Re: [squid-users] Squid 3 HTTP accelerator not caching content

From: Tom Williams <tomdkat_at_comcast.net>
Date: Thu, 16 Oct 2008 07:56:40 -0700

Amos Jeffries wrote:
> Tom Williams wrote:
>> Amos Jeffries wrote:
>>>> So, I setup my first Squid 3.0STABLE9 proxy in HTTP accelerator mode
>>>> over the weekend. Squid 3 is running on the same machine as the web
>>>> server and here are my HTTP acceleration related config options:
>>>>
>>>> http_port 80 accel vhost
>>>> cache_peer 192.168.1.19 parent 8085 0 no-query originserver login=PASS
>>>>
>>>>
>>>> Here are the cache related options:
>>>>
>>>> cache_mem 64 MB
>>>> maximum_object_size_in_memory 50 KB
>>>> cache_replacement_policy heap LFUDA
>>>> cache_dir aufs /mnt/drive3/squid-cache 500 32 256
>>>>
>>>> As described in this mailing list thread:
>>>>
>>>> http://www2.gr.squid-cache.org/mail-archive/squid-users/199906/0756.html
>>>>
>>>>
>>>> all of the entries in my store.log have RELEASE as the action:
>>>>
>>>> 1223864638.986 RELEASE -1 FFFFFFFF A1FE29E96A44936155BB873BDC882B12 200 1223864638 -1 375007920 text/html 2197/2197 GET http://aaa.bbb.ccc.ddd/locations/
>>>>
>>>> Here is a snippet from the cache.log file:
>>>>
>>>> 2008/10/12 21:23:36| Done reading /mnt/drive3/squid-cache swaplog (0 entries)
>>>> 2008/10/12 21:23:36| Finished rebuilding storage from disk.
>>>> 2008/10/12 21:23:36| 0 Entries scanned
>>>> 2008/10/12 21:23:36| 0 Invalid entries.
>>>> 2008/10/12 21:23:36| 0 With invalid flags.
>>>> 2008/10/12 21:23:36| 0 Objects loaded.
>>>> 2008/10/12 21:23:36| 0 Objects expired.
>>>> 2008/10/12 21:23:36| 0 Objects cancelled.
>>>> 2008/10/12 21:23:36| 0 Duplicate URLs purged.
>>>> 2008/10/12 21:23:36| 0 Swapfile clashes avoided.
>>>> 2008/10/12 21:23:36| Took 0.01 seconds ( 0.00 objects/sec).
>>>> 2008/10/12 21:23:36| Beginning Validation Procedure
>>>> 2008/10/12 21:23:36| Completed Validation Procedure
>>>> 2008/10/12 21:23:36| Validated 25 Entries
>>>> 2008/10/12 21:23:36| store_swap_size = 0
>>>> 2008/10/12 21:23:37| storeLateRelease: released 0 objects
>>>> 2008/10/12 21:24:07| Preparing for shutdown after 2 requests
>>>> 2008/10/12 21:24:07| Waiting 30 seconds for active connections to finish
>>>> 2008/10/12 21:24:07| FD 14 Closing HTTP connection
>>>> 2008/10/12 21:24:38| Shutting down...
>>>> 2008/10/12 21:24:38| FD 15 Closing ICP connection
>>>> 2008/10/12 21:24:38| aioSync: flushing pending I/O operations
>>>> 2008/10/12 21:24:38| aioSync: done
>>>> 2008/10/12 21:24:38| Closing unlinkd pipe on FD 12
>>>> 2008/10/12 21:24:38| storeDirWriteCleanLogs: Starting...
>>>> 2008/10/12 21:24:38| Finished. Wrote 0 entries.
>>>> 2008/10/12 21:24:38| Took 0.00 seconds ( 0.00 entries/sec).
>>>> CPU Usage: 0.041 seconds = 0.031 user + 0.010 sys
>>>> Maximum Resident Size: 0 KB
>>>> Page faults with physical i/o: 0
>>>> Memory usage for squid via mallinfo():
>>>> total space in arena: 3644 KB
>>>> Ordinary blocks: 3511 KB 8 blks
>>>> Small blocks: 0 KB 1 blks
>>>> Holding blocks: 1784 KB 9 blks
>>>> Free Small blocks: 0 KB
>>>> Free Ordinary blocks: 132 KB
>>>> Total in use: 5295 KB 145%
>>>> Total free: 132 KB 4%
>>>> 2008/10/12 21:24:38| aioSync: flushing pending I/O operations
>>>> 2008/10/12 21:24:38| aioSync: done
>>>> 2008/10/12 21:24:38| aioSync: flushing pending I/O operations
>>>> 2008/10/12 21:24:38| aioSync: done
>>>> 2008/10/12 21:24:38| Squid Cache (Version 3.0.STABLE9): Exiting normally.
>>>>
>>>> I'm running on RedHat EL 5. With Squid running, I can access the
>>>> website just fine and pages load without problems or issues. It's
>>>> just nothing is being cached.
>>>>
>>>> This is my first time configuring Squid as a HTTP accelerator so I
>>>> probably missed something when I set it up. Any ideas on what
>>>> might be wrong?
>>>>
>>>> Thanks in advance for your time and assistance! :)
>>>>
>>>>
>>>
>>> Q) Do you have any of the routing access controls (http_access,
>>> never_direct, cache_peer_access, cache_peer_domain) which make squid
>>> pass the accelerated requests back to the web server properly?
>>>
>>
>> I have the default http_access options except I have http_access
>> allow all at the end of them:
>
> Ouch. You have a semi-open proxy.
> If anyone identifies your public IP they can point a domain DNS at
> your IP and have it accelerated. Or even configure port 80 as their
> proxy IP and browse through it. A firewall or NAT layer cannot prevent
> this happening.
>
> You should at the very least be limiting requests to the domains you
> are serving.
>
> I prefer a config like the one listed:
> http://wiki.squid-cache.org/SquidFaq/ReverseProxy#head-7fa129a6528d9a5c914f8dd5671668173e39e341
>

Thanks for this information. I knew my configuration wasn't secure but
at this point, I don't leave the proxy running except for when I'm
working on it. I'll review the config above and will use it as my test
config from here on out. :)

Thanks!

Peace...

Tom
Received on Thu Oct 16 2008 - 14:56:47 MDT
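
The http_access point raised in the quoted reply, as an added example that is not part of the original message or Squid's own code: a simplified Python model of first-match http_access evaluation, comparing the accelerator lines from the thread plus `http_access allow all` against a version limited to the served domain. The ACL name `our_sites` and the hostnames are assumptions, and only the `all` and `dstdomain` ACL types are modelled.

```python
# Simplified model of Squid's http_access evaluation: the first rule whose
# ACLs all match decides. Only the built-in "all" ACL and dstdomain ACLs are
# modelled. Hostnames and the ACL name "our_sites" are constructed examples.
WEAK = """
http_port 80 accel vhost
cache_peer 192.168.1.19 parent 8085 0 no-query originserver login=PASS
http_access allow all
"""
HARDENED = """
http_port 80 accel vhost
cache_peer 192.168.1.19 parent 8085 0 no-query originserver login=PASS
acl our_sites dstdomain www.example.com
http_access allow our_sites
http_access deny all
"""

def parse(conf):
    acls, rules = {}, []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] == "dstdomain":
            acls.setdefault(tok[1], []).extend(t.lower() for t in tok[3:])
        elif len(tok) >= 3 and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules

def domain_matches(host, pattern):
    # ".example.com" covers the domain and its subdomains; otherwise exact match.
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def acl_matches(name, host, acls):
    negate, name = name.startswith("!"), name.lstrip("!")
    hit = name == "all" or any(domain_matches(host, p) for p in acls.get(name, []))
    return hit != negate

def decide(conf, host):
    """Return "allow" or "deny" for a request whose Host header is `host`."""
    acls, rules = parse(conf)
    host = host.lower().rstrip(".")
    for action, names in rules:
        if all(acl_matches(n, host, acls) for n in names):
            return action
    # No match: Squid uses the opposite of the last rule, or deny with no rules.
    return "allow" if rules and rules[-1][0] == "deny" else "deny"

if __name__ == "__main__":
    for h in ("www.example.com", "unrelated.example.net"):
        print(h, decide(WEAK, h), decide(HARDENED, h))
```
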
