Re: [squid-users] Sibling peers not talking to each other

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 08 Jun 2009 13:42:02 +1200

On Sun, 07 Jun 2009 18:35:07 -0400, Jeff Rigby <jrigby_at_databasepublish.com>
wrote:
> This has been extremely helpful. I'm using Squid 3.0. Thanks so much
> for taking the time to answer my questions. I've taken your advice on
> pretty much everything and it seems a lot better. The round-robin for
> the parents is definitely working well, though I'm still unsure about
> the sibling peers.
>
> 1. Sibling Servers:
> Now when I request an image that is not available on one of the squid
> servers I get:
> 619 24.166.71.47 TCP_MISS/200 197662 GET http://dev.static.com/test.jpg - TIMEOUT_FIRST_UP_PARENT/dev image/jpeg
>
> It still loads the image fine, but I'm not sure what
> TIMEOUT_FIRST_UP_PARENT means, though it doesn't sound good.
>

Something bad happened with the selected peer. A timeout occurred trying to
contact it. So the first available parent was used instead.
The first available parent was the one called 'dev'.

> 2. Blocking non-image files
> I wasn't really clear in my initial message. I would like to block
> serving of any content that is not css, js, jpg, png, gif, and txt
> from the Squid servers. When I say block I mean that it should not
> query the parent for anything but these defined document types and
> instead return a 404 error (even if this content is valid on the
> origin server).

Then you need an ACL defining those file types.
Then:
  cache_peer_access XX allow aclname
  cache_peer_access XX deny all

to only allow those file types through to the peer.

Make sure the ACL is as compact and efficient a urlpath_regex as possible; it
will be tested several times during each request's processing and can't be
the more efficient rep_mime_type.

>
> 3. Force Domain / Cache Peer Domain:
> As for forcedomain / cache peer domain I don't see how I can delete
> this. Here's how the servers are currently set up:
>
> We have three main domains (All served on the same load balanced
> apache servers);
> www.webserver.com
> test.webserver.com
> dev.webserver.com
>
> And corresponding static file domains for the images (All domains are
> served by the same Squid servers):
> www.staticserver.com
> test.staticserver.com
> dev.staticserver.com
>
> The web domains are load balanced between three Apache servers.
> The static domains are load balanced between three Squid servers
>
> When someone requests an image from dev.staticserver.com it must query
> one of the web servers using dev.webserver.com which is why I thought
> I had to use cache_peer_domain and forcedomain. Is this incorrect?

Sort of, but no. forceddomain=XX changes the hostname visible by the
back-end server to XX. It does nothing to control any given request going
past. The domain is ALWAYS changed, regardless of what domain was
requested.

So requests for www.staticserver.com/fu will become requests for
dev.webserver.com/fu as well as requests for dev.staticserver.com/fu .

To prevent mistakes in URL mapping you also need cache_peer_domain and
cache_peer_access as two alternative ways to restrict what requests each
peer handles. To prevent a request going to cache_peer X, you define
"cache_peer_access X deny Y" or "cache_peer_domain X dev.staticserver.com"

To pass any request to any back-end BUT retain the hostname mapping only
part of the domain name in 3.0 you will likely still need a url_rewrite
helper.

It is a VERY good idea to make the back-end hostnames and paths accept the
public names, which will get you around all these troubles and simplify
things a lot for you.

>
> 4. New (and improved) Configuration:
>
> Just for reference:
> Squid 1: 10.155.0.90
> Squid 2: 10.155.0.91
> Squid 3: 10.155.0.92
> Web 1: 10.155.0.101
> Web 2: 10.155.0.102
> Web 3: 10.155.0.103
>
> Config (For Squid 1):
> visible_hostname img1.staticserver.com
> cache_effective_user squid
> http_port 80 accel defaultsite=www.staticserver.com vhost
>
> cache_peer 10.155.0.101 parent 80 0 no-query no-digest no-netdb-exchange originserver round-robin forceddomain=www.webserver.com name=prod1
> cache_peer 10.155.0.102 parent 80 0 no-query no-digest no-netdb-exchange originserver round-robin forceddomain=www.webserver.com name=prod2
> cache_peer 10.155.0.103 parent 80 0 no-query no-digest no-netdb-exchange originserver round-robin forceddomain=www.webserver.com name=prod3
> cache_peer_domain prod1 staticserver.com www.staticserver.com
> cache_peer_domain prod2 staticserver.com www.staticserver.com
> cache_peer_domain prod3 staticserver.com www.staticserver.com
>
> cache_peer 10.155.0.101 parent 80 0 no-query originserver no-digest no-netdb-exchange forceddomain=test.webserver.com name=test
> cache_peer_domain test test.staticserver.com
> cache_peer 10.155.0.101 parent 80 0 no-query originserver no-digest no-netdb-exchange forceddomain=dev.webserver.com name=dev
> cache_peer_domain dev dev.staticserver.com
>
> cache_peer 10.155.0.91 sibling 80 3130 allow-miss name=squid2
> cache_peer 10.155.0.92 sibling 80 3130 allow-miss name=squid3

Siblings squid2 and squid3 may be tested to see if they contain the
required object...

All requests for http://*.staticserver.com/* and http://staticserver.com/*
will have hostname altered to match http://www.webserver.com/* and passed
to prod1, prod2 or prod3 in a round-robin fashion.

If the request was for test.staticserver.com, then peer 'test' is also
attempted with a mapping of the hostname to http://test.webserver.com/* if
the prod1, prod2 or prod3 lookup fails.

If the request was for dev.staticserver.com, then peer 'dev' is also
attempted if the prod1, prod2 or prod3 lookup fails
(TIMEOUT_FIRST_UP_PARENT indicates this is happening), with a mapping of
the hostname to http://dev.webserver.com/*

Amos
Received on Mon Jun 08 2009 - 01:42:10 MDT
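
The allow-list from point 2 of the reply, written out as a squid.conf fragment. This is an added example, not part of the original message; the ACL name static_types is an assumption, and the peer names are the ones in the posted configuration.

```conf
# Added example: ACL name "static_types" is hypothetical; peer names come
# from the configuration quoted in the message.
#
# urlpath_regex is tested against the URL path, and in Squid that path
# includes the query string. Anchoring at both ends makes the extension
# of the path itself decide, not text that merely ends the URL
# (constructed sample paths):
#   /img/logo.png           matches     (forwarded to the peer)
#   /img/logo.png?v=2       matches     (forwarded to the peer)
#   /css/site.CSS           matches     (-i makes the test case-insensitive)
#   /report.php?f=x.jpg     no match    (extension appears only in the query)
#   /index.html             no match
acl static_types urlpath_regex -i ^[^?]*\.(css|js|jpg|png|gif|txt)(\?.*)?$

# One allow/deny pair per parent, as in the reply: only the listed file
# types are passed through, everything else is refused for that peer.
cache_peer_access prod1 allow static_types
cache_peer_access prod1 deny all

cache_peer_access prod2 allow static_types
cache_peer_access prod2 deny all

cache_peer_access prod3 allow static_types
cache_peer_access prod3 deny all

cache_peer_access test allow static_types
cache_peer_access test deny all

cache_peer_access dev allow static_types
cache_peer_access dev deny all
```

The existing cache_peer_domain lines stay in place; a peer is used only when both its domain restriction and its cache_peer_access list permit the request.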
