Problem #1: Please upgrade your Squid.

It has been 3 years since Squid-2.6 last received a security update, and nearly 5 years since your particular version was superseded.


On 24/04/2013 12:15 a.m., Alex Domoradov wrote:
Hello all, I encountered the problem with configuration 2 squids. I
have the following scheme -
http://i.piccy.info/i7/0ecd5cb8276b78975a791c0e5f55ae60/4-57-1543/57409208/squids_schema.jpg

Problem #2: Please read the section on how RAID0 interacts with Squid ... http://wiki.squid-cache.org/SquidFaq/RAID

Also, since you are using SSD, see #1. Older Squid releases like 2.6 push *everything* through disk, which reduces your SSD lifetime a lot. Please upgrade to a current release (3.2 or 3.3 today), which try to avoid disk a lot more in general and offer cache types like rock for even better I/O savings on small responses.

The main idea is to download all files from rackspace and amazon
through the parent squid and store all files in its cache.

Sure. Nothing abnormal there.

On the main_squid server, PBR (iptables + ip route) is configured. All
packets go out through the same channels through which the requests were
received.

# ip ru sh
0:      from all lookup local
1000:   from all fwmark 0x3e8 lookup ISP1
2000:   from all fwmark 0x7d0 lookup ISP2
3011:   from all fwmark 0xbc3 lookup ISP3
32762:  from xxx.xxx.xxx.62 lookup ISP1
32763:  from yyy.yyy.yyy.239 lookup ISP2
32764:  from zzz.zzz.zzz.10 lookup ISP3
32766:  from all lookup main
32767:  from all lookup default

*** main_squid squid.conf ***
http_port 192.168.210.1:3128 transparent

cache_peer 192.168.220.2 sibling 3128 3130
dead_peer_timeout 5 seconds

acl AMAZON dstdom_regex -i (.*)s3\.amazonaws\.com
cache_peer_access 192.168.220.2 allow AMAZON

acl RACKSPACE dstdom_regex -i (.*)rackcdn\.com
cache_peer_access 192.168.220.2 allow RACKSPACE

FYI: these dstdom_regex ACLs look like they can be far more efficiently replaced by dstdomain ACLs, and even combined into one ACL name.


url_rewrite_program /usr/bin/squidguard
url_rewrite_children 32

cache_dir null /tmp
cache_store_log none
cache deny all

acl local_net src 192.168.0.0/16
http_access allow local_net

*** parent_squid squid.conf ***

http_port 192.168.220.2:3128
acl main_squid src 192.168.220.1

http_access allow main_squid
http_access allow manager localhost
http_access allow manager main_squid

icp_access allow main_squid

cache_mem 30 GB
maximum_object_size_in_memory 128 MB
cache_dir aufs /squid 400000 16 256
minimum_object_size 16384 KB
maximum_object_size 1024 MB
cache_swap_low 93
cache_swap_high 98

The numbers here look a little strange. Why the high minimum object size?

acl PSD urlpath_regex -i \.psd$
cache allow PSD

acl ZIP urlpath_regex -i \.zip$
cache allow ZIP

acl OTHER url_regex -i ^http://
cache deny OTHER

At the very least that OTHER definition can be replaced by the much faster:
 acl OTHER proto HTTP

However, the feeder mechanism to this hierarchy is NAT interception, meaning *all* traffic is HTTP, so you can instead use:
  cache deny all


refresh_pattern \.psd$ 2592000 100 2592000 override-lastmod override-expire ignore-reload ignore-no-cache
refresh_pattern \.zip$ 2592000 100 2592000 override-lastmod override-expire ignore-reload ignore-no-cache

All work fine, until I uncomment on main_squid the following line

tcp_outgoing_address yyy.yyy.yyy.239

When I try to download any zip file from amazon I see the following
message in cache.log

2013/04/22 01:00:41| TCP connection to 192.168.220.2/3128 failed

If I run tcpdump on yyy.yyy.yyy.239 I see that main_squid is trying to
connect to the parent via the external interface, without success.

So my question: how may I configure main_squid so that it can connect
to the parent even with the tcp_outgoing_address option configured?

#3: The failure is in TCP. Probably your firewall settings are forbidding yyy.yyy.yyy.239 from talking to 192.168.220.2.



P.S.
# squid -v
Squid Cache: Version 2.6.STABLE21
configure options:  '--host=x86_64-unknown-linux-gnu'
'--build=x86_64-unknown-linux-gnu' '--program-prefix=' '--prefix=/usr'
'--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin'
'--sysconfdir=/etc' '--includedir=/usr/include' '--libdir=/usr/lib64'
'--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib'
'--mandir=/usr/share/man' '--infodir=/usr/share/info'
'--exec_prefix=/usr' '--bindir=/usr/sbin'
'--libexecdir=/usr/lib64/squid' '--localstatedir=/var'
'--datadir=/usr/share' '--sysconfdir=/etc/squid' '--enable-arp-acl'
'--enable-epoll' '--enable-snmp' '--enable-removal-policies=heap,lru'
'--enable-storeio=aufs,coss,diskd,null,ufs' '--enable-ssl'
'--with-openssl=/usr/kerberos' '--enable-delay-pools'
'--enable-linux-netfilter' '--with-pthreads'
'--enable-ntlm-auth-helpers=SMB,fakeauth'
'--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group'
'--enable-auth=basic,digest,ntlm,negotiate'
'--enable-negotiate-auth-helpers=squid_kerb_auth'
'--enable-digest-auth-helpers=password'
'--with-winbind-auth-challenge' '--enable-useragent-log'
'--enable-referer-log' '--disable-dependency-tracking'
'--enable-cachemgr-hostname=localhost' '--enable-underscores'
'--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL'
'--enable-cache-digests' '--enable-ident-lookups'
'--enable-follow-x-forwarded-for' '--enable-wccpv2'
'--enable-fd-config' '--with-maxfd=16384'
'build_alias=x86_64-unknown-linux-gnu'
'host_alias=x86_64-unknown-linux-gnu' 'CFLAGS=-D_FORTIFY_SOURCE=2
-fPIE -Os -g -pipe -fsigned-char' 'LDFLAGS=-pie'
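
Added example, not part of this thread: the tcp_outgoing_address behaviour behind the symptom, and a way to scope it. Without an ACL, `tcp_outgoing_address yyy.yyy.yyy.239` binds *every* outgoing connection, including the one to the sibling at 192.168.220.2, to the public address; rule 32763 above then sends that connection to table ISP2, and parent_squid's `acl main_squid src 192.168.220.1` would reject it even if it arrived. On main_squid, `ip route get 192.168.220.2 from yyy.yyy.yyy.239` shows which table and interface the kernel picks for a packet with that source. tcp_outgoing_address accepts ACL names, and the first matching line wins, so the peer-bound requests can be given the LAN address instead. The fragment assumes main_squid's LAN address is 192.168.220.1 (the address parent_squid's ACL allows), replaces the dstdom_regex ACLs with dstdomain ones, and, for the 3.x variant, assumes a `name=parent_squid` on the cache_peer line and that the peername ACL is evaluated for the peer connection when tcp_outgoing_address is checked; verify that against the release in use.

```conf
# --- Weak setting (as posted): binds EVERY outgoing connection, including
# the one to the sibling at 192.168.220.2, to the ISP2 address.
#tcp_outgoing_address yyy.yyy.yyy.239

# --- Squid 2.6 variant: tcp_outgoing_address takes ACLs, first match wins.
# The requests cache_peer_access sends to 192.168.220.2 are exactly the
# amazon/rackspace ones, so bind those to the LAN address and leave the rest
# on the ISP2 address.
acl PEER_BOUND dstdomain .s3.amazonaws.com .rackcdn.com
cache_peer_access 192.168.220.2 allow PEER_BOUND
# 192.168.220.1 is the assumed LAN address of main_squid
tcp_outgoing_address 192.168.220.1 PEER_BOUND
# everything else keeps the ISP2 address, as before
tcp_outgoing_address yyy.yyy.yyy.239
# Caveat: the ACL cannot tell whether a request actually goes to the peer.
# With a sibling, ICP misses for these domains (and any fetch while the peer
# is dead) go direct from 192.168.220.1, so that source must itself be
# routable or NATed towards the Internet.

# --- Squid 3.2/3.3 variant (the releases recommended above): match on the
# peer itself, so only the connection to the peer gets the LAN address and
# direct fetches keep the ISP2 address.  name= and the peername ACL are
# assumed here, not taken from the posted config.
#cache_peer 192.168.220.2 sibling 3128 3130 name=parent_squid
#acl TO_PEER peername parent_squid
#tcp_outgoing_address 192.168.220.1 TO_PEER
#tcp_outgoing_address yyy.yyy.yyy.239
```

Whichever variant is used, confirm the result with tcpdump on the LAN interface: the SYN to 192.168.220.2:3128 should now carry 192.168.220.1 as its source, and the "TCP connection to 192.168.220.2/3128 failed" lines should stop.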
