Re: [squid-users] Squid reverse proxy with cache.

From: Morgan Storey <me_at_morganstorey.com>
Date: Tue, 29 Mar 2011 18:52:00 +1100

I think I am already using it;

I have also played with the cache control setting in IIS, I get the below if
I wget the index on the webserver:

Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Cache-Control: public, max-age=5,stale-while-revalidate=600,
stale-if-error=36000
Set-Cookie: ASP.NET_SessionId=fdlkjayuf98dsfgnkjdsl7; path=/; HttpOnly
Cache-Control: private

2011/3/29 George Halkias <admin_at_atcom.gr>:
> Use stale-if-error cache directive!
>
> http://www.mnot.net/blog/2007/12/12/stale
>
> -----Original Message-----
> From: Morgan Storey [mailto:me_at_morganstorey.com]
> Sent: Tuesday, March 29, 2011 10:42 AM
> To: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] Squid reverse proxy with cache.
>
> Anyone got any other ideas on why this isn't delving into the cache
> when the backend server is down?
>
> On Tue, Mar 22, 2011 at 10:37 AM, Morgan Storey <me_at_morganstorey.com> wrote:
>> Thanks Amos I tried your suggestions, still no good when the webserver
>> is offline. I get only a single line in the cache.log "2011/03/22
>> 10:28:50| TCP connection to myAccel (10.0.0.18:80) failed"
>> I have put the squid.conf in the email to make corrections easier (I
>> have tried that offline mode on but it doesn't seem to work);
>>
>> dns_nameservers 10.0.0.2 10.0.0.1
>>
>> cache_dir ufs d:/cache 8000 100 256
>> cache_mem 512 MB
>> maximum_object_size_in_memory 10240 KB
>>
>> access_log e:/squidlogs/access.log squid
>> cache_log e:/squidlogs/cache.log
>> cache_store_log e:/squidlogs/store.log
>> logfile_rotate 10
>>
>>
>> acl all src all
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/32
>> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
>> acl localnet src all    # RFC1918 possible internal network
>>
>> acl SSL_ports port 443
>> acl Safe_ports port 80          # http
>> acl Safe_ports port 443         # https
>> acl CONNECT method CONNECT
>>
>> ##############################################################
>>
>> http_port 80 accel defaultsite=www.site.com vhost
>>
>> #                                        proxy  icp
>> #          hostname             type     port   port  options
>> #          -------------------- -------- ----- -----  -----------
>> cache_peer 10.0.0.18 parent 80 0 no-query originserver name=myAccel
>>
>>
>> acl our_sites dstdomain www.site.com
>> forwarded_for on
>>
>> http_access allow our_sites
>> cache_peer_access myAccel allow our_sites
>> cache_peer_access myAccel deny all
>>
>> cache_effective_group proxy
>>
>> ##############################################################
>>
>> #
>> #Allow ICP queries from All
>> icp_access allow all
>>
>> #  TAG: max_stale       time-units
>> #       This option puts an upper limit on how stale content Squid
>> #       will serve from the cache if cache validation fails.
>> #
>> #Default:
>> max_stale 1 week
>>
>> #Suggested default:
>> #refresh_pattern ^ftp:          1440    20%     10080
>> #refresh_pattern ^gopher:       1440    0%      1440
>> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
>> refresh_pattern -i (/umbraco/|\?) 0     0%      0
>> refresh_pattern .               120     20%     4320
>>
>> acl QUERY urlpath_regex umbraco \?
>> acl POST method POST
>> no_cache deny QUERY
>> no_cache deny POST
>>
>> # TIMEOUTS
>> forward_timeout 15 seconds
>>
>> # Do not tell the world that which squid version we're running
>> httpd_suppress_version_string on
>>
>> # Remove the Caching Control header for upstream servers
>> header_access Cache-Control deny all
>>
>> cache_mgr someone_at_somewhere.com
>>
>> #offline_mode on
>>
>>
>> On Mon, Mar 21, 2011 at 10:26 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>>> On 21/03/11 21:44, Morgan Storey wrote:
>>
>>> Some notes on those configs:
>>>
>>> (squid1)
>>>  * You can deny CONNECT entirely. It should never happen to a reverse-proxy.
>>> They get native HTTPS connections to their https_port.
>>>
>>>  * Your reverse-proxy settings, for cache_peer and the related http_access
>>> rule MUST be above the default forward-proxy rules. Since this appears to be
>>> a pure reverse-proxy you can drop the default config file http_access lines
>>> entirely.
>>>  NP: do that and I believe your Squid will stop needing to wait for DNS. It
>>> only uses it now to check the localnet ACL :)
>>>
>>>  * header_access is not a very safe thing to do for Squid-2. It affects both
>>> the client request headers passed to your main server AND the reply headers
>>> destined for the visitor.
>>>  refresh_pattern flag "reload-into-ims" is much safer and helps avoid the
>>> forced reload clients sometimes send.
>>>
>>> (squid2)
>>>  * you are missing the http_access reverse-proxy settings. squid1 was
>>> better.
>>>
>>>
>>> Amos
>>> --
>>> Please be using
>>>  Current Stable Squid 2.7.STABLE9 or 3.1.11
>>>  Beta testers wanted for 3.2.0.5
>>>
>>
>
Received on Tue Mar 29 2011 - 07:52:08 MDT

This archive was generated by hypermail 2.2.0 : Tue Mar 29 2011 - 12:00:02 MDT