Re: [squid-users] All Traffic is TCP MISS

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 12 Jun 2009 04:01:56 +1200

Jamie Orzechowski wrote:
> Since I have moved to a TProxy setup all my traffic is showing up as a
> TCP_MISS ... Without TProxy I see HIT's all over the place.
>
> Any ideas what is causing this??
>
> Running the following
>
> IPTables: v1.4.3.2:
> Kernel: 2.6.28-11-server
>
> Squid Cache: Version 3.1.0.8
> configure options: '--prefix=/usr' '--mandir=/share/man'
> '--infodir=/share/info' '--sysconfdir=/etc'
> '--localstatedir=/var' '--libexecdir=/lib/squid3'
> '--sysconfdir=/etc/squid3' '--enable-inline'
> '--enable-async-io=32' '--enable-storeio=ufs,aufs,diskd'
> '--enable-removal-policies=lru,heap'
> '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores'
> '--enable-follow-x-forwarded-for'
> '--with-filedescriptors=65536' '--with-default-user=proxy'
> '--enable-linux-netfilter' --with-squid=/tmp/squid-3.1.0.8
> --enable-ltdl-convenience
>
> TProxy setup with the following
>
> /usr/local/sbin/iptables -t mangle -N DIVERT
> /usr/local/sbin/iptables -t mangle -A DIVERT -j MARK --set-mark 1
> /usr/local/sbin/iptables -t mangle -A DIVERT -j ACCEPT
> /usr/local/sbin/iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> /usr/local/sbin/iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>
> ip rule add fwmark 1 lookup 100
> ip route add local 0.0.0.0/0 dev lo table 100
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> -----------------------------------------------
> Here is part of my config
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
>
> acl localnet src 66.78.96.0/19
> acl localnet src 64.235.192.0/19
> acl localnet src 72.0.192.0/19
> acl localnet src 192.168.1.0/24
> acl localnet src 192.168.254.0/24
>
> hierarchy_stoplist cgi-bin ?
>

You appear to be under some illusion about what the following directives
mean...

cache == don't store the object as it flows through Squid.

always_direct == don't send to a configured cache_peer.

thus...

> acl directurls url_regex -i "/etc/squid3/direct-urls"
> cache deny localnet

  ... prevents *_HIT ever occurring if the web object was fetched from
localnet.

> cache deny directurls

.. prevent storage (thus *_HIT) for any request matching a set of regex
patterns.

> always_direct allow directurls

.. since no cache_peer entries, merely slows squid down as it does a
very slow regex match.

> cache allow all

... then lets stuff be cached. Which is normal behavior if none of the
above exist.

>
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny to_localhost
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> icp_access allow localnet
> htcp_access allow localnet
> icp_access deny all
> htcp_access deny all
> htcp_clr_access deny all
> ident_lookup_access deny all
>
> http_port 66.78.102.2:3128
> http_port 66.78.102.2:3129 tproxy
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
> refresh_pattern -i \.(iso|img|avi|wav|mp3|mp4|mpg|mpeg|swf|flv|x-flv|wma|wmv)$ 43200 90% 432000 override-expire ignore-no-cache ignore-no-store ignore-private
> refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff|pdf)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
> refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 40% 40320
>

It is a problem mentioned before.
Yours probably has something to do with this:
    cache deny localnet

What I don't understand is why you get any HIT at all.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
   Current Beta Squid 3.1.0.8 or 3.0.STABLE16-RC1
Received on Thu Jun 11 2009 - 16:02:03 MDT
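Added example, not from the thread: a small Python check over constructed access.log lines, using the five localnet subnets from the quoted squid.conf, that confirms the symptom Amos describes (every request from a localnet client is TCP_MISS while another client still gets TCP_HIT). It assumes Squid's native access.log field order; the log lines and the 127.0.0.1 client are made up.

```python
"""Tally Squid access.log result codes per source network (constructed example)."""
import ipaddress
from collections import Counter, defaultdict

# The five `acl localnet src` networks from the quoted squid.conf.
LOCALNET = [ipaddress.ip_network(n) for n in (
    "66.78.96.0/19", "64.235.192.0/19", "72.0.192.0/19",
    "192.168.1.0/24", "192.168.254.0/24")]

# Constructed access.log lines in Squid's native format:
# time elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1244716800.123 45 66.78.100.7 TCP_MISS/200 5120 GET http://example.com/a.gif - DIRECT/93.184.216.34 image/gif
1244716801.456 12 66.78.100.7 TCP_MISS/200 5120 GET http://example.com/a.gif - DIRECT/93.184.216.34 image/gif
1244716802.789 3 127.0.0.1 TCP_HIT/200 5120 GET http://example.com/a.gif - NONE/- image/gif
1244716803.012 60 192.168.1.20 TCP_MISS/200 8192 GET http://example.com/b.css - DIRECT/93.184.216.34 text/css
"""

def matches_acl(client):
    """True when the client address falls inside any localnet subnet."""
    addr = ipaddress.ip_address(client)
    return any(addr in net for net in LOCALNET)

def tally(log_text):
    """Map "localnet" / "other" to a Counter of Squid result codes."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or truncated lines
        client, code = fields[2], fields[3].split("/")[0]
        group = "localnet" if matches_acl(client) else "other"
        counts[group][code] += 1
    return counts

def localnet_never_hits(log_text):
    """Symptom check: localnet clients see no *_HIT while others do."""
    counts = tally(log_text)
    local_hits = sum(v for k, v in counts["localnet"].items() if "HIT" in k)
    other_hits = sum(v for k, v in counts["other"].items() if "HIT" in k)
    return local_hits == 0 and other_hits > 0

if __name__ == "__main__":
    for group, ctr in tally(SAMPLE_LOG).items():
        print(group, dict(ctr))
    print("cache deny localnet symptom:", localnet_never_hits(SAMPLE_LOG))
```

Run it against a real access.log by reading the file into `tally()`; if the localnet group never shows a *_HIT, the `cache deny localnet` line is the first thing to remove.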
