Janne Pikkarainen (Veteran), Joined: 29 Jul 2003, Posts: 1143, Location: Helsinki, Finland
Posted: Wed Jul 19, 2006 11:21 am, Post subject: Squid 2.6 http accelerator MINI HOW-TO
I've been using Squid 2.x for years as a front-end proxy to accelerate a couple of backend servers. This new shiny Squid 2.6 deprecates a couple of previous configuration parameters and brings in new ones. As of today no real documentation exists and I had to struggle with Squid a bit to make it work. That's when I decided to write this HOW-TO to help any poor soul who might encounter the same problems as I did.
My previous /etc/squid/squid.conf
Previously I had an external redirector program (a small Perl script) which rewrote the URL to point to one of my backend servers. My script didn't need to look at the Host header, but instead it had to react to the actual URL part, such as http://myhost.com/url_to_react/. The corresponding lines in squid.conf included
Code:
httpd_accel_host virtual
httpd_accel_port 80
redirect_program /usr/local/bin/squid_redirect
redirect_rewrites_host_header off
The problem is that all those parameters are unrecognized in Squid 2.6 and one has to replace them with new ones. But how?
My new /etc/squid/squid.conf
Code:
http_port 80 transparent defaultsite=virtual
always_direct allow all
That's all! Now my Squid happily uses the same redirector script it has always used and everything works just like with previous Squid generations.
A couple of points to mention:
- In case your redirection is based on the Host header, you may try to add the parameter vhost and/or vport to the http_port line.
- Even though the http_port line itself should (at least as I understand it) be enough to make everything work, this isn't the case with Squid 2.6.1-r1. This is a known issue, and with 2.6.1-r1 or earlier a workaround is to add that other line, always_direct allow all. Should you see problems like 400/TCP_DENIED, try adding that line and see if it helps.
- The redirect_* parameters have been renamed to url_rewrite_*. For example, redirect_program is now url_rewrite_program. The old name still works, but since it's deprecated, it may be wise to rename it now.
- If you don't need any complex decision logic and everything always works like "www1.mydomain.com goes to www1.mybackendserver.com", then you should get along nicely with http_port and its vhost/vport parameters, but you also might need cache_peer parameters, at least according to the release notes -- I haven't tried this yet.

Yes, I'm the man. Now it's your turn to decide if I meant "Yes, I'm the male." or "Yes, I am the Unix Manual Page.".
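The poster's Perl redirector is not shown in the thread. As an added example (not the poster's script or anything shipped with Squid), here is a hypothetical url_rewrite_program in Python that does the same path-based rewriting the post describes: it speaks the Squid 2.6 helper protocol (one request line in, one reply line out, blank line meaning "unchanged"), and it only rewrites requests whose front-end host and path prefix are on a list, so the accelerator cannot be steered at arbitrary internal hosts. The front-end hostnames and backend origins are constructed placeholders.

```python
#!/usr/bin/env python3
"""Hypothetical url_rewrite_program for Squid 2.6 (added example, not the
original poster's Perl script).

Squid writes one request per line to stdin:
    URL client_ip/fqdn ident method
and expects one reply line per request: the rewritten URL, or an empty
line meaning "leave the URL unchanged".  Replies must come back in order
and stdout must be flushed after every line, or Squid stalls."""
import sys
from urllib.parse import urlsplit, urlunsplit

# Constructed mapping: public path prefix -> backend origin.  Only these
# prefixes are ever rewritten; everything else is passed through untouched.
ROUTES = {
    "/url_to_react/": "http://backend1.example.internal:8080",
    "/images/": "http://backend2.example.internal:8080",
}
# Constructed list of front-end hostnames this accelerator serves.
FRONT_HOSTS = {"myhost.com", "www.myhost.com"}


def rewrite(url: str) -> str:
    """Return the backend URL for url, or '' if it must not be changed."""
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.hostname not in FRONT_HOSTS:
        return ""  # not one of our sites: do not touch it
    for prefix, backend in ROUTES.items():
        if parts.path.startswith(prefix):
            b = urlsplit(backend)
            # keep the client's path and query, swap in the backend origin
            return urlunsplit((b.scheme, b.netloc, parts.path, parts.query, ""))
    return ""


def handle_line(line: str) -> str:
    """Parse one Squid helper request line and build the reply line."""
    fields = line.split()
    if not fields:  # malformed or empty input: change nothing
        return ""
    return rewrite(fields[0])


def main() -> None:
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()  # Squid blocks until it sees the reply line


if __name__ == "__main__":
    main()
```

Install it with `url_rewrite_program /path/to/this_script.py` in squid.conf (assumed path) and make sure the file is executable.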
maiku (Guru), Joined: 24 Mar 2004, Posts: 550, Location: Long Island, NY
Posted: Fri Nov 10, 2006 4:51 pm
Please be aware that in later versions of squid you will not be able to have squid defined as a web accelerator and a transparent proxy at the same time. If you have iptables redirecting packets on port 80 to squid port 3128 then your best bet would be to reconfigure squid to:
Quote:
http_port 3128 vhost vport=80 defaultsite=virtual
All packets are transparently being re-routed anyway through iptables and, like I said, you will only get errors when putting the option "transparent" in that line.

Michael A. Leonetti
As warm as green tea
mrness (Retired Dev), Joined: 17 Feb 2004, Posts: 375, Location: bucharest.ro
Posted: Sat Nov 11, 2006 9:35 am
maiku wrote:
> All packets are transparently being re-routed anyway through iptables and, like I said, you will only get errors when putting the option "transparent" in that line.
In my experience,
Code:
http_port 3128 transparent
works like a charm, as a transparent proxy as well as a normal proxy.
maiku (Guru), Joined: 24 Mar 2004, Posts: 550, Location: Long Island, NY
Posted: Sat Nov 11, 2006 6:53 pm
If you don't mind my asking, what is your setup then?

Michael A. Leonetti
As warm as green tea
mrness (Retired Dev), Joined: 17 Feb 2004, Posts: 375, Location: bucharest.ro
Posted: Sat Nov 11, 2006 7:48 pm
What difference does it make what I have in the rest of squid.conf? There you go:
Code:
http_port internalip:8080 transparent
icp_port 0
htcp_port 0
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mem 16 MB
maximum_object_size 64 MB
maximum_object_size_in_memory 128 KB
cache_dir aufs /var/cache/squid 2048 64 72
access_log /var/log/squid/access.log squid
log_ip_on_direct off
log_fqdn on
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
quick_abort_min 10 KB
quick_abort_max 50 KB
quick_abort_pct 97
negative_ttl 1 minutes
negative_dns_ttl 1 minutes
connect_timeout 1 minutes
read_timeout 2 minutes
request_timeout 30 seconds
half_closed_clients off
acl all src 0.0.0.0/0.0.0.0
acl localnet src 192.168.1.0/255.255.255.0
acl localdomain srcdomain .mydomain
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 4443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 4443 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access allow manager localnet
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localhost
http_access deny !localdomain
http_access allow localnet
http_access deny all
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
cache_mgr postmaster@mydomain
logfile_rotate 0
memory_pools off
forwarded_for off
cachemgr_passwd mypass shutdown config
cachemgr_passwd none all
always_direct allow all
coredump_dir /var/cache/squid
The point is that I use just the "transparent" option on http_port and use DNAT to redirect outgoing traffic on TCP port 80 to squid (in my case port 8080).
maiku (Guru), Joined: 24 Mar 2004, Posts: 550, Location: Long Island, NY
Posted: Sat Nov 11, 2006 7:56 pm
The bottom line is what I was curious about. I'm not sure of the difference between a transparent proxy and an HTTP accelerator.

Michael A. Leonetti
As warm as green tea