On 15/08/2014 11:22 p.m., Paul Regan wrote:
> Urg, thats like standing front of the class for everyone to stare!
>
If you are not able to take constructive criticisms, sysadmin is
probably not the best ine of work for you :-)
I see you seem to have found the problem. So consider these a free audit.
>
> here you go :
>
> cache_effective_user squid
>
> url_rewrite_program /usr/sbin/ufdbgclient -l /var/ufdbguard/logs
> url_rewrite_children 64
>
> acl localnet src <subnet>
> acl eu-edge-IP src <subnet>
> acl eu-buscon-edge-IP src <subnet>
> acl eu-inet-dmz src <subnet>
> acl na-subnet src <subnet>
> acl na-inet-dmz src <subnet>
> acl na-buscon-edge-IP src <subnet>
> acl st-buscon-vpc src <subnet>
> acl eu-mfmgt src <subnet>
>
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
>
> acl CONNECT method CONNECT
>
> hosts_file /etc/hosts
>
> dns_nameservers <server> <server> <server>
>
> http_access deny !Safe_ports
>
> http_access deny CONNECT !SSL_ports
>
> acl infrastructure src
>
> http_access allow localhost manager
> http_access allow infrastructure manager
> http_access deny manager
>
> acl mo-whitelist dstdomain "/etc/squid/mo-whitelist"
> http_access allow mo-whitelist
>
> acl mo-blockedsites dstdomain "/etc/squid/mo-blockedsites"
> deny_info http://<url>restricted_content_blockedsites.html mo-blockedsites
> http_access deny mo-blockedsites
>
> acl mo-blockedkeywords urlpath_regex "/etc/squid/mo-blockedkeywords"
> deny_info http://<url>restricted_content_keywords.html mo-blockedkeywords
> http_access deny mo-blockedkeywords
>
> acl mo-nocache dstdomain "/etc/squid/mo-nocache"
> no_cache deny mo-nocache
The correct name for that directive is "cache", has been since Squid-2.4.
As in, what you should have there is:
cache deny mo-nocache
>
> acl mo-blockedIP src "/etc/squid/mo-blockedIP"
> acl mo-allowURLs dstdomain src "/etc/squid/mo-allowURLs"
>
> http_access allow mo-blockedIP mo-allowURLs
> http_access deny mo-blockedIP
> deny_info http://<url>restricted_content_blockedip.html mo-blockedIP
>
> acl mo-allowNYIP src "/etc/squid/mo-allowNYIP"
> http_access allow mo-allowNYIP
>
> http_access allow na-subnet mo-allowURLs
> http_access deny na-subnet
> deny_info http://<url>restricted_content_subnet.html na-subnet
>
> http_access allow localnet
> http_access deny st-buscon-vpc
> http_access allow eu-edge-IP
> http_access allow eu-inet-dmz
> http_access allow eu-buscon-edge-IP
> http_access allow na-inet-dmz
> http_access allow na-buscon-edge-IP
> http_access allow eu-mfmgt
>
> acl ftp proto FTP
> always_direct allow ftp
>
> acl purge method PURGE
> http_access allow purge localhost
> http_access deny purge
Hmm.. What you have here is a pure forward-proxy configuration.
If you need to purge things from the cache of a forward-proxy then it is
caching badly/wrong.
I know that Squid does cache some things badly, but we have taken great
pains to ensure that those cases are conservative. The wrong cases
shoudl all take form of dropping things which should have been kept,
rather than storing things which should have been dropped.
Are you perhase finding that you need to manually erase content
permitted into cache by the refresh rules with "override-expire
ignore-no-store ignore-private". Ignoring private and no-store in
particular are very dangerous... think Captcha images, username in image
form for embeded session display, company private information, etc.
>
> http_access allow localhost
> http_access deny all
>
> http_port 8080
>
> cache_dir aufs /squid-cache 39322 16 256
> cache_replacement_policy heap LFUDA
>
> cache_swap_low 96
> cache_swap_high 98
>
> cache_mem 256 MB
>
> maximum_object_size 64 KB
It's a little unclear why you are limiting cached objects to 64KB while
refresh patterns also force archive and binary executable types to be
cached. You have 40.25 GB of cache space available.
> maximum_object_size_in_memory 20 KB
>
> quick_abort_min 0 KB
> quick_abort_max 0 KB
>
> memory_pools off
>
Have you tested performance with these on recently?
HTH
Amos
Received on Sun Aug 17 2014 - 06:04:06 MDT
This archive was generated by hypermail 2.2.0 : Mon Aug 18 2014 - 12:00:07 MDT