite.net/access.log combined
>> </VirtualHost>
>>
>>
>> Previously This site was too slow when I use apache infront of zope
>> , so all request is coming to apche then apache Rewrite rule will hand
>> over the request to zope:8080
>>
>> Now in the new setup squid is infront ,
>>
>> question 2 ) how can I check to make sure the squid is handling all
>> the request first , and so its performance as an http accelerator ?

Make sure the domain DNS points at squid machines IP.
As a backup you can check the apache logs to see if any requests are
coming from other places than squid.

>>
>> question 3) I have a number of VirtualHost (name based) entries in my
>> apache , so running the sqid in front on port :80 , did accelerate
>> the speed of my vhost sites ?

Yes, all the ones squid is configured to accept. With one provision. The
files coming from apache have Cache_Control or Expires headers properly.
Without them squid gives less gain than when present.

>>
>> Looking for your valuable comments on this setup ,
>>
>> I am looking for the pros/cons of this setup squid-->apache-->
>> applications
>>
>> Thanks in advance for your valuable feedback as early as possible
>> KK

Thats what we use here. With a small mix of site bypassing Apache entirely
and going straight squid->application where its a domain-level
application.

We've had no problems with the acceleration bit since starting.

Amos
Treehouse Networks Ltd.
www.treenet.co.nz
Received on Wed Feb 06 2008 - 16:30:50 MST