Re: [squid-users] Brief Flash of CACHE_ACCESS_DENIED on 302 (yahoo.com)

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 24 Nov 2009 02:39:11 +1300

Jenny Lee wrote:
>> Um, sounds like you might have a few legacy setting issues.
>> Mail me a copy of your config if you would like a free audit.
>
> Amos, thank you so much for your help and offer, my config is working as expected now. It is not necessary to waste more of your time. That 'all' made _ALL_ the difference!
>
> I put a reminder to myself, I will donate within the next few months. I have been using squid for close to 15 years now! Henrik and I grew old on squid :) (Bless him, he helped way too much back in the day). Even though I always wanted to contribute, I never got around to it. This was a good opportunity.
>
> I spent a week debugging 3.1 configs. I especially had serious problems with proxy_auth accesses, returning proper error pages, cache_peer selections and always_direct. Nothing worked the way it should have. 'all' instead of '0.0.0.0/0' fixed it all for me. I also realized that I had '0.0.0.0/0.0.0.0' with some acls, and '0.0.0.0/0' with some others.
>
>
>>> What exactly has changed from '0.0.0.0/0.0.0.0' or older '0.0.0.0/0',
>>> '0/0' to 'all'?
>>>
>>> Thank you!
>>>
>>> Jen
>>>
>>>
>>> PS: I have ipv6 stack removed from RedHat kernel and squid built with no
>>> ipv6.
>> Strangely the only difference between them is when squid is built with
>> IPv6 support.
>>
>> '0.0.0.0/0.0.0.0' becomes a weird 'odd' bitmask of ::ffff:0:0 in IPv6.
>> Which maps non-reversibly to a /0 CIDR (aka the bitmask of ::)
>>
>> '0.0.0.0/0' maps to ::/0, which is at least usable. But is noisy on
>> startup warnings because the /0 removes the four ::ffff* bits of the
>> 0.0.0.0 IP's v4-mapping bitmask.
>>
>> 'all' is hard-coded to match /0 (always true).
>>
>> '0/0' causes a DNS lookup to find the hostname '0' (zero).
>> That may result in a routable IP address if 0.example.com has rDNS.
>> Before the /0 arrives and saves the day by wiping the address bitmask away.
>> *** Unfortunately that only saves the day in IPv4. In IPv6 it wipes the
>> bitmask down to a /96 CIDR and leaves the first 96 bits of the old IP being
>> used to match (or mostly fail rather) and many of the default squid
>> settings suddenly become 'allow' in IPv6.
>>
>> Thanks for making me think about this. It's reminded me I have to add
>> extra checking and warnings for those values in 3.1.
>>
>> Amos
>
>
> Thank you for thorough explanation. I have squid compiled with:
>
> --enable-delay-pools \
> --enable-poll \

If possible I'd suggest going for epoll or kqueue instead. Much faster
socket handling.

> --enable-auth=basic \
> --enable-basic-auth-helpers=NCSA \
> --disable-carp \
> --disable-wccp \
> --disable-wccp2 \
> --disable-snmp \
> --disable-htcp \
> --disable-ident-lookups \
> --disable-unlinkd \
> --disable-translation \
> --disable-auto-locale \

*-auto-locale you may want to keep. It presents the error pages in
visitor-readable language texts. The /etc/squid/errorpages.css adds
display branding control.

*-translation only affects build-time and creates the pages to be
presented by *-auto-locale. The langpack bundles we provide are an
alternative pre-built set of the latest page translations to drop in on
an existing Squid without a rebuild or even a restart. But it requires
auto-locale to be really useful.

> --disable-loadable-modules \
> --disable-ipv6
>
>
> It mentioned 'no ipv6 support found' and complained about a leftover ::1 in /etc/hosts upon start. Definitely no ipv6 on this machine.
>
> I have 2 questions though. I currently have 'cache deny all' in my setup, using proxy-only. What is the proper way to do ONLY ON-MEMORY caching, say with 4GB memory? Is using no cache/store directory directives sufficient?
>

In Squid 3.1 to enable caching, but limited to memory:

   remove all cache_dir entries from the config.

That's it.

No more fiddling with the "null" disk stuff or hacks around hidden disk
defaults.

As you noticed the "cache ..." entries make Squid proxy-only. They need
to permit storage (ie defaults) for memory-only caching.

> I also remember a light squid project -- all caching code stripped from squid for proxy-only use. I couldn't find it on the net. Anyone know which project it is? Or if there would be any advantage to it where one does no caching?
>

Have not heard of that one. I'm interested though in anything related.
One of my long-term wishlist items is to build a configure option to
minimize the Squid footprint for low-spec builds.

3.1 with --disable-diskio might be usable to strip the disk caching code
out.

Noting the way your options are tending toward minimal features, you may
or may not want to note that ESI is also on by default now in 3.1.0.15.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
   Current Beta Squid 3.1.0.15
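An added example, not code from this thread or from the Squid project: a small POSIX sh audit that flags the legacy "match anything" ACL spellings Amos describes above (0.0.0.0/0.0.0.0, 0.0.0.0/0 and bare 0/0, whose IPv6-build behaviour ranges from noisy to silently permissive), and the directives that defeat the Squid 3.1 memory-only caching recipe (any cache_dir line, and a "cache deny" rule that makes Squid proxy-only). The sample squid.conf files are constructed for the example; the script assumes a single config file with no include lines and grep with -E support.

```shell
#!/bin/sh
# Added example (not from the thread or the Squid project): audit a squid.conf
# for legacy all-match ACL address forms and for directives that defeat a
# memory-only cache. Assumes POSIX sh, grep -E, and a single config file.

# acl <name> src|dst followed by one of the legacy "anything" spellings.
LEGACY_ANY_RE='^[[:space:]]*acl[[:space:]]+[^[:space:]]+[[:space:]]+(src|dst)[[:space:]]+(0\.0\.0\.0/0\.0\.0\.0|0\.0\.0\.0/0|0/0)([[:space:]]|$)'

# Print (line-numbered) every acl line that uses a legacy all-match form.
# In Squid 3.x the built-in 'all' ACL should be used in the rules instead.
legacy_any_acls() {
    grep -nE "$LEGACY_ANY_RE" "$1" || :
}

# Print cache_dir lines: for memory-only caching in 3.1 there must be none.
cache_dir_lines() {
    grep -nE '^[[:space:]]*cache_dir[[:space:]]' "$1" || :
}

# Print "cache deny ..." rules; these make Squid proxy-only rather than
# letting the memory cache store objects.
cache_deny_lines() {
    grep -nE '^[[:space:]]*cache[[:space:]]+deny[[:space:]]' "$1" || :
}

# Run all checks on $1; print each finding group and a final summary line,
# either "ok" or "findings: N".
audit_conf() {
    n=0
    for check in legacy_any_acls cache_dir_lines cache_deny_lines; do
        out="$("$check" "$1")"
        [ -n "$out" ] || continue
        printf '%s:\n%s\n' "$check" "$out"
        c=$(printf '%s\n' "$out" | wc -l | tr -d ' ')
        n=$((n + c))
    done
    if [ "$n" -eq 0 ]; then echo ok; else echo "findings: $n"; fi
}

# Constructed sample: a config with the mixed legacy spellings from the thread.
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample squid.conf, not a real deployment
acl all src 0.0.0.0/0.0.0.0
acl localnet src 10.0.0.0/8
acl any_dst dst 0/0
acl everyone src 0.0.0.0/0
acl manager proto cache_object
http_access allow localnet
http_access deny all
cache_dir ufs /var/spool/squid 1000 16 256
cache deny all
EOF

# Constructed sample: the cleaned-up form (built-in 'all', no cache_dir).
SAMPLE_CLEAN="$(mktemp)"
cat > "$SAMPLE_CLEAN" <<'EOF'
# constructed sample squid.conf, not a real deployment
acl localnet src 10.0.0.0/8
http_access allow localnet
http_access deny all
EOF
trap 'rm -f "$SAMPLE_CONF" "$SAMPLE_CLEAN"' EXIT

audit_conf "$SAMPLE_CONF"
audit_conf "$SAMPLE_CLEAN"
```

After editing the real file, run `squid -k parse` so Squid itself reports any remaining warnings about the ACL address forms before the change goes live; the script above is only a pre-check on the text and does not understand the parser's IPv6 mapping rules.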
Received on Mon Nov 23 2009 - 13:39:21 MST

This archive was generated by hypermail 2.2.0 : Tue Nov 24 2009 - 12:00:04 MST