RE: [squid-users] Web mail attachments page cannot display

From: web <web_at_onwestside.com.au>
Date: Tue, 16 Jun 2009 09:02:42 +0930

Sorry I explained myself poorly.

All requests still need to go out to the parent proxy (the links all go back to the core and don't allow internet access unless going out the parent proxy in the core, which has a 100MB connection to the ISP).

So from my understanding, I won't be able to use the always_direct allow nocache command. Instead should I use the cache deny nocache line (instead of the no_cache deny nocache)?

Again, I explained poorly as I still expect all requests to hit the local caching appliance, just don't want them to source the content from the cache (i.e. get the content from the internet, as the parent cache doesn't cache, just authenticates).

I am definitely up for suggestions on what you think I should have for the cache_mem, maximum_object_size and cache_dir commands, which I currently have set to:
> cache_mem 32 MB
> maximum_object_size 30720 KB
> cache_dir aufs d:/squid/var/cache 60000 16 256

The hard drives are all 160GB, with 60GB set up on C for the operating system and programs. D drive is the remaining 100GB, with the cache and logs folders on it.

Each machine has 1GB of RAM.

Appreciate the help. Thanks.

________________________________________
From: Amos Jeffries [squid3_at_treenet.co.nz]
Sent: Friday, 12 June 2009 11:48 AM
To: web
Cc: squid-users_at_squid-cache.org
Subject: Re: [squid-users] Web mail attachments page cannot display

web wrote:
> Hi, I have 500 squidnt 2.7 stable 5 appliances out at distributed
> offices. It is being reported to me that when connected to the local
> caching appliance, intermittently they are getting page cannot
> display messages when using webmail and adding attachments. If they
> point to the upstream (parent) cache, they are not experiencing the
> problem. What I have tried, is to put the URL for the webmail in the
> nocache.conf file, so it doesn't cache this information, therefore I
> would assume that it's going direct (much the same way as if they
> pointed their caching appliance to upstream server).

You assume wrong. "no_cache" directive is an obsolete spelling of
"cache" directive.

The only way to make requests go directly to an outside server without
involving Squid is to do it at the browser (explicit settings or
WPAD/PAC file) or the firewall (interception bypass rules).

Once the request reaches Squid it's too late to not handle.

> The upstream
> (core) squid appliance is managed outside our company, so we don't
> have anything to do with it, but it shouldn't matter either as it
> works pointing directly to it. Does anyone have any suggestions to
> what I could try or what I am doing wrong? I have pasted the local
> caching appliance config to help with identifying the problem.
> Thanks in advance.
>

'always_direct' is the directive to make Squid use a direct link to the
outside server instead of one of the cache_peer links.

I'd try setting:
   always_direct allow nocache

Which will cut the proxy hierarchy to one layer and improve the chances
of a successful request.
I've seen this type of thing with a slow link and large uploaded file
(order of MB such as MS office generated files).

Amos

> http_port 8080
> cache_peer proxy.xxxxxxxx parent 8080 3130 no-query default login=PASS
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY

change that to "cache deny"

> cache_mem 32 MB
> maximum_object_size 30720 KB
> cache_dir aufs d:/squid/var/cache 60000 16 256

60GB of storage with a 30MB absolute cap on object size...

cap of 32MB worth of objects stored in RAM-cache at any point.

> auth_param digest children 5
> auth_param digest realm Squid proxy-caching web server
> auth_param digest nonce_garbage_interval 5 minutes
> auth_param digest nonce_max_duration 30 minutes
> auth_param digest nonce_max_count 50
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> acl snmppublic snmp_community xxxxxxxxxx
> acl snmpprivate snmp_community xxxxxxxxxx
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> acl block url_regex -i "d:/squid/var/logs/block.conf"
> acl unblock url_regex -i "d:/squid/var/logs/unblock.conf"
> acl nocache url_regex -i "d:/squid/var/logs/nocache.conf"
> no_cache deny nocache
> http_access deny block !unblock

Two regex ACL in a row. See how much of that you can alter into
dstdomain or such. It's much faster.

Best configuration for regex is where a fast ACL like dstdomain is
tested first to short-circuit the regex from being needed on as much
traffic as possible.

> http_access allow all

Eeek! mostly-open proxy. Better define some security on that right quick.

Start with an ACL defining what the local client networks are.

If you intended this as an accelerator then please use the recommended
accelerator configs to secure your destinations.
   http://wiki.squid-cache.org/ConfigExamples

> http_access deny all
> http_reply_access allow all
> icp_access allow all
> cache_mgr webmaster
> visible_hostname SquidNT.proxy.local
> always_direct deny all
> never_direct allow all
> snmp_port 3401
> snmp_access allow snmppublic
> snmp_access allow snmpprivate
> snmp_access deny all
> snmp_incoming_address 0.0.0.0
> snmp_outgoing_address 255.255.255.255
> coredump_dir d:/squid/var/cache
> access_log d:/squid/var/logs/access.log squid
> cache_log d:/squid/var/logs/cache.log
> mime_table d:/squid/var/logs/mime.conf
> cache_store_log d:/squid/var/logs/store.log

Well, you can set that to "none"; the store log is mostly a deep debug
info log.

> redirect_program c:/Perl/bin/perl.exe d:/squid/var/logs/redirector.pl

Amos

--
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
   Current Beta Squid 3.1.0.8 or 3.0.STABLE16-RC1
Received on Mon Jun 15 2009 - 23:32:56 MDT

This archive was generated by hypermail 2.2.0 : Tue Jun 16 2009 - 12:00:03 MDT
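
An added example, not part of the original thread or of Squid itself: a small Python check for the two config problems raised in the review above, the obsolete `no_cache` spelling and an `http_access allow all` that makes the later `deny all` unreachable. It models `http_access` as first-match-wins with all ACLs on a line ANDed; the `audit` function and the sample text are constructed for illustration, and only `acl ... src` definitions are used to decide whether an ACL matches every client.

```python
# Constructed sample: access-control lines taken from the config quoted in the thread.
SAMPLE_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl CONNECT method CONNECT
acl nocache url_regex -i "d:/squid/var/logs/nocache.conf"
no_cache deny nocache
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all
http_access deny all
"""

# src values that match every client address (assumption: IPv4-only configs)
ANY_SRC = {"0.0.0.0/0.0.0.0", "0.0.0.0/0", "all"}


def audit(conf_text):
    """Return a list of (line_number, finding) tuples for a squid.conf text."""
    findings, match_all, catch_all_at = [], set(), None
    for num, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()   # drop trailing comments
        if not tokens:
            continue
        directive, args = tokens[0], tokens[1:]
        if directive == "acl" and len(args) >= 3 and args[1] == "src":
            if any(a in ANY_SRC for a in args[2:]):
                match_all.add(args[0])          # this ACL matches every client
        elif directive == "no_cache":
            findings.append((num, "obsolete no_cache: use 'cache' (storage only, not routing)"))
        elif directive == "http_access" and len(args) >= 2:
            if catch_all_at is not None:
                findings.append((num, f"unreachable: line {catch_all_at} matches every request"))
                continue
            # A rule is a catch-all only if every ACL named on it matches everything.
            if all(a in match_all for a in args[1:]):
                catch_all_at = num
                if args[0] == "allow":
                    findings.append((num, "allow for any source: open proxy unless denied earlier"))
    if catch_all_at is None:
        findings.append((0, "no catch-all rule: end with 'http_access deny all'"))
    return findings
```

Replacing the catch-all allow with an allow on an ACL for the local client networks, followed by `http_access deny all`, clears the last two findings.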