Re: [squid-users] Re: ONLY Cache certain Websites.
Well, English is not my native language either, but that does not hurt much :)

1. Define an access list (text file with domains you wanna cache, one domain per line):

acl domains_cache dstdomain "/etc/squid/lists/domains_cache.txt"

2. Define a parameter that will allow cache for these domains, while denying all others:

cache allow domains_cache
cache deny all

That's all, wasn't that difficult :)

P.S. always_direct directive is for something a little different, it's used with parent proxies, so use just "cache".

On 06.08.2014 21:33, nuhll wrote:

Thanks for your answer. I'll try to get it working but I'm not sure how. I don't understand this "acl" system. I know there are a lot of tutorials out there, but not in my mother language so I'm not able to fully understand such expert things. Could you maybe show me at least one example of how to get it to work? Also maybe there are things I can remove?

Here's my actual list:

acl localnet src 192.168.0.0
acl all src all
acl localhost src 127.0.0.1
#access_log daemon:/var/log/squid/access.test.log squid
http_port 192.168.0.1:3128 transparent
cache_dir ufs /daten/squid 10 16 256
range_offset_limit 100 MB windowsupdate
maximum_object_size 6000 MB
quick_abort_min -1

# Add one of these lines for each of the websites you want to cache.
refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 432000 reload-into-ims
refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 432000 reload-into-ims
refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 432000 reload-into-ims

#kaspersky update
refresh_pattern -i geo.kaspersky.com/.*\.(cab|dif|pack|q6v|2fv|49j|tvi|ez5|1nj|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 432000 reload-into-ims

#nvidia updates
refresh_pattern -i download.nvidia.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 432000 reload-into-ims

#java updates
refresh_pattern -i sdlc-esd.sun.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 432000 reload-into-ims

# DONT MODIFY THESE LINES
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

#kaspersky update
acl kaspersky dstdomain geo.kaspersky.com

acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain www.download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com
acl windowsupdate dstdomain sls.microsoft.com
acl windowsupdate dstdomain productactivation.one.microsoft.com
acl windowsupdate dstdomain ntservicepack.microsoft.com

acl CONNECT method CONNECT
acl wuCONNECT dstdomain www.update.microsoft.com
acl wuCONNECT dstdomain sls.microsoft.com

http_access allow kaspersky localnet
http_access allow CONNECT wuCONNECT localnet
http_access allow windowsupdate localnet

#test
http_access allow localnet
http_access allow all
http_access allow localhost

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/ONLY-Cache-certain-Websites-tp4667121p4667157.html
Sent from the Squid - Users mailing list archive at Nabble.com.
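
An added example, not part of the thread or of Squid itself: a small Python model of how the two-step recipe in the reply above decides what gets cached, covering dstdomain matching (a leading dot includes subdomains) and first-match evaluation of the "cache" lines. The sample domain list, the function names and the test hosts are constructed for illustration.

```python
# Added illustration: models Squid's dstdomain matching and the first-match
# evaluation of "cache allow|deny" rules. All names and data are constructed.

# Constructed sample contents for /etc/squid/lists/domains_cache.txt
SAMPLE_LIST = """\
# one domain per line
.windowsupdate.com
download.nvidia.com
geo.kaspersky.com
"""

def load_domains(text):
    """Parse a list file: one domain per line, blank lines and # comments skipped."""
    lines = (ln.strip() for ln in text.splitlines())
    return [ln.lower() for ln in lines if ln and not ln.startswith("#")]

def dstdomain_match(host, entry):
    """'.example.com' matches the domain and every subdomain;
    'example.com' (no leading dot) matches that exact host name only."""
    host = host.lower().rstrip(".")
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry

def cache_decision(host, rules, acls):
    """Evaluate rules top to bottom; the first ACL that matches decides."""
    for action, acl in rules:
        if acl == "all" or any(dstdomain_match(host, e) for e in acls[acl]):
            return action
    # Nothing matched: Squid falls back to the opposite of the last rule
    # (or to "allow" when there are no cache rules at all).
    if not rules:
        return "allow"
    return "deny" if rules[-1][0] == "allow" else "allow"

ACLS = {"domains_cache": load_domains(SAMPLE_LIST)}
# cache allow domains_cache / cache deny all, in the order given in the reply
RULES = [("allow", "domains_cache"), ("deny", "all")]
# Same two lines swapped: "deny all" matches first and nothing is cached
SWAPPED = [("deny", "all"), ("allow", "domains_cache")]

if __name__ == "__main__":
    for h in ("download.windowsupdate.com", "download.nvidia.com",
              "us.download.nvidia.com", "www.example.org"):
        print(f"{h:30} {cache_decision(h, RULES, ACLS):5} "
              f"(swapped: {cache_decision(h, SWAPPED, ACLS)})")
```

Running it shows that a list entry without a leading dot does not cover subdomains, and that swapping the two "cache" lines disables caching for every host.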
Re: [squid-users] Re: ONLY Cache certain Websites.
Piece of cake:

always_direct deny acl_not_direct
always_direct allow all

On 05.08.2014 23:19, nuhll wrote:

Thanks, but it's not possible to make a list of all possible websites which I could visit but I don't want to cache xD. Is there no way to direct ALL websites direct EXCEPT only some websites?
Re: [squid-users] Re: ONLY Cache certain Websites.
You should create an access list with sites that you don't want to cache like:

always_direct allow acl_direct_sites

always_direct allow all will make ALL requests go directly, bypassing cache. Also see cache_deny directive.

On 04.08.2014 22:25, nuhll wrote:

always_direct allow all and then my other code, or I need to add it before?
Re: [squid-users] Re: ONLY Cache certain Websites.
always_direct directive

On 04.08.2014 22:15, nuhll wrote:

Hello, you are right. I don't mean redirect like 301. I mean, squid should not touch the website or connection and just send it direct to the website, except some websites which I want to cache. How to achieve this?
Re: [squid-users] Squid 3.4 very high cpu usage
delay_pools are not used at all (delay_access 1 deny all), I'll try to remove them completely, but as 3.3 works fine I doubt that'll help.

On 15.07.2014 19:01, FredB wrote:

Try without delay_pool or at least without CONNECT method and delay_pool

Fred
[squid-users] Squid 3.4 very high cpu usage
I've seen a February thread about this problem, but it seems that it never reached a consensus. I've just tried to migrate from 3.3.12 to 3.4.6, but almost instantly got timeout problems and 100% cpu usage by squid process. I'm using kerberos auth and external_ldap_group helpers, ssl bump, config will be attached below. Any caching (memory or on-disk) is disabled during compile-time:

./configure \
--prefix=/opt/squid \
--sysconfdir=/etc/squid \
--disable-loadable-modules \
--disable-wccp \
--disable-wccpv2 \
--disable-eui \
--disable-htcp \
--disable-select \
--disable-poll \
--with-pthreads \
--disable-storeio \
--disable-disk-io \
--disable-removal-policies \
--enable-delay-pools \
--disable-useragent-log \
--disable-referer-log \
--enable-ssl \
--enable-ssl-crtd \
--disable-cache-digests \
--enable-icap-client \
--disable-snmp \
--disable-ident-lookups \
--enable-auth \
--enable-auth-basic="LDAP,PAM" \
--enable-auth-ntlm="smb_lm" \
--enable-auth-negotiate="kerberos" \
--enable-auth-digest="LDAP,file" \
--enable-external-acl-helpers="LDAP_group" \
--enable-zph-qos \
--with-openssl \
--disable-ipv6

Any ideas? Thanks in advance

debug_options ALL,1 rotate=1
logfile_rotate 0
cache_mgr ad...@domain.ru
visible_hostname squid.domain.ru
http_port 10.1.16.19:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=64MB cert=/etc/squid/ssl/ca-squid.domain.ru.pem options=NO_SSLv2,NO_SSLv3 dhparams=/etc/squid/ssl/dh2048.pem cipher=ECDH+AESGCM:DH+AESGCM:ECDH+AES:DH+AES:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
cache_effective_user squid
cache_effective_group squid

# ICAP ACL
acl icap_whitelisted dstdomain "/etc/squid/lists/icap_domains_whitelisted.txt"

# ICAP scanning
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_connect_timeout 1 second
icap_preview_enable on
icap_preview_size 1024
icap_206_enable on
icap_persistent_connections on
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_req deny icap_whitelisted
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_resp deny icap_whitelisted
adaptation_access service_resp allow all

forwarded_for delete
httpd_suppress_version_string on

### Error messages ###
error_directory /etc/squid/errors/ru

### Cache options ###
cache_mem 1024 MB
cache deny all

auth_param basic program /opt/squid/libexec/basic_pam_auth -n squid -t 300 -o
auth_param basic children 30 startup=5 idle=5
auth_param basic credentialsttl 10800 seconds
auth_param basic realm squid.domain.ru
#auth_param negotiate program /opt/squid/libexec/negotiate_kerberos_auth -r -s HTTP/squid.domain...@domain.ru
auth_param negotiate program /opt/squid/libexec/negotiate_kerberos_auth -r -s GSS_C_NO_NAME
auth_param negotiate children 100 startup=10 idle=10
auth_param negotiate keep_alive on
authenticate_cache_garbage_interval 1 hour
authenticate_ttl 1 hour

external_acl_type squid_ldap ttl=30 negative_ttl=30 children-max=100 children-startup=10 children-idle=5 %LOGIN /opt/squid/libexec/ext_ldap_group_acl -b "OU=Users,DC=domain,DC=ru" -s sub -D CN=service_ldap_ro,CN=Users,DC=domain,DC=ru -W /etc/squid/ldap.password -R -H ldap://192.168.192.18 -v 3 -S -K -f "(&(sAMAccountName=%u)(memberOf=%g))"

acl proxy_full_access external squid_ldap CN=proxy_full_access,OU=Proxy,OU=Groups,DC=domain,DC=ru
acl proxy_email_access external squid_ldap CN=proxy_email_access,OU=Proxy,OU=Groups,DC=domain,DC=ru
acl proxy_hr_access external squid_ldap CN=proxy_hr_access,OU=Proxy,OU=Groups,DC=domain,DC=ru
acl proxy_no_access external squid_ldap CN=proxy_no_access,OU=Proxy,OU=Groups,DC=domain,DC=ru
acl proxy_no_access_expired external squid_ldap CN=Expired_Passwords,OU=Groups,DC=domain,DC=ru

### Delay Pools ###
delay_pools 1
delay_class 1 4
delay_access 1 deny all
delay_parameters 1 -1/-1 -1/-1 -1/-1 8000/16000

### File lists ###
include "/etc/squid/lists.conf"

### File ACLs ###
## Lists ##
acl lists_block_dom dstdomain "/etc/squid/lists/domains_blocked.txt"
acl lists_fun_dom dstdomain "/etc/squid/lists/domains_fun.txt"
acl lists_job_dom dstdomain "/etc/squid/lists/domains_job.txt"

## Custom Lists ##
acl domains_whitelisted dstdomain "/etc/squid/lists/domains_whitelisted.txt"
acl domains_ssl_direct dstdomain "/etc/squid/lists/domains_ssl_direct.txt"
acl domains_mail dstdomain "/etc/squid/lists/domains_mail.txt"
acl domains_no_auth dstdomain "/etc/squid/lists/domains_no_auth.txt"
acl ip_ssl_direct dst "/etc/squid/lists/ip_ssl_direct.txt"

# SSL exceptions
acl domains_ssl_error