Re: [squid-users] How to use tcp_outgoing_address with cache_peer

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 26 Apr 2013 16:00:49 +1200

Problem #1: Please upgrade your Squid.

  Squid-2.6 has been 3 years since the last security update, nearly 5
years since your particular version was superseded.

On 24/04/2013 12:15 a.m., Alex Domoradov wrote:
> Hello all, I encountered the problem with configuration 2 squids. I
> have the following scheme -
> http://i.piccy.info/i7/0ecd5cb8276b78975a791c0e5f55ae60/4-57-1543/57409208/squids_schema.jpg

Problem #2: Please read the section on how RAID0 interacts with Squid
... http://wiki.squid-cache.org/SquidFaq/RAID

Also, since you are using SSD, see #1. The older Squid like 2.6 push
*everything* through disk which reduces your SSD lifetime a lot. Please
upgrade to a current release (3.2 or 3.3 today) which try to avoid disk
a lot more in general and offer cache types like rock for even better
I/O savings on small responses.

> The main idea is to download all files from rackspace and amazon
> through parent squid and store all files in his cache.

Sure. Nothing abnormal there.

> On the main_squid server was configured PBR (iptables + ip route). All
> packets go through the same channels through which the requests were
> received
>
> # ip ru sh
> 0: from all lookup local
> 1000: from all fwmark 0x3e8 lookup ISP1
> 2000: from all fwmark 0x7d0 lookup ISP2
> 3011: from all fwmark 0xbc3 lookup ISP3
> 32762: from xxx.xxx.xxx.62 lookup ISP1
> 32763: from yyy.yyy.yyy.239 lookup ISP2
> 32764: from zzz.zzz.zzz.10 lookup ISP3
> 32766: from all lookup main
> 32767: from all lookup default
>
> *** main_squid squid.conf ***
> http_port 192.168.210.1:3128 transparent
>
> cache_peer 192.168.220.2 sibling 3128 3130
> dead_peer_timeout 5 seconds
>
> acl AMAZON dstdom_regex -i (.*)s3\.amazonaws\.com
> cache_peer_access 192.168.220.2 allow AMAZON
>
> acl RACKSPACE dstdom_regex -i (.*)rackcdn\.com
> cache_peer_access 192.168.220.2 allow RACKSPACE

FYI: these dstdom_regex look like they can be far more efficiently
replaced by dstdomain ACLs and even combined into one ACL name.

>
> url_rewrite_program /usr/bin/squidguard
> url_rewrite_children 32
>
> cache_dir null /tmp
> cache_store_log none
> cache deny all
>
> acl local_net src 192.168.0.0/16
> http_access allow local_net
>
> *** parent_squid squid.conf ***
>
> http_port 192.168.220.2:3128
> acl main_squid src 192.168.220.1
>
> http_access allow main_squid
> http_access allow manager localhost
> http_access allow manager main_squid
>
> icp_access allow main_squid
>
> cache_mem 30 GB
> maximum_object_size_in_memory 128 MB
> cache_dir aufs /squid 400000 16 256
> minimum_object_size 16384 KB
> maximum_object_size 1024 MB
> cache_swap_low 93
> cache_swap_high 98

The numbers here look a little strange. Why the high minimum object size?

> acl PSD urlpath_regex -i \.psd$
> cache allow PSD
>
> acl ZIP urlpath_regex -i \.zip$
> cache allow ZIP
>
> acl OTHER url_regex -i ^http://*
> cache deny OTHER

At the very least that OTHER definition can be replaced by the much faster:
  acl OTHER proto HTTP

However, the feeder mechanism to this hierarchy is NAT interception.
Meaning *all* traffic is HTTP so you can instead use:
   cache deny all

> refresh_pattern \.psd$ 2592000 100 2592000 override-lastmod
> override-expire ignore-reload ignore-no-cache
> refresh_pattern \.zip$ 2592000 100 2592000 override-lastmod
> override-expire ignore-reload ignore-no-cache
>
> All work fine, until I uncomment on main_squid the following line
>
> tcp_outgoing_address yyy.yyy.yyy.239
>
> When I try to download any zip file from amazon I see the following
> message in cache.log
>
> 2013/04/22 01:00:41| TCP connection to 192.168.220.2/3128 failed
>
> If I run tcpdump on yyy.yyy.yyy.239 I see that main_squid trying to
> connect to parent via external interface without success.
>
> So my question. How may I configure main_squid that it could connect
> to the parent even with configured
> tcp_outgoing_address option?

#3 The failure is in TCP. Probably your firewall settings forbidding
yyy.yyy.yyy.239 from talking to 192.168.220.2.

>
> P.S.
> # squid -v
> Squid Cache: Version 2.6.STABLE21
> configure options: '--host=x86_64-unknown-linux-gnu'
> '--build=x86_64-unknown-linux-gnu' '--program-prefix=' '--prefix=/usr'
> '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin'
> '--sysconfdir=/etc' '--includedir=/usr/include' '--libdir=/usr/lib64'
> '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib'
> '--mandir=/usr/share/man' '--infodir=/usr/share/info'
> '--exec_prefix=/usr' '--bindir=/usr/sbin'
> '--libexecdir=/usr/lib64/squid' '--localstatedir=/var'
> '--datadir=/usr/share' '--sysconfdir=/etc/squid' '--enable-arp-acl'
> '--enable-epoll' '--enable-snmp' '--enable-removal-policies=heap,lru'
> '--enable-storeio=aufs,coss,diskd,null,ufs' '--enable-ssl'
> '--with-openssl=/usr/kerberos' '--enable-delay-pools'
> '--enable-linux-netfilter' '--with-pthreads'
> '--enable-ntlm-auth-helpers=SMB,fakeauth'
> '--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group'
> '--enable-auth=basic,digest,ntlm,negotiate'
> '--enable-negotiate-auth-helpers=squid_kerb_auth'
> '--enable-digest-auth-helpers=password'
> '--with-winbind-auth-challenge' '--enable-useragent-log'
> '--enable-referer-log' '--disable-dependency-tracking'
> '--enable-cachemgr-hostname=localhost' '--enable-underscores'
> '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL'
> '--enable-cache-digests' '--enable-ident-lookups'
> '--enable-follow-x-forwarded-for' '--enable-wccpv2'
> '--enable-fd-config' '--with-maxfd=16384'
> 'build_alias=x86_64-unknown-linux-gnu'
> 'host_alias=x86_64-unknown-linux-gnu' 'CFLAGS=-D_FORTIFY_SOURCE=2
> -fPIE -Os -g -pipe -fsigned-char' 'LDFLAGS=-pie'
Received on Fri Apr 26 2013 - 04:01:01 MDT
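One way to keep the external source address for direct traffic while letting peer-bound connections use the LAN link, as an added squid.conf fragment for main_squid that is not part of Amos's reply or the original post; it reuses the thread's placeholder addresses, folds the two dstdom_regex ACLs into the single dstdomain ACL Amos suggests, and assumes the parent is reached over the 192.168.220.0/24 link:

```conf
# Added example for main_squid (not from the thread). Addresses are the
# placeholders used in the thread; 192.168.220.1 is main_squid's LAN side.

# --- Weak: an unqualified tcp_outgoing_address binds EVERY outbound socket,
# including the one to the parent, to yyy.yyy.yyy.239. The kernel rule
# "32763: from yyy.yyy.yyy.239 lookup ISP2" then routes that socket out the
# ISP2 interface rather than the 192.168.220.0/24 link, so the connect fails.
#tcp_outgoing_address yyy.yyy.yyy.239

# --- One dstdomain ACL instead of two dstdom_regex ACLs. A leading dot
# matches the domain itself and every subdomain.
acl peer_domains dstdomain .s3.amazonaws.com .rackcdn.com

cache_peer 192.168.220.2 sibling 3128 3130
cache_peer_access 192.168.220.2 allow peer_domains
cache_peer_access 192.168.220.2 deny all

# --- Corrected: qualify the source address with an ACL so it only applies
# to requests that are NOT routed to the peer. Peer-bound connections get no
# explicit bind and use the kernel-chosen source on the LAN link.
tcp_outgoing_address yyy.yyy.yyy.239 !peer_domains

# Caveat: tcp_outgoing_address ACLs are checked without asynchronous lookups,
# so restrict them to fast ACL types such as dstdomain, src, dst or proto.
```

After a reload, the "TCP connection to 192.168.220.2/3128 failed" line should stop appearing in cache.log and tcpdump on the LAN interface should show the SYN to 192.168.220.2 sourced from 192.168.220.1; if it still fails, Amos's point #3 (a firewall rule between the two hosts) applies.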
