RE: [squid-users] Reverse Proxy Cluster Issues

From: <senad.cimic_at_thomsonreuters.com>
Date: Tue, 20 Apr 2010 16:22:15 -0500



-----Original Message-----
From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
Sent: Thursday, April 15, 2010 8:55 PM
To: squid-users_at_squid-cache.org
Subject: Re: [squid-users] Reverse Proxy Cluster Issues

senad.cimic_at_thomsonreuters.com wrote:
> Thanks Amos, removing hierarchy_stoplist solved my query-string issue.
>
> However, I'm not sure what you meant by removing cache/no_cache controls. I can't see any such operators in my squif.config file. Can you please elaborate more?
>

Good. It's just a little bit of trash left over from very old configs
which might have also been causing you issues.

Amos

> Thanks again.
>
> -----Original Message-----
> From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
> Sent: Wednesday, April 14, 2010 6:17 PM
> To: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] Reverse Proxy Cluster Issues
>
> On Wed, 14 Apr 2010 08:13:01 -0500, <senad.cimic_at_thomsonreuters.com>
> wrote:
>> Hi,
>>
>> I am first time squid user and was wondering if could get some help. I
>> tried to find answers to these questions on-line, but unsuccessfully...
>>
>> I have 2 squid boxes setup as reverse proxies in a cluster (they're
>> using each other as siblings). On the backend I'm using single tomcat
>> server that both squid boxes use to retrieve content. Squid version I'm
>> using is 3.0. I'm running into couple issues:
>>
>> Issue #1:
>> Whenever squid box receives request for url that contains querystring
>> (e.g. - http://site1:8080/RSSSource/rss/feed?max=1) it does not contact
>> sibling cache for that resource, but it retrieves it from the backend
>> server right away. What's odd is that it works (sometimes...) when query
>> string is not present (e.g. http://site1:8080/RSSSource/rss/feed).
>>
>> Issue #2:
>> Let's say squidA receives request for some resource (e.g.
>> http://site1:8080/RSSSource/rss/feed). If squidA doesn't have it in its
>> cache, it will check if it's available from squidB. However, if squidA
>> has expired version of that resource, it doesn't contact squidB but
>> retrieves it directly from the backend server, which should not be the
>> case (it should check if squidB had valid copy available), correct?
>>
>> Here are relevant squid.conf lines for one of the squids (everything
>> else is unchanged, config for the second squid is the same except for
>> sibling references):
>
> Nope.
>
> The relevant lines are hierarchy_stoplist (prevent peers being asked for
> query-string URLs).
> and cache/no_cache controls (prevent "QUERY" ACL matches being stored
> locally.)
>
> Both of which need to be removed from your config.
>
> Amos
>


--
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.1

I switched to squid 3.1.1 and the issue still remains: instead of contacting sibling for the expired resources, squid goes to the origin server right away. I have cluster of only 2 squids, here is the whole squid.config file for one of them (squid.config for the other one is the same except for sibling references). Is there anything I missed in the config that could be causing this issue?

#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localhost src ::1/128
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl to_localhost dst ::1/128

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# Squid normally listens to port 3128
http_port 80 accel vhost

# We recommend you to use at least the following line.
#hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /usr/local/squid/var/cache 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /usr/local/squid/var/cache

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

cache_mem 1 MB

#New props added for reverse proxy:
cache_mgr senad.cimic_at_thomson.com

icp_port 3130

#ACL's for cache peers in network
acl RSS_sites_server dstdomain RSS_site
#siblings:
acl siblings src sibling.url.com

#hostnames
cache_peer some.backend.server.com parent 8080 0 no-query no-digest originserver name=RSS_server
#siblings:
cache_peer sibling.url.com sibling 80 3130 name=sibling no-digest allow-miss weight=5

cache_peer_access RSS_server allow RSS_sites_server
#siblings:
cache_peer_access sibling allow RSS_sites_server

http_access allow RSS_sites_server
#siblings:
http_access allow siblings
# And finally deny all other access to this proxy
http_access deny all

icp_access allow localnet
icp_access allow siblings
icp_access deny all

miss_access deny siblings

Received on Tue Apr 20 2010 - 21:22:24 MDT

This archive was generated by hypermail 2.2.0 : Wed Apr 28 2010 - 12:00:31 MDT