Gentoo Forums
Squid 2.6 http accelerator MINI HOW-TO
Janne Pikkarainen
Veteran

Joined: 29 Jul 2003
Posts: 1143
Location: Helsinki, Finland

Posted: Wed Jul 19, 2006 11:21 am    Post subject: Squid 2.6 http accelerator MINI HOW-TO

I've been using Squid 2.x for years as a front-end proxy to accelerate a couple of backend servers. This new shiny Squid 2.6 deprecates a couple of previous configuration parameters and brings in new ones. As of today no real documentation exists and I had to struggle with Squid a bit to make it work. That's when I decided to write this HOW-TO to help any poor soul who might encounter the same problems as I did.

My previous /etc/squid/squid.conf

Previously I had an external redirector program (a small Perl script) which rewrote the URL to point to one of my backend servers. My script didn't need to take a look at the Host header, but instead it had to react to the actual URL part, such as http://myhost.com/url_to_react/. The corresponding lines in squid.conf included

Code:
httpd_accel_host virtual
httpd_accel_port 80
redirect_program /usr/local/bin/squid_redirect
redirect_rewrites_host_header off


The problem is that all those parameters are unrecognized in Squid 2.6 and one has to replace them with new ones. But how?

My new /etc/squid/squid.conf

Code:

http_port 80 transparent defaultsite=virtual
always_direct allow all


That's all! Now my Squid happily uses the same redirector script it has always used and everything works like with previous Squid generations.

A couple of points to mention:

- In case your redirection is based on the Host header, you may try adding the vhost and/or vport parameter to the http_port line.

- Even though the http_port line itself should (at least as I understand it) be enough to make everything work, this isn't the case with Squid 2.6.1-r1. This is a known issue and with 2.6.1-r1 or earlier a workaround is to add that other line, always_direct allow all. Should you see problems like 400/TCP_DENIED, try adding that line and see if it helps.

- The redirect_* parameters have been renamed to url_rewrite_*. For example, redirect_program is now url_rewrite_program. The old name still works, but since it's deprecated, it may be wise to rename it now.

- If you don't need any complex decision logic and everything works always like "www1.mydomain.com goes to www1.mybackendserver.com", then you should get along nicely with http_port and its vhost/vport parameters, but you also might need cache_peer parameters, at least according to the release notes -- I haven't tried this yet.
_________________
Yes, I'm the man. Now it's your turn to decide if I meant "Yes, I'm the male." or "Yes, I am the Unix Manual Page.".
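
As an added illustration (not the poster's Perl script, which the thread does not show): a minimal path-based helper that could be named in url_rewrite_program. It assumes Squid's classic one-request-per-line helper input (URL first, then client address, ident and method) without url_rewrite_concurrency channel IDs; the backend hostnames and the /static/ prefix are hypothetical.

```python
#!/usr/bin/env python3
"""Path-based URL rewriter for Squid's url_rewrite_program (added example)."""
import sys
from urllib.parse import urlsplit, urlunsplit, unquote

# Hypothetical prefix -> backend map. Only these fixed targets can ever be
# returned, so a client-supplied URL cannot steer Squid to an arbitrary host.
BACKENDS = {
    "/url_to_react/": "backend1.internal.example:8080",
    "/static/": "backend2.internal.example:8080",
}


def rewrite(line):
    """Return the rewritten URL for one request line, or "" for 'no change'."""
    fields = line.split()
    if not fields:
        return ""
    try:
        parts = urlsplit(fields[0])
    except ValueError:
        return ""                      # unparsable URL: leave it to Squid
    if parts.scheme != "http":
        return ""                      # e.g. CONNECT host:port requests
    path = parts.path or "/"
    # Refuse dot-dot segments (also percent-encoded ones) so that a request
    # cannot match a prefix and then climb out of it on the backend.
    if ".." in unquote(path).split("/"):
        return ""
    for prefix, backend in BACKENDS.items():
        if path.startswith(prefix):
            return urlunsplit(("http", backend, path, parts.query, ""))
    return ""


def main():
    # Squid keeps the helper running and expects exactly one reply line per
    # request line, so flush after every answer.
    for line in sys.stdin:
        sys.stdout.write(rewrite(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

An empty reply line tells Squid to keep the original URL, so anything that does not match a known prefix is left untouched.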
maiku
Guru

Joined: 24 Mar 2004
Posts: 500
Location: Long Island, NY

Posted: Fri Nov 10, 2006 4:51 pm

Please be aware that in the later versions of squid you will not be able to have squid defined as a web accelerator and a transparent proxy at the same time. If you have iptables redirecting packets on port 80 to squid port 3128 then your best bet would be to reconfigure squid to:
Quote:
http_port 3128 vhost vport=80 defaultsite=virtual
All packages are transparently being re-routed anyway through iptables and like I said you will only get errors when putting the option "transparent" in that line.
_________________
- Mike A. Leonetti
mrness
Retired Dev

Joined: 17 Feb 2004
Posts: 375
Location: bucharest.ro

Posted: Sat Nov 11, 2006 9:35 am

maiku wrote:
All packages are transparently being re-routed anyway through iptables and like I said you will only get errors when putting the option "transparent" in that line.


In my experience,
Code:
http_port 3128 transparent
works like a charm, as a transparent proxy as well as a normal proxy.
maiku
Guru

Joined: 24 Mar 2004
Posts: 500
Location: Long Island, NY

Posted: Sat Nov 11, 2006 6:53 pm

If you don't mind my asking, what is your setup then?
_________________
- Mike A. Leonetti
mrness
Retired Dev

Joined: 17 Feb 2004
Posts: 375
Location: bucharest.ro

Posted: Sat Nov 11, 2006 7:48 pm

What difference does it make what I have in the rest of squid.conf? There you go:
Code:

http_port internalip:8080 transparent
icp_port 0
htcp_port 0
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mem 16 MB
maximum_object_size 64 MB
maximum_object_size_in_memory 128 KB
cache_dir aufs /var/cache/squid 2048 64 72
access_log /var/log/squid/access.log squid
log_ip_on_direct off
log_fqdn on
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
quick_abort_min 10 KB
quick_abort_max 50 KB
quick_abort_pct 97
negative_ttl 1 minutes
negative_dns_ttl 1 minutes
connect_timeout 1 minutes
read_timeout 2 minutes
request_timeout 30 seconds
half_closed_clients off
acl all src 0.0.0.0/0.0.0.0
acl localnet src 192.168.1.0/255.255.255.0
acl localdomain srcdomain .mydomain
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 4443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563 4443        # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 901         # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access allow manager localnet
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localhost
http_access deny !localdomain
http_access allow localnet
http_access deny all
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
cache_mgr postmaster@mydomain
logfile_rotate 0
memory_pools off
forwarded_for off
cachemgr_passwd mypass shutdown config
cachemgr_passwd none all
always_direct allow all
coredump_dir /var/cache/squid

The point is I use just the "transparent" option on http_port and use DNAT to redirect outgoing traffic on TCP port 80 to squid (in my case 8080).
maiku
Guru

Joined: 24 Mar 2004
Posts: 500
Location: Long Island, NY

Posted: Sat Nov 11, 2006 7:56 pm

The bottom line is what I was curious about. I'm not sure on the difference between a transparent proxy and an HTTP accelerator.
_________________
- Mike A. Leonetti