[squid-users] All Traffic is TCP MISS

From: Jamie Orzechowski <jamie.orzechowski_at_gmail.com>
Date: Thu, 11 Jun 2009 11:17:32 -0400

Since I moved to a TProxy setup, all of my traffic is being logged as
TCP_MISS. Without TProxy I see HITs all over the place.

Any ideas what is causing this??

Running the following

IPTables: v1.4.3.2:
Kernel: 2.6.28-11-server

Squid Cache: Version 3.1.0.8
configure options: '--prefix=/usr' '--mandir=/share/man'
'--infodir=/share/info' '--sysconfdir=/etc'
'--localstatedir=/var' '--libexecdir=/lib/squid3'
'--sysconfdir=/etc/squid3' '--enable-inline'
'--enable-async-io=32' '--enable-storeio=ufs,aufs,diskd'
'--enable-removal-policies=lru,heap'
'--enable-delay-pools' '--enable-cache-digests' '--enable-underscores'
'--enable-follow-x-forwarded-for'
'--with-filedescriptors=65536' '--with-default-user=proxy'
'--enable-linux-netfilter' --with-squid=/tmp/squid-3.1.0.8
--enable-ltdl-convenience

The TProxy interception is set up with the following rules:

# TPROXY interception for Squid: new port-80 connections, and any packet
# already owned by a local socket, are marked 1 and handed to the local stack
# through a dedicated routing table.  Squid listens on 3129 with the "tproxy"
# flag (see http_port below).
IPT=/usr/local/sbin/iptables
MANGLE="$IPT -t mangle"

# DIVERT chain: stamp the packet with mark 1 and let it continue.
$MANGLE -N DIVERT
$MANGLE -A DIVERT -j MARK --set-mark 1
$MANGLE -A DIVERT -j ACCEPT

# Packets that already belong to an existing local (transparent) socket.
$MANGLE -A PREROUTING -p tcp -m socket -j DIVERT

# New connections to port 80: mark them and redirect to Squid's tproxy port.
# NOTE(review): there is no "-i <iface>" here, so port-80 traffic arriving on
# ANY interface is intercepted -- confirm that is intended on a multi-homed box.
$MANGLE -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

# Policy routing: anything carrying mark 1 is delivered locally, whatever its
# destination address.
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

# The host must also forward for the non-intercepted traffic to pass through.
# NOTE(review): nothing here touches rp_filter; Squid's TPROXY documentation
# requires reverse-path filtering to be off on the interfaces involved --
# confirm it is disabled on this host.
echo 1 > /proc/sys/net/ipv4/ip_forward

-----------------------------------------------
Here is part of my config

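# --- Partial squid.conf (as posted) -----------------------------------------
# Only the ACL / access-control, port and refresh_pattern sections are shown;
# cache_dir, cache_mem and logging are not part of this excerpt.

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8

# Client networks permitted to use the proxy.  The first three are public
# prefixes: anything routed through this box from those ranges is a client.
acl localnet src 66.78.96.0/19
acl localnet src 64.235.192.0/19
acl localnet src 72.0.192.0/19
acl localnet src 192.168.1.0/24
acl localnet src 192.168.254.0/24

hierarchy_stoplist cgi-bin ?

acl directurls url_regex -i "/etc/squid3/direct-urls"

# "cache" rules are evaluated in order; the first match wins.
#
# The posted config had "cache deny localnet" as the first rule.  Since
# http_access (below) only admits requests from localnet and localhost, that
# rule made every request from a real client non-cacheable -- i.e. TCP_MISS for
# all traffic, which is very likely what is being observed.  It is disabled
# here so "cache allow all" actually applies.  If the intent was to avoid
# caching content *hosted* on the local networks, that needs a "dst" ACL,
# not the "src"-based localnet ACL.
#cache deny localnet
cache deny directurls
always_direct allow directurls
cache allow all

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# Access control, evaluated top to bottom: cache manager only from localhost,
# block unsafe ports and CONNECT to non-SSL ports, then admit only localnet
# and localhost.  Everything else is refused.
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localnet
http_access allow localhost
http_access deny all
icp_access allow localnet
htcp_access allow localnet
icp_access deny all
htcp_access deny all
htcp_clr_access deny all
ident_lookup_access deny all

# 3128: explicit proxy port.  3129: TPROXY interception target (must match the
# --on-port of the iptables TPROXY rule).
http_port 66.78.102.2:3128
http_port 66.78.102.2:3129 tproxy

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440

# SECURITY NOTE: override-expire / ignore-no-cache / ignore-no-store /
# ignore-private discard the origin server's cache-control.  "Cache-Control:
# private" marks a response as intended for a single user; ignoring it means
# such a response can be served from this shared cache to other clients.  On
# the document-type pattern below (pdf, doc, ppt, zip ...) that is a real
# cross-user disclosure risk on an ISP proxy.  Left as posted -- review before
# keeping these overrides.
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(iso|img|avi|wav|mp3|mp4|mpg|mpeg|swf|flv|x-flv|wma|wmv)$ 43200 90% 432000 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff|pdf)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 40% 40320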

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=
Jamie Orzechowski - CCNA
RipNET Ltd. System/Network Administrator
Tel.: 613-342-3946 x294
THIS MESSAGE IS INTENDED ONLY FOR THE ADDRESSEE,
IT MAY CONTAIN PRIVILEGED OR CONFIDENTIAL INFORMATION.
ANY UNAUTHORIZED DISCLOSURE IS STRICTLY PROHIBITED.
IF YOU HAVE RECEIVED THIS MESSAGE IN ERROR,
PLEASE NOTIFY ME IMMEDIATELY SO THAT I MAY CORRECT MY
INTERNAL RECORDS.  PLEASE THEN DELETE THE ORIGINAL MESSAGE.
=-=-=-=-=-=-=-=-=-=-=-=-=