RE: [squid-users] Web mail attachments page cannot display

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 16 Jun 2009 12:59:36 +1200

On Tue, 16 Jun 2009 09:02:42 +0930, web <web_at_onwestside.com.au> wrote:
> Sorry I explained myself poorly.
>
> All requests still need to go out to the parent proxy (the links all go
> back to the core and don't allow internet access unless going out the parent
> proxy in the core, which has a 100MB connection to the ISP).
>
> So from my understanding, I won't be able to use the always_direct allow
> nocache command. Instead should I use the cache deny nocache line (instead
> of the no_cache deny nocache)?
>
> Again, I explained poorly as I still expect all requests to hit the local
> caching appliance, just don't want them to source the content from the cache
> (i.e. get the content from the internet, as the parent cache doesn't cache,
> just authenticates).

Hmm, the usual method of doing this is to store/cache at the local Squid
(layer #2 away from the Internet) and keep the central core proxy (layer #1
away from the Internet) as a simple high-speed pass-thru proxy without any
storage. That reduces load on the central proxy and lets the layers expand
to huge bandwidths (for example, several TB per second over all Squid).

To prevent storage:
  cache deny all
  cache_dir null /tmp

To send all requests to a parent proxy, never going direct to the
internet:
  never_direct allow all
  always_direct deny all
  prefer_direct off

>
> I am definitely up for suggestions on what you think I should have the
> cache_mem, maximum_object_size and cache_dir commands? Which I currently
> have set to:
>> cache_mem 32 MB

At a guess, I'd start with 25% of the free system memory or 15 minutes of
cached HITS...

This is mostly relevant for a storage proxy though.

> > maximum_object_size 30720 KB
> > cache_dir aufs d:/squid/var/cache 60000 16 256
>
> The hard drives are all 160GB, with 60GB setup on C for the operating
> system, and programs. D drive is the remaining 100GB, with the cache and
> logs folders on it.
>
> Each machine has 1GB of ram.
>
> Appreciate the help. Thanks.
>
> ________________________________________
> From: Amos Jeffries [squid3_at_treenet.co.nz]
> Sent: Friday, 12 June 2009 11:48 AM
> To: web
> Cc: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] Web mail attachments page cannot display
>
> web wrote:
>> Hi, I have 500 squidnt 2.7 stable 5 appliances out at distributed
>> offices. It is being reported to me that when connected to the local
>> caching appliance, intermittently they are getting page cannot
>> display messages when using webmail and adding attachments. If they
>> point to the upstream (parent) cache, they are not experiencing the
>> problem. What I have tried, is to put the URL for the webmail in the
>> nocache.conf file, so it doesn't cache this information, therefore I
>> would assume that it's going direct (much the same way as if they
>> pointed their caching appliance to upstream server).
>
> You assume wrong. "no_cache" directive is an obsolete spelling of
> "cache" directive.
>
> The only way to make requests go directly to an outside server without
> involving Squid is to do it at the browser (explicit settings or
> WPAD/PAC file) or the firewall (interception bypass rules).
>
> Once the request reaches Squid it's too late to not handle.
>
>> The upstream
>> (core) squid appliance is managed outside our company, so we don't
>> have anything to do with it, but it shouldn't matter either as it
>> works pointing directly to it. Does anyone have any suggestions to
>> what I could try or what I am doing wrong? I have pasted the local
>> caching appliance config to help with identifying the problem.
>> Thanks in advance.
>>
>
> 'always_direct' is the directive to make Squid use a direct link to the
> outside server instead of one of the cache_peer links.
>
> I'd try setting:
> always_direct allow nocache
>
> Which will cut the proxy hierarchy to one layer and improve the chances
> of a successful request.
> I've seen this type of thing with a slow link and large uploaded file
> (order of MB such as MS office generated files).
>
> Amos
>
>
> > http_port 8080
> > cache_peer proxy.xxxxxxxx parent 8080 3130 no-query default login=PASS
> > hierarchy_stoplist cgi-bin ?
> > acl QUERY urlpath_regex cgi-bin \?
> > no_cache deny QUERY
>
> change that to "cache deny"
>
> > cache_mem 32 MB
> > maximum_object_size 30720 KB
> > cache_dir aufs d:/squid/var/cache 60000 16 256
>
> 60GB of storage with a 30MB absolute cap on object size...
>
> cap of 32MB worth of objects stored in RAM-cache at any point.
>
> > auth_param digest children 5
> > auth_param digest realm Squid proxy-caching web server
> > auth_param digest nonce_garbage_interval 5 minutes
> > auth_param digest nonce_max_duration 30 minutes
> > auth_param digest nonce_max_count 50
> > auth_param basic children 5
> > auth_param basic realm Squid proxy-caching web server
> > auth_param basic credentialsttl 2 hours
> > auth_param basic casesensitive off
> > refresh_pattern ^ftp: 1440 20% 10080
> > refresh_pattern ^gopher: 1440 0% 1440
> > refresh_pattern . 0 20% 4320
> > acl all src 0.0.0.0/0.0.0.0
> > acl manager proto cache_object
> > acl localhost src 127.0.0.1/255.255.255.255
> > acl to_localhost dst 127.0.0.0/8
> > acl SSL_ports port 443 563
> > acl Safe_ports port 80 # http
> > acl Safe_ports port 21 # ftp
> > acl Safe_ports port 443 563 # https, snews
> > acl Safe_ports port 70 # gopher
> > acl Safe_ports port 210 # wais
> > acl Safe_ports port 1025-65535 # unregistered ports
> > acl Safe_ports port 280 # http-mgmt
> > acl Safe_ports port 488 # gss-http
> > acl Safe_ports port 591 # filemaker
> > acl Safe_ports port 777 # multiling http
> > acl CONNECT method CONNECT
> > acl snmppublic snmp_community xxxxxxxxxx
> > acl snmpprivate snmp_community xxxxxxxxxx
> > http_access allow manager localhost
> > http_access deny manager
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> > acl block url_regex -i "d:/squid/var/logs/block.conf"
> > acl unblock url_regex -i "d:/squid/var/logs/unblock.conf"
> > acl nocache url_regex -i "d:/squid/var/logs/nocache.conf"
> > no_cache deny nocache
> > http_access deny block !unblock
>
> Two regex ACL in a row. See how much of that you can alter into
> dstdomain or such. It's much faster.
>
> Best configuration for regex is where a fast ACL like dstdomain is
> tested first to short-circuit the regex from being needed on as much
> traffic as possible.
>
> > http_access allow all
>
> Eeek! mostly-open proxy. Better define some security on that right quick.
>
> Start with an ACL defining what the local client networks are.
>
> If you intended this as an accelerator then please use the recommended
> accelerator configs to secure your destinations.
> http://wiki.squid-cache.org/ConfigExamples
>
> > http_access deny all
> > http_reply_access allow all
> > icp_access allow all
> > cache_mgr webmaster
> > visible_hostname SquidNT.proxy.local
> > always_direct deny all
> > never_direct allow all
> > snmp_port 3401
> > snmp_access allow snmppublic
> > snmp_access allow snmpprivate
> > snmp_access deny all
> > snmp_incoming_address 0.0.0.0
> > snmp_outgoing_address 255.255.255.255
> > coredump_dir d:/squid/var/cache
> > access_log d:/squid/var/logs/access.log squid
> > cache_log d:/squid/var/logs/cache.log
> > mime_table d:/squid/var/logs/mime.conf
> > cache_store_log d:/squid/var/logs/store.log
>
> Well, you can set that to "none"; the store log is mostly a deep debug
> info log.
>
> > redirect_program c:/Perl/bin/perl.exe d:/squid/var/logs/redirector.pl

Amos
Received on Tue Jun 16 2009 - 00:59:41 MDT
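
Added example, not part of the thread or of either poster's configuration: a Python check for the `http_access` ordering problem flagged in the quoted review, where `http_access allow all` precedes `http_access deny all`. The rule excerpt is constructed from the config quoted above, and the function names and the finding labels `open-allow` and `unreachable` are chosen for this example.

```python
import ipaddress

# Constructed excerpt: access rules taken from the config quoted in the thread.
SAMPLE_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl Safe_ports port 80 # http
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access allow all
http_access deny all
"""

def parse(conf):
    """Return ({acl name: (type, values)}, ordered [(action, terms)])."""
    acls, rules = {}, []
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) >= 3 and tok[0] == "acl":
            acls.setdefault(tok[1], (tok[2], []))[1].extend(tok[3:])
        elif len(tok) >= 3 and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules

def any_src(acls, name):
    """True for a src ACL holding a /0 network, i.e. it matches every client."""
    kind, vals = acls.get(name, ("", []))
    for v in vals if kind == "src" else []:
        try:
            if ipaddress.ip_network(v, strict=False).prefixlen == 0:
                return True
        except ValueError:  # ranges or file references: treat as restrictive
            continue
    return False

def audit(conf):
    acls, rules = parse(conf)
    findings, terminal = [], False  # finding labels are names chosen here
    for n, (action, terms) in enumerate(rules, 1):
        # A negated term ("!name") is never an ACL key, so it never narrows.
        narrows = any(acls.get(t, ("",))[0] == "src" and not any_src(acls, t)
                      for t in terms)
        if terminal:  # an earlier rule already matched every request
            findings.append((n, "unreachable"))
        elif action == "allow" and not narrows:
            findings.append((n, "open-allow"))
        terminal = terminal or all(any_src(acls, t) for t in terms)
    return findings
```

On the excerpt, `audit(SAMPLE_CONF)` reports rule 4 as `open-allow` and rule 5 as `unreachable`; swapping `allow all` for an allow rule on a `src` ACL listing the client networks clears both findings.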
