Re: [squid-users] Sibling peers not talking to each other

From: Chris Robertson <crobertson_at_gci.net>
Date: Fri, 05 Jun 2009 13:49:52 -0800

Jeff Rigby wrote:
> Hello,
>
> I've just set up my first Squid server. So far I've been very impressed with
> the performance. I would have been lost without this list so thanks for all
> your help.
>
> My config seems to work, but the peers are not talking to each other at all
> and I was hoping that someone on this (extremely helpful) list can help me
> out. Here are the parameters:
>
> - 3 Squid servers running in accelerator mode
>

What version? All my responses assume at least 2.6.

> - Each server has its own cache (I have plenty of space available)
> - 3 web servers
> - 3 different domains are served by these servers (domain.com,
> test.domain.com, dev.domain.com) and each goes to a different origin server.
>

I'm assuming (from the config below) that you mean there are three
domains, all of which are hosted on all three of the origin servers, but
currently, each Squid server is assigned its own origin server.

> - I want the Squid servers to query each other before going to the parent
> (this is not working)
> - I have set up the peers as siblings (not sure if this is correct)
> - Each server has a different origin server defined (webserver 1, 2, 3
> respectively)
> - I pretty much always want to serve from the cache regardless of header (We
> enforce unique file names)
> - This server only serves jpg, png, gif, js, css, and txt
>
> So I have four questions:
>
> 1. Is it possible to round robin the origin server instead of defining
> different IPs for each server?
>

Yes. But I'm not sure you are going to be able to do it with the setup
you have. To be honest, I'm amazed your setup is working...

> 2. How can I make the servers talk to each other, before hitting the origin
> server?
>

Setting them up as siblings, and allowing icp access. That much looks
correct.

> 3. Is there anything else odd in my configuration?
>

Oh yeah... We'll get to that. ;o)

> 4. How can I block all other file types besides images, js, css, txt. I know
> this can be done with an acl but thus far I haven't figured it out.
>

Block them how? Deny caching of other file types? Block replies from
the origin servers that are not identified as one of the above mentioned
files types? Block requests for objects that are not one of those file
types? Clarify this point and I'd be happy to give advice.

> Here are the IPs:
> Squid 1: 10.155.0.90:80 -> Webserver 1: 10.155.0.101
> Squid 2: 10.155.0.91:80 -> Webserver 1: 10.155.0.102
> Squid 3: 10.155.0.92:80 -> Webserver 1: 10.155.0.103
>

Something really bad happened with the line wrapping of the config. I
think I've got it parsed correctly...

> Squid 1 Config:
> visible_hostname img1.squid_server.com
> dns_nameservers 10.155.0.240 10.155.0.241

Squid does a pretty good job of using the host OS settings for DNS
servers. Usually this directive is not needed.

> cache_effective_user squid
> cache_effective_group squid

As long as the user "squid" is a member of the group "squid"
cache_effective_group is not needed (and if the user is not a member of
the group, that should be fixed).

> http_port 127.0.0.1:3128 accel defaultsite=localhost vhost
> http_port 10.155.0.90:80 accel defaultsite=squid_server.com vhost

Is there something running on localhost port 80? If not, consolidate
these two lines to just "http_port 80 accel defaultsite=domain.com
vhost" and use localhost port 80 for cache_mgr queries. In any case,
defaultsite should be set to the default FQDN you wish to direct
visitors to if the HTTP request doesn't contain a Host header
(www.domain.com, test.domain.com or dev.domain.com).

> cache_peer 10.155.0.101 parent 80 0 no-query originserver no-digest no-netdb-exchange forceddomain=www.domain.com name=prod
> cache_peer_domain prod squid_server.com www.squid_server.com

Here's where things get really weird. Have a gander at
http://wiki.squid-cache.org/ConfigExamples/Reverse/VirtualHosting. No
really... I'll wait.

Notice how it's not specified how many domains the origin server hosts,
but there's only ONE cache_peer line? Notice how, in a vhost setup,
forceddomain is not used... Both by design.

> cache_peer 10.155.0.101 parent 80 0 no-query originserver no-digest no-netdb-exchange forceddomain=test.domain.com name=test
> cache_peer_domain test test.squid_server.com
> cache_peer 10.155.0.101 parent 80 0 no-query originserver no-digest no-netdb-exchange forceddomain=dev.domain.com name=dev
> cache_peer_domain dev dev.squid_server.com

Replace all the cache_peer and cache_peer_domain lines to this point with...

cache_peer 10.155.0.101 parent 80 0 no-query no-digest no-netdb-exchange
originserver round-robin
cache_peer 10.155.0.102 parent 80 0 no-query no-digest no-netdb-exchange
originserver round-robin
cache_peer 10.155.0.103 parent 80 0 no-query no-digest no-netdb-exchange
originserver round-robin

If you really don't mind round-robin requests (which for an image/js/css
server you wouldn't) it's the simplest choice, otherwise you could use
sourcehash for client-server affinity. As I'll mention again later,
you really don't want to use cache_peer access or cache_peer_domain in
your setup. It's only relevant when you have different content on the
back-end servers.

> cache_peer 10.155.0.91 sibling 80 3130 allow-miss no-netdb-exchange name=squid2

You might want to drop the no-netdb-exchange from the sibling lines.
Especially if you decide to leave query_icmp enabled...

> cache_peer 10.155.0.92 sibling 80 3130 allow-miss no-netdb-exchange name=squid3
>
> #headers
> reply_header_access Cache-Control deny all
> header_replace Cache-Control max-age=1209600
> refresh_pattern . 0 50% 1209600 ignore-no-cache override-expire override-lastmod reload-into-ims ignore-reload ignore-no-store ignore-private
> reload_into_ims on
>
> #ICP
> query_icmp on
>

Since all your servers are on the same LAN, don't bother with the ICMP
queries.

> icp_port 3130
> udp_incoming_address 10.155.0.90
>

Setting udp_incoming_address will prevent using this IP for
udp_outgoing_address. Leave it the default, unless you have multiple
interfaces, some which SHOULD NOT receive UDP data.

> # Basic ACLs
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> acl mydomain dstdomain .domain.com .squid_server.com localhost .external.alliedadvpub.com
> acl localnet src 10.0.0.0/16
> acl Safe_ports port 80 # http
> acl Safe_ports port 3128 # admin
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access allow mydomain
>
> http_access deny all
>

Access controls handled... If you decide just to use port 80, you can
remove 3128 from Safe_ports.

>
> icp_access allow localnet
> icp_access deny all
>
>

Drop all of these cache_peer_access lines. You want to have the freedom
to query any of your peers for any request.

> cache_peer_access prod allow mydomain
> cache_peer_access prod deny all
> cache_peer_access test allow mydomain
> cache_peer_access test deny all
> cache_peer_access dev allow mydomain
> cache_peer_access dev deny all
>
> #cache_peer_access squid1 allow mydomain localnet
> #cache_peer_access squid1 deny all
> cache_peer_access squid2 allow mydomain localnet
> cache_peer_access squid2 deny all
> cache_peer_access squid3 allow mydomain localnet
> cache_peer_access squid3 deny all

You already defined the icp_access once. It's redundant here. No harm,
just redundant.

> icp_access allow localnet
> icp_access deny all
>
> (other settings removed)
>
> The other configs are exactly the same except the siblings are configured to
> be the other servers and the parent for the main server points to another IP
> (a different webserver).
>
> I'm not seeing anything weird in cache.log. It seems to load the siblings
> but when I look at the cache manager ICP sent and received is 0.
>

I'd have to guess this is related to defining udp_incoming_address, and
nothing else. If you want to make a simple change, just remove that
declaration and see if sibling queries work.

> Jeff
>

Chris
Received on Fri Jun 05 2009 - 21:50:04 MDT
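Pulling the advice in this reply together into a single squid.conf fragment for Squid 1 (an added example, not from either message in the thread); it assumes Squid 2.6 or later and that all three origin servers host all three domains, as Chris assumed. Squid 2 and 3 would differ only in visible_hostname and in which two hosts are listed as siblings.

```conf
# Squid 1 (10.155.0.90) with the suggested changes applied. Assumes Squid 2.6+.
visible_hostname img1.squid_server.com
cache_effective_user squid
# dns_nameservers and cache_effective_group dropped: OS resolver settings
# are used, and user "squid" is assumed to be in group "squid".

# One accelerator port; localhost:80 also serves cache manager queries.
http_port 80 accel defaultsite=domain.com vhost

# Every origin hosts every domain, so no cache_peer_domain / forceddomain;
# Squid round-robins between them. Use "sourcehash" instead of
# "round-robin" if client-to-server affinity matters.
cache_peer 10.155.0.101 parent 80 0 no-query no-digest no-netdb-exchange originserver round-robin
cache_peer 10.155.0.102 parent 80 0 no-query no-digest no-netdb-exchange originserver round-robin
cache_peer 10.155.0.103 parent 80 0 no-query no-digest no-netdb-exchange originserver round-robin

# Siblings with no-netdb-exchange removed, and no cache_peer_access lines,
# so any request may be queried against any peer.
cache_peer 10.155.0.91 sibling 80 3130 allow-miss name=squid2
cache_peer 10.155.0.92 sibling 80 3130 allow-miss name=squid3

# Header and refresh settings unchanged from the original post.
reply_header_access Cache-Control deny all
header_replace Cache-Control max-age=1209600
refresh_pattern . 0 50% 1209600 ignore-no-cache override-expire override-lastmod reload-into-ims ignore-reload ignore-no-store ignore-private
reload_into_ims on

# ICP: peers share a LAN, so no ICMP probing. udp_incoming_address is left
# at its default so the same address is available for outgoing queries.
query_icmp off
icp_port 3130

# Access controls: 3128 removed from Safe_ports since only port 80 is used.
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl mydomain dstdomain .domain.com .squid_server.com localhost .external.alliedadvpub.com
acl localnet src 10.0.0.0/16
acl Safe_ports port 80
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access allow mydomain
http_access deny all
icp_access allow localnet
icp_access deny all
```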