Re: [squid-users] transparent integration with proxy on router

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 29 Sep 2009 12:46:44 +1200

Oops, I hit send by mistake before I finished. Here is the rest...

On Tue, 29 Sep 2009 13:22:58 +1300, Todd Nine <todd_at_spidertracks.co.nz>
wrote:
> Hi Amos,
> Here is my squid.conf. I've just used the defaults and added a single
> rule. We're pushing a lot of throughput (several gigs a day). I've
> disabled writing to disk as we actually run from a USB appliance, and
> set the cache size to 1 GB (1024M) of RAM. My main use of squid is not
> caching, but rather http redirection to save us money on our usage fees
> from our ISPs.
>
> Thanks again for the help!
>
> File:
<snip, see earlier email>
>
> # Setup some default acls
> acl all src 0.0.0.0/0.0.0.0
> acl localhost src 127.0.0.1/255.255.255.255
> acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 1111 3128 1025-65535
> acl sslports port 443 563 1111
> acl manager proto cache_object
> acl purge method PURGE
> acl connect method CONNECT
> acl dynamic urlpath_regex cgi-bin \?
> cache deny dynamic

bit of a speed boost dropping the above two QUERY lines and adding:
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0

as the pattern directly above the . (dot) refresh_pattern.

> http_access allow manager localhost
>
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
> http_access deny !safeports
> http_access deny CONNECT !sslports
>
> # Always allow localhost connections
> http_access allow localhost
>
> request_body_max_size 0 KB
> reply_body_max_size 0 allow all
> delay_pools 1
> delay_class 1 2
> delay_parameters 1 -1/-1 -1/-1
> delay_initial_bucket_level 100
> delay_access 1 allow all

Huh? This is adding a lot of useless work to Squid.

-1/-1 is an 'unlimited' pool. The above configuration is identical in
effect to not having delay pools at all.

>
> # Allow local network(s) on interface(s)
> http_access allow localnet
> # Custom options
> #Set up our ACL for high throughput sites
> acl high_throughput dstdomain .amazonaws.com .rapidshare.com
> #Bind high throughput to the wireless interface
> tcp_outgoing_address 116.90.140.xx high_throughput
>
> # Default block all to be sure
> http_access deny all
>

the end.

Amos

>
>
> Amos Jeffries wrote:
>> On Tue, 29 Sep 2009 09:32:49 +1300, Todd Nine <todd_at_spidertracks.co.nz>
>> wrote:
>>
>>> Thanks for the help! I read over the rules and it was quite easy to set
>>> up what I needed once I had the right directive. I simply set up the
>>> following.
>>>
>>> #Set up our ACL for high throughput sites
>>> acl high_throughput dstdomain .amazonaws.com
>>>
>>> #Bind high throughput to the wireless interface
>>> tcp_outgoing_address 116.90.140.xx high_throughput
>>>
>>> However we're having a side effect issue. Our router box is a bit old
>>> (an old P4), and we can't keep up with the squid demands due to the
>>> number of users with 2 GB of ram. Is there a directive that I can tell
>>> squid not to proxy connections unless they meet the "high_throughput"
>>> acl? I looked and couldn't find any bypass directives that met what I
>>> needed.
>>>
>>> Thanks,
>>> Todd
>>>
>>
>> Once connections have already entered Squid it's too late to not send them
>> to Squid.
>>
>> I have run Squid on P4 routers with 256MB of RAM for hundreds of domains
>> and dozens of clients without having the box run up much of a sweat. What
>> is your load (both CPU box load, and visitor rates, bandwidth) like?
>> Also check your other configuration and access controls are using efficient
>> methods. If you don't know what those are already, I'm happy to give configs
>> an audit and point out things that need adjusting.
>>
>> Amos
>>
>>
>>> Amos Jeffries wrote:
>>>
>>>> On Mon, 28 Sep 2009 16:21:16 +1300, Todd Nine <todd_at_spidertracks.co.nz> wrote:
>>>>
>>>>
>>>>> Hi all,
>>>>> I'm using squid on a pfSense router we've built. We have 2
>>>>> connections, one we pay for usage (DSL) and one we do not (Wireless).
>>>>>
>>>>> We use Amazon S3 extensively at work. We've been attempting to route
>>>>> all traffic over the wireless via an IP range, but as S3 can change IPs,
>>>>> this doesn't work and we end up with a large bill for our DSL. Is it
>>>>> possible to have squid route connections via a specific interface if a
>>>>> hostname such as "amazonaws.com" is in the HTTP request header?
>>>>>
>>>>> Thanks,
>>>>> Todd
>>>>>
>>>>>
>>>> Yes you can.
>>>>
>>>> Find an IP assigned to the interface you want traffic to go out. Use the
>>>> tcp_outgoing_addr directive and ACLs that match the requests to make sure
>>>> all the requests to that domain are assigned that outgoing address. Then
>>>> make sure the OS sends traffic from that IP out the right interface.
>>>> Amos
>>>>
>>>>
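The review points made in this reply, turned into a small audit script. This is an added example, not code from the thread or from the Squid project: it parses a squid.conf excerpt (a constructed reproduction of the lines quoted above) and flags -1/-1 delay pools, a urlpath_regex ACL used with cache deny, and ACL names referenced without a definition in the excerpt.

```python
# Constructed excerpt reproducing the squid.conf lines quoted in this mail.
SAMPLE_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl dynamic urlpath_regex cgi-bin \\?
cache deny dynamic
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow all
acl high_throughput dstdomain .amazonaws.com .rapidshare.com
tcp_outgoing_address 116.90.140.xx high_throughput
http_access deny all
"""

# The replacement the reply recommends, to be placed just above the '.' pattern.
RECOMMENDED_REFRESH = "refresh_pattern -i (/cgi-bin/|\\?) 0 0% 0"

def parse(conf):
    """Yield (directive, args) for every line that is not blank or a comment."""
    for raw in conf.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            directive, *args = line.split()
            yield directive, args

def audit(conf):
    """Return a list of human-readable findings for the given squid.conf text."""
    acls, findings = {}, []          # acls: ACL name -> ACL type
    for directive, args in parse(conf):
        if directive == "acl" and len(args) >= 2:
            acls[args[0]] = args[1]
        elif directive == "cache" and args[:1] == ["deny"] and len(args) == 2:
            # 'cache deny' on a urlpath_regex ACL is the slow form of this check.
            if acls.get(args[1]) == "urlpath_regex":
                findings.append(f"cache deny {args[1]}: replace the regex ACL with "
                                f"'{RECOMMENDED_REFRESH}' above the '.' refresh_pattern")
        elif directive == "delay_parameters":
            # A pool whose every bucket is -1/-1 is unlimited, i.e. pure overhead.
            if args[1:] and all(bucket == "-1/-1" for bucket in args[1:]):
                findings.append(f"delay pool {args[0]}: all buckets -1/-1, remove it")
        elif directive in ("http_access", "tcp_outgoing_address", "delay_access"):
            # ACL names start after allow|deny (or after 'pool allow|deny').
            first_acl = 2 if directive == "delay_access" else 1
            for name in args[first_acl:]:
                if name.lstrip("!") not in acls:
                    findings.append(f"{directive}: ACL '{name}' is not defined here")
    return findings
```

Calling audit(SAMPLE_CONF) returns two findings, one for the no-op delay pool and one for the cache deny rule; the undefined-ACL check only sees what is in the excerpt, so it will flag names defined in snipped parts of the file.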
Received on Tue Sep 29 2009 - 00:46:51 MDT

This archive was generated by hypermail 2.2.0 : Tue Sep 29 2009 - 12:00:03 MDT