Dear Amos,
Thank you very much for your detailed analysis. I have tried to understand and implement whatever you have told me. However, I have a few more queries.
1. Best way to move from ufs to aufs? Especially in my scenario.
2. I think the setting you told me about, splitting ftpmp3, will now block both the FTP protocol and mp3 as well, as different from the original settings where only those FTP sites were blocked that contained mp3s? Am I right?
3. My ACLs that contained time were not working. Can you see any problem in the order or anything? (I have optimized them according to your suggestions, but do they also solve the problem of logic as well?)
4. Is there a way to block torrentz & rapidshare?
5. I am currently working on the squid3 package (stable) that comes by default with Ubuntu 8.04 LTS. Should I move to 3.0.STABLE24, and how do I do that with the best ease, without having to do all the reconfigurations? The default version has a capacity to start up automatically with system boot. Will the version I install also have the same capacity?
6. With which user should Squid be running? The default proxy is OK; I am running it with the default. (Only I have given read+write+execute permissions on the folder /etc/squid3 ** var/log/squid3 to everyone and it's working. Is it good enough or is it risky?)
Best Regards,
Bilal Aslam
----------------------------------------
> Date: Thu, 11 Mar 2010 01:47:29 +1300
> From: squid3_at_treenet.co.nz
> To: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] Images are not loading properly into web pages. (not sure about my cache settings)
>
> GIGO . wrote:
>> Dear All,
>>
>> I am facing this problem that images are not loading properly into web pages. The clients that are directly on ISA are having a better experience of net browsing than Squid with cache. (Its response is slow.)
>>
>> Something to do with my cache settings??
>>
>> Further information: I have four (4) GB of physical RAM on my server (Ubuntu 8.04 LTS), with physical RAID 1 implemented on an IBM 3650 X series. The default partition scheme of Ubuntu (without LVM) is applied.
>>
>>
>> please guide me about it.
>>
>> regards,
>>
>> Bilal
>>
>> My Squid.conf File
>>
>> visible_hostname 10.1.82.53
>> cache_peer 10.1.82.205 parent 8080 0 default no-digest no-query
>> http_port 10.1.82.53:3128
>> never_direct allow all
>> cache_effective_user proxy
>> cache_mgr bilal.aslam_at_mcb.com.pk
>> coredump_dir /var/sppol/squid3
>> cache_dir ufs /var/squidcache 50000 16 256
>
> Problem #1: ufs filesystem is slowest available. Use aufs on Linux.
>
>> cache_swap_low 75
>> cache_mem 1000 MB
>> maximum_object_size 195 MB
>> minimum_object_size 12 bytes
>> cache_replacement_policy lru
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern . 0 20% 4320
>> acl localServers dst 10.1.82.0/24 10.1.80.0/24 10.1.245.0/24
>> #acl localServers dstdomain .bla.bla.com
>> no_cache deny LocalServers
>
> Problem #2: "no_cache" is obsolete.
>
> The above means prevent caching of LocalServers responses.
> ie:
> cache deny LocalServers
>
>
>> acl Query urlpath_regex cgi-bin \?
>> cache deny Query
>> hierarchy_stoplist cgi-bin ?
>
> Problem #3: dynamic web objects are extremely common these days and a
> large portion are cacheable. Maybe the stuff you want cached has a ? in it.
> Remove the "Query" ACL and rules.
>
>>
>> acl manager proto cache_object
>> http_access allow manager
>> http_access deny manager
>> acl OverConnLimit maxconn 10
>> http_access deny OverConnLimit
>
> Note: capping connection limits is known to cause noticeable slowdown
> for clients. The more parallel requests that can be done the faster
> large multi-object pages download (sites like www.cnn.com with its
> legendary 480+ front-page objects [they have improved now]). It's up to
> you though.
>
>
>> acl localhost src 127.0.0.1/32
>> acl to_localhost dst 127.0.0.0/8
>> http_access allow localhost
>>
>> acl SSL_ports port 443 #https
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl CONNECT method CONNECT
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> acl FcUsr src "/etc/squid3/FcUsr.conf"
>> acl PUsr src "/etc/squid3/PUsr.conf"
>> acl RUsr src "/etc/squid3/RUsr.conf"
>> acl Working_hours time MTWHF 09:00-17:00
>> acl inlunchbreak time 13:00-14:30
>> ####----Definitions for BlockingRules----#####
>> ###Definition of MP3/MPEG
>> acl FTPMP3 url_regex -i ^ftp://.*\.mp3$
>
> Sometimes like this it's faster to split that into two ACLs...
>
> acl FTP proto FTP
> acl MP3url urlpath_regex \.mp3(\?.*)?$
>
> http_access ... FTP MP3url
>
>> acl Movies rep_mime_type video/mpeg
>> acl MP3s rep_mime_type audio/mpeg
>>
>> ###Definition of Flash Video
>> acl deny_rep_mime_flashvideo rep_mime_type video/flv
>> ###Definition of Porn
>> acl Sex urlpath_regex sex
>> acl PornSites url_regex "/etc/squid3/pornlist"
>>
>> ####Definition of YouTube.
>> ## The videos come from several domains
>> acl youtube_domains dstdomain .youtube.com .googlevideo.com .ytimg.com
>> ###Definition of FaceBook
>> acl facebook_sites dstdomain .facebook.com
>>
>> #### Definition of MSN Messenger
>> acl msn urlpath_regex -i gateway.dll
>> acl msnd dstdomain messenger.msn.com gateway.messenger.hotmail.com
>> acl msn1 req_mime_type application/x-msn-messenger
>>
>> ####Definition of Blocking Skype
>> acl numeric_IPs url_regex ^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9af]+)?:([0-9af:]+)?:([0-9af]+)?\])):443
>> acl Skype_UA browser ^skype^
>> ##Definition of Yahoo! Messenger
>> acl ym dstdomain .messenger.yahoo.com .psq.yahoo.com
>> acl ym dstdomain .us.il.yimg.com .msg.yahoo.com .pager.yahoo.com
>> acl ym dstdomain .rareedge.com .ytunnelpro.com .chat.yahoo.com
>> acl ym dstdomain .voice.yahoo.com
>> acl ymregex url_regex yupdater.yim ymsgr myspaceim
>> ## Other protocols Yahoo!Messenger uses ??
>> acl ym dstdomain .skype.com .imvu.com
>> ###Disallowing download of executables from web#####
>> acl downloads url_regex "/etc/squid3/download.conf"
>>
>> ###---------------------------------------------########
>> http_access deny PornSites RUsr
>> http_access deny PornSites PUsr
>> http_access deny Sex RUsr
>> http_access deny Sex PUsr
>> http_access deny msnd PUsr
>> http_access deny msnd RUsr
>> http_access deny msn PUsr
>> http_access deny msn RUsr
>> http_access deny msn1 PUsr
>> http_access deny msn1 RUsr
>> http_access deny numeric_IPs PUsr
>> http_access deny numeric_IPs RUsr
>> http_access deny Skype_UA PUsr
>> http_access deny Skype_UA RUsr
>> http_access deny ym RUsr
>> http_access deny ym PUsr
>> http_access deny ymregex RUsr
>> http_access deny ymregex PUsr
>> #----Most Restricted settings Exclusive for Normal users......#
>> http_reply_access deny Movies RUsr
>> http_reply_access deny MP3s RUsr
>> http_access deny FTPMP3 RUsr
>
> http_access deny FTP MP3url
>
>> http_reply_access deny deny_rep_mime_flashvideo RUsr
>> http_access deny youtube_domains RUsr
>> http_access deny facebook_sites RUsr
>> http_access deny downloads RUsr
>> http_access allow youtube_domains inlunchbreak PUsr
>> http_access allow facebook_sites inlunchbreak PUsr
>> http_access deny youtube_domains PUsr Working_hours
>> http_access deny facebook_sites PUsr Working_hours
>> http_access allow FcUsr
>> http_access allow PUsr
>> http_access allow RUsr
>> http_access deny all
>>
>
> As a general rule-of-thumb for better speed, place the fastest ACL first
> on each line and the slowest at the end. For Squid, remote lookups are
> _the_ slowest around, with regex a close second.
>
> This is a rough estimate of the order (top == fastest) of speed of your
> ACL types:
>
> src / port / proto / method
> dstdomain / time
> urlpath_regex / rep_mime_type / req_mime_type
> url_regex / browser
>
>
> To speed your Squid up you need a lot of access line changes like this one:
>
> before optimizing:
> http_access allow youtube_domains inlunchbreak PUsr
>
> after optimizing:
> http_access allow PUsr inlunchbreak youtube_domains
>
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE8 or 3.0.STABLE24
> Current Beta Squid 3.1.0.17
Received on Wed Mar 10 2010 - 14:51:04 MST
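
An added example, not part of the original messages: a small Python model of how Squid evaluates `http_access` lines (ACLs on one line are ANDed left to right, and the first line whose ACLs all match decides). It shows which requests `http_access deny FTP MP3url` matches, and that moving the `src` ACL to the front of a line reduces the number of ACL tests without changing the decision. The client addresses, URLs and simplified matchers are constructed for illustration.

```python
import re
from datetime import datetime, time
from urllib.parse import urlsplit

PUSR = {"10.1.82.20"}  # constructed address standing in for the PUsr list

def urlpath(url):
    u = urlsplit(url)
    return u.path + ("?" + u.query if u.query else "")

def in_domains(url, domains):
    host = urlsplit(url).hostname or ""
    return any(host == d.lstrip(".") or host.endswith(d) for d in domains)

def between(start, end, days=range(7)):
    return lambda r: r["when"].weekday() in days and start <= r["when"].time() <= end

# Simplified matchers for the ACL names used in the thread.
ACLS = {
    "all": lambda r: True,
    "PUsr": lambda r: r["src"] in PUSR,
    "FTP": lambda r: urlsplit(r["url"]).scheme == "ftp",
    "MP3url": lambda r: re.search(r"\.mp3(\?.*)?$", urlpath(r["url"])) is not None,
    "youtube_domains": lambda r: in_domains(
        r["url"], (".youtube.com", ".googlevideo.com", ".ytimg.com")),
    "inlunchbreak": between(time(13, 0), time(14, 30)),
}

def evaluate(rules, req):
    """Return (action, acl_tests_run) for the first line whose ACLs all match."""
    tests = 0
    for action, names in rules:
        for name in names:
            tests += 1
            if not ACLS[name](req):
                break  # one mismatch ends this line; move to the next line
        else:
            return action, tests
    return "deny", tests

def request(src, url, when=datetime(2010, 3, 10, 13, 30)):  # a Wednesday lunchtime
    return {"src": src, "url": url, "when": when}

# Rule sets reduced to the lines under discussion.
SPLIT = [("deny", ["FTP", "MP3url"]), ("allow", ["PUsr"]), ("deny", ["all"])]
BEFORE = [("allow", ["youtube_domains", "inlunchbreak", "PUsr"]), ("deny", ["all"])]
AFTER = [("allow", ["PUsr", "inlunchbreak", "youtube_domains"]), ("deny", ["all"])]
```
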