>
>> I am working on a "active-active" firewall for a customer. It will be
>> two
>
> How did my thread remind you of this? :).
>
> By the way, my currently is a multi-web server setup with a dual LVS front
> end. Once I finally get squid working as a reverse, the idea is to put a
> couple of load balanced squid servers in front of the web servers to
> better
> maximize. I figure squid should be able to provide way more performance
> than
> adding more web servers for a while.
>
> Anyhow, re-installed squid and using default config, have it working as a
> reverse for the main site. It's not yet serving up the virtual hosts
> however.
>
> This is what I've got now that it's rebuilt and I'm reading about the
> various options.
>
> #Recommended minimum configuration:
> cache_mgr www.mydomain.com
>
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> acl our_sites dstdomain www.mydomain.com
The above acl determines what websites are hosted on the peer server and
are allowed back. For virtual hosts on that server, list each domain in
this ACL.
By starting a domain with '.' means that domain and all child domains are
matched. So "acl our_sites dstdomain .example.com" will pass
www.example.com www3.example.com and anything.example.com back to the peer
web server.
>
> http_port 80 accel defaultsite=www.mydomain.com vhost
>
> cache_peer 192.168.1.93 parent 80 0 no-query originserver name=myAccel
> cache_peer_access myAccel allow our_sites
> cache_peer_access myAccel deny all
>
> #Guessing my problem is in the following section since I've never been
> much
> good at ACL's.
>
> http_access allow our_sites
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny all
> icp_access allow all
>
> #We recommend you to use at least the following line.
> hierarchy_stoplist cgi-bin ?
>
> cache_mem 2048 MB
cache_mem is the amount of memory-only cache space to allocate. NOT the
RAM limits used by Squid. Change carefully.
>
> # maximum_object_size_in_memory 8 KB
> # memory_replacement_policy lru
>
> cache_dir ufs /var/spool/squid 40100 16 256
> access_log /var/log/squid/access.log squid
> cache_log /var/log/squid/cache.log
> cache_store_log /var/log/squid/store.log
The store.log is a general drag on performance, unless you need it for a
particular process use:
cache_store_log none
> coredump_dir /var/spool/squid
>
> acl QUERY urlpath_regex cgi-bin \?
> acl apache rep_header Server ^Apache
>
> broken_vary_encoding allow apache
> cache deny QUERY
Remove the lines above containing "QUERY".
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
Add here:
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
Amos
Received on Mon Apr 06 2009 - 03:20:49 MDT
This archive was generated by hypermail 2.2.0 : Tue Apr 07 2009 - 12:00:02 MDT