Hello Amos,
Is this configuration normally for a large ISP provider?
Saturday, July 25, 2009, 6:12:40 AM, you wrote:
> Farhad Ibragimov wrote:
>> Hello Squid-users,
>>
>> Dear Squid Guru
>>
>> I installed a new Squid 3 days ago. The version is 3.0 15. The
>> problem is that I don't see TCP_HIT (only TCP_MISS) in the access log file.
>> The configuration file is attached. Please help.
>>
>>
>>
>> # WELCOME TO SQUID 3.0.STABLE15
>> # ----------------------------
>> http_port 3128 transparent
>> cache_mem 1024 MB
>> minimum_object_size 2048 KB
> ?? looks like your problem. Most of the web traffic you will ever see is
> under 2 MB big.
> Average size is somewhere between 32KB and 128KB depending on your clients.
> ... more points to follow ...
>> icp_port 0
>> wccp2_router 85.132.32.20
>> visible_hostname "url..."
>> url_rewrite_children 20
>> cache_dir ufs /cache 6000 16 256
>> cache_swap_low 90
>> cache_swap_high 95
>> allow_underscore on
>> request_header_max_size 128 KB
> Please do NOT raise this above 64KB in Squid 3.0!
> There are a very large number of remote DDoS vulnerabilities that open
> up. The default for each squid version is kept at the largest safe value
> we can be sure of.
>> client_persistent_connections on
>> server_persistent_connections on
>> maximum_object_size_in_memory 50 KB
>> cache_replacement_policy heap LFUDA
>> maximum_object_size 50 MB
>> ######LOG################
>> access_log /var/squid/logs/access.log squid
>> cache_log /var/squid/logs/cache.log
>> cache_store_log /var/squid/logs/store.log
>> ###############################
>> cache_mgr "mail address"
>> httpd_suppress_version_string on
>> # SNMP OPTIONS
>> # -----------------------------------------------------------------------------
>> #snmp_port 1161
>> #snmp_access allow snmppublic localhost
>> #snmp_access deny all
>> cache_effective_user squid
>> cache_effective_group squid
>> ###############################################################
>> acl dayaz dstdomain .day.az
>> always_direct allow dayaz
>> ###############################################################
>> refresh_pattern -i \.gif$ 43200 100% 43200 override-lastmod override-expire
>> refresh_pattern -i \.png$ 43200 100% 43200 override-lastmod override-expire
>> refresh_pattern -i \.jpg$ 43200 100% 43200 override-lastmod override-expire
>> refresh_pattern -i \.jpeg$ 43200 100% 43200 override-lastmod override-expire
>> refresh_pattern -i \.pdf$ 43200 100% 43200 override-lastmod override-expire
>> refresh_pattern -i \.zip$ 43200 100% 43200 override-lastmod override-expire
>> refresh_pattern -i \.tar$ 43200 100% 43200 override-lastmod override-expire
>> refresh_pattern -i \.gz$ 43200 100% 43200 override-lastmod override-expire
>> refresh_pattern -i \.tgz$ 43200 100% 43200 override-lastmod override-expire
>> refresh_pattern -i \.exe$ 43200 100% 43200 override-lastmod override-expire
>> refresh_pattern -i \.prz$ 43200 100% 43200 override-lastmod override-expire
>> refresh_pattern -i \.ppt$ 43200 100% 43200 override-lastmod override-expire
>> refresh_pattern -i \.inf$ 43200 100% 43200 override-lastmod override-expire
>> refresh_pattern -i \.swf$ 43200 100% 43200 override-lastmod override-expire
>> refresh_pattern -i \.mid$ 43200 100% 43200 override-lastmod override-expire
>> refresh_pattern -i \.wav$ 43200 100% 43200 override-lastmod override-expire
>> refresh_pattern -i \.mp3$ 43200 100% 43200 override-lastmod override-expire
>>
>> #refresh_pattern ^ftp: 1440 20% 10080
>> #refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern (cgi-bin|\?) 0 0% 0
>> #refresh_pattern . 0 20% 4320
> Please do not alter the four above. They ensure that your cache is not
> vulnerable to cache poisoning attacks or committing them against other
> caches.
>>
>> # ACCESS CONTROLS
>> ##############################################################
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/32
>> acl to_localhost dst 127.0.0.0/8
>>
>>
>> # Example rule allowing access from your local networks.
>> # Adapt to list your (internal) IP networks from where browsing
>> # should be allowed
>> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
>> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>> #
>> acl SSL_ports port 443
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl CONNECT method CONNECT
>>
>> # TAG: http_access
>> http_access allow manager localhost
>> http_access deny manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> #http_access allow localnet
> Something has gone wrong. The above line commented out prevents local
> networks from being serviced by this Squid.
> I would expect this config to show constant TCP_MISS:DENIED in access.log.
>>
>> http_access deny all
>>
>> icp_access deny all
>> htcp_access deny all
>>
>> hierarchy_stoplist cgi-bin ?
>>
>> # TAG: debug_options
>> # Logging options are set as section,level where each source file
>> # is assigned a unique section. Lower levels result in less
>> # output, Full debugging (level 9) can result in a very large
>> # log file, so be careful. The magic word "ALL" sets debugging
>> # levels for all sections. We recommend normally running with
>> # "ALL,1".
>> #
>> #Default:
>> # debug_options ALL,1
>>
>> icp_port 0
>> htcp_port 0
>> log_icp_queries off
>>
>> allow_underscore on
>>
>> # WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS
>> #wccp_version 4
>> # wccp2_rebuild_wait on
>> # wccp2_forwarding_method 1
>> # wccp2_return_method 1
>> # wccp2_assignment_method 1
>> # wccp2_service standard 0
>> # wccp2_weight 10000
>> # wccp_address 0.0.0.0
>> # wccp2_address 0.0.0.0
>>
>> # ERROR PAGE OPTIONS
>> # -----------------------------------------------------------------------------
>> # error_directory /squid/share/errors/templates
>> email_err_data on
>>
>> client_db on
>> coredump_dir /var/squid/cache
> Amos
--
Best regards,
Farhad mailto:inara.ibragimova_at_gmail.com

Received on Sat Jul 25 2009 - 20:18:57 MDT
This archive was generated by hypermail 2.2.0 : Sun Jul 26 2009 - 12:00:04 MDT
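
The four points raised in the quoted review (minimum_object_size, request_header_max_size, the stock refresh_pattern rules, and the commented-out `http_access allow localnet`) can be checked mechanically. The following is an added example, not part of the original thread and not Squid project code; the 32 KB threshold, the function names and the "manager" heuristic are assumptions made for illustration.

```python
UNITS = {"bytes": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
# The four stock refresh_pattern regexes the reply says not to alter.
STOCK_REFRESH = ["^ftp:", "^gopher:", r"(cgi-bin|\?)", "."]
SMALL_OBJECT = 32 * 1024   # assumed threshold: low end of the average size quoted
HEADER_LIMIT = 64 * 1024   # ceiling the reply gives for Squid 3.0

def directives(text):
    """Yield (name, args) for each active (uncommented) squid.conf line."""
    for raw in text.splitlines():
        line = raw.split(" #")[0].strip()   # drop trailing comments
        if line and not line.startswith("#"):
            name, *args = line.split()
            yield name, args

def size_bytes(args):
    # ['2048', 'KB'] -> bytes; a bare number is treated as bytes (assumption)
    return int(args[0]) * (UNITS[args[1]] if len(args) > 1 else 1)

def review(text):
    """Return {directive: finding} for the four points raised in the reply."""
    found, refresh, client_allow = {}, set(), False
    for name, args in directives(text):
        if name == "minimum_object_size" and size_bytes(args) > SMALL_OBJECT:
            found[name] = "objects below this size are not stored on disk"
        elif name == "request_header_max_size" and size_bytes(args) > HEADER_LIMIT:
            found[name] = "above 64 KB"
        elif name == "refresh_pattern":
            refresh.add(args[1] if args[0] == "-i" else args[0])
        elif name == "http_access" and args[0] == "allow" and "manager" not in args:
            client_allow = True   # heuristic: an allow rule not tied to the manager ACL
    missing = [p for p in STOCK_REFRESH if p not in refresh]
    if missing:
        found["refresh_pattern"] = "stock rules not active: " + " ".join(missing)
    if not client_allow:
        found["http_access"] = "no allow rule for clients before 'deny all'"
    return found

# Excerpt of the directives posted in the thread.
POSTED = r"""
minimum_object_size 2048 KB
request_header_max_size 128 KB
#refresh_pattern ^ftp: 1440 20% 10080
#refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
#refresh_pattern . 0 20% 4320
http_access allow manager localhost
#http_access allow localnet
http_access deny all
"""
```

Calling `review(POSTED)` reports all four directives; the same excerpt with the sizes lowered and the commented rules restored returns an empty result.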