Squid consists of the main squid program, the dnsserver program that handles DNS lookups, the ftpget program that fetches FTP data, and a few management tools. When squid starts, it launches a configured number of dnsservers, each of which runs on its own and blocks only on DNS lookups. This reduces the total time spent waiting for DNS replies.
Squid has its origins in the ARPA-funded Harvest project. http://harvest.cs.colorado.edu/
We needed some way to distinguish ourselves from the Harvest cache. Squid was the code name during early development, and it stuck.
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
Please send corrections, updates and comments to: squid-faq@nlanr.net.
% gzip -dc squid-x.y.z-src.tar.gz | tar xvf -
Then configure, compile and install:
% cd squid-x.y.z
% ./configure
% make all
% make install
It is best to use the GNU C compiler (gcc). Recent versions of Squid are written in ANSI C, so older compilers may not work. The GNU C compiler is available from ftp://prep.ai.mit.edu/pub/gnu/. The configure script accepts several options. The most useful is --prefix, for installing into a different directory. The default is /usr/local/squid. To change it, do the following:
% cd squid-x.y.z
% ./configure --prefix=/some/other/directory/squid
/usr/local/squid/bin/RunCache &
% client http://www.netscape.com/ > test
There are other command-line HTTP client programs. You may find these two useful: url_get, at ftp://ftp.pasteur.fr/pub/Network/url_get/, and echoping, at ftp://ftp.pasteur.fr/pub/Network/echoping/. Also check the most important files, access.log and cache.log.
    cd squid-1.1.x
    patch < /tmp/fixes.patch

But from time to time patches are created from the 'src' directory, in which case you need:

    cd squid-1.1.x/src
    patch < /tmp/fixes.patch

If the patch program complains about something and refuses to work, you will have to get a newer version, for example from the GNU FTP site.
For example, the squid.conf below, on childcache.example.com, is configured so that its cache fetches data from one parent and two sibling caches:

        #  squid.conf - On the host: childcache.example.com
        #
        #  Format is: hostname  type  http_port  udp_port
        #
        cache_host parentcache.example.com   parent  3128 3130
        cache_host childcache2.example.com   sibling 3128 3130
        cache_host childcache3.example.com   sibling 3128 3130

The cache_host_domain directive lets you specify, per domain, both sibling and parent caches:

        #  squid.conf - On the host: sv.cache.nlanr.net
        #
        #  Format is: hostname  type  http_port  udp_port
        #
        cache_host electraglide.geog.unsw.edu.au parent 3128 3130
        cache_host cache1.nzgate.net.nz          parent 3128 3130
        cache_host pb.cache.nlanr.net   parent 3128 3130
        cache_host it.cache.nlanr.net   parent 3128 3130
        cache_host sd.cache.nlanr.net   parent 3128 3130
        cache_host uc.cache.nlanr.net   sibling 3128 3130
        cache_host bo.cache.nlanr.net   sibling 3128 3130
        cache_host_domain electraglide.geog.unsw.edu.au .au
        cache_host_domain cache1.nzgate.net.nz   .au .aq .fj .nz
        cache_host_domain pb.cache.nlanr.net     .uk .de .fr .no .se .it
        cache_host_domain it.cache.nlanr.net     .uk .de .fr .no .se .it
        cache_host_domain sd.cache.nlanr.net     .mx .za .mu .zm

The configuration above says that the cache will use pb.cache.nlanr.net and it.cache.nlanr.net for the domains uk, de, fr, no, se and it; sd.cache.nlanr.net for the domains mx, za, mu and zm; and cache1.nzgate.net.nz for the domains au, aq, fj and nz.
        cache_announce 24
        announce_to sd.cache.nlanr.net:3131

Note: announcing a cache is not the same as joining the NLANR hierarchy. You can join the NLANR hierarchy without registering, and you can register without joining the NLANR cache hierarchy.
An accelerator caches incoming requests for outgoing data (that is, the data you publish on your own server). It thereby takes load off your HTTP server and your internal network. You take the server off port 80 (or whatever port it uses) and put the accelerator in its place; the accelerator forwards HTTP data from the "real" HTTP server (only the accelerator needs to know where the real server is). The outside world sees no difference (except, perhaps, faster access).
Besides offloading the real web server, an accelerator can sit outside a firewall or any other network bottleneck and talk to HTTP servers inside it, reducing traffic through the bottleneck and simplifying configuration. Two or more accelerators connected via ICP can increase a web server's speed and its resilience to any single failure.
The Squid redirector can make an accelerator act as a single front end for several servers. If you need to move parts of your filesystem from one server to another, or if separately administered HTTP servers should logically appear under a single URL hierarchy, an accelerator will do it.
If you only want to cache the "rest of the world" to give local users more efficient Internet access, accelerator mode should be turned off. Companies that run their own web server use an accelerator to improve access to it. Those who care about efficient Internet access for local users use a caching proxy. Many, ourselves included, use both.
A comparison of the Squid cache and its Harvest predecessor shows an order-of-magnitude performance gain over CERN and other widely used caching programs. This advantage lets the cache act as an httpd accelerator: a cache configured as the main web server (on port 80), passing references it cannot serve on to the real httpd (on port 81).
In such a configuration the web site administrator moves all non-cacheable URLs to the httpd on port 81. The cache serves references to cacheable objects, such as HTML pages and GIFs, while the real httpd (on port 81) serves everything non-cacheable, such as queries and cgi-bin programs. If use of the server depends heavily on cacheable objects, this configuration can significantly reduce the web server's load.
Remember that it is best not to run squid as an httpd accelerator and as a caching proxy at the same time, since the two have different operating modes. You will get better performance by running them on separate machines. Still, Squid can work as an httpd accelerator and a caching proxy simultaneously if you set httpd_accel_with_proxy to on in your squid.conf.
Use the inside_firewall directive in squid.conf to list the domains that are inside the firewall. For example:
inside_firewall example.com
Several may be given:
inside_firewall example.com example.org example.net
Using inside_firewall leads to two server-selection paths. Objects that do not fall under any of the listed domains are treated as being outside the firewall. For that case:
It is therefore very important to have enough dnsserver processes to handle every lookup, otherwise squid may hang unexpectedly. In practice you should determine the maximum number of dnsservers squid might need and add two more just in case. In other words, if you have only ever seen three dnsserver processes busy, keep at least five. And remember that dnsserver is small and puts little load on the system while idle.
To use socks5, no changes to the Squid code are required. All you need is to add -Dbind=SOCKSbind etc. to the compile line and -lsocks to the link line.
Here is a screenshot of the manual proxy settings in Netscape Navigator.
Here is a screenshot of the automatic proxy configuration in Netscape Navigator. You can also refer to Netscape's documentation on Navigator's JavaScript proxy configuration system at http://home.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-live.html
Here is an example JavaScript auto-configuration from Oskar Pearson:
//We (www.is.co.za) run a central cache for our customers that they
//access through a firewall - thus if they want to connect to their intranet
//system (or anything in their domain at all) they have to connect
//directly - hence all the "fiddling" to see if they are trying to connect
//to their local domain.
//Replace each occurrence of company.com with your domain name
//and if you have some kind of intranet system, make sure
//that you put its name in place of "internal" below.
//We also assume that your cache is called "cache.company.com", and
//that it runs on port 8080. Change it down at the bottom.
//(C) Oskar Pearson and the Internet Solution (http://www.is.co.za)

    function FindProxyForURL(url, host)
        {
            //If they have only specified a hostname, go directly.
            if (isPlainHostName(host))
                    return "DIRECT";

            //These connect directly if the machine they are trying to
            //connect to starts with "intranet" - ie http://intranet
            //Connect directly if it is intranet.*
            //If you have another machine that you want them to
            //access directly, replace "internal*" with that
            //machine's name
            if (shExpMatch(host, "intranet*") ||
                            shExpMatch(host, "internal*"))
                return "DIRECT";

            //Connect directly to our domains (NB for Important News)
            if (dnsDomainIs(host, "company.com") ||
            //If you have another domain that you wish to connect to
            //directly, put it in here
                            dnsDomainIs(host, "sistercompany.com"))
                return "DIRECT";

            //So the error message "no such host" will appear through the
            //normal Netscape box - less support queries :)
            if (!isResolvable(host))
                    return "DIRECT";

            //We only cache http, ftp and gopher
            if (url.substring(0, 5) == "http:" ||
                            url.substring(0, 4) == "ftp:" ||
                            url.substring(0, 7) == "gopher:")
            //Change the ":8080" to the port that your cache
            //runs on, and "cache.company.com" to the machine that
            //you run the cache on
                    return "PROXY cache.company.com:8080; DIRECT";

            //We don't cache WAIS
            if (url.substring(0, 5) == "wais:")
                    return "DIRECT";
            else
                    return "DIRECT";
        }
% setenv http_proxy http://mycache.example.com:3128/
% setenv gopher_proxy http://mycache.example.com:3128/
% setenv ftp_proxy http://mycache.example.com:3128/
For Lynx, the proxy settings can be made in the lynx.cfg file. With this setup all Lynx users can use the proxy without each user having to set environment variables. For example:

        http_proxy:http://mycache.example.com:3128/
        ftp_proxy:http://mycache.example.com:3128/
        gopher_proxy:http://mycache.example.com:3128/
Here is a screenshot of the proxy settings in Internet Explorer.
Microsoft also intends to support Netscape-style automatic proxy configuration via JavaScript. At present only MSIE version 3.0a for Windows 3.1 and Windows NT 3.51 supports this feature (version 3.01 build 1225 for Windows 95 and NT 4.0, for example, does not).
If your version of MSIE supports this feature, select Options from the View menu. Click the Advanced tab, and in the lower-left corner click the Automatic Configuration button. Enter the URL of your JavaScript file. Then restart MSIE. MSIE will re-read the JavaScript file every time it starts.
A screenshot is attached.
In the same window there is a button that opens the exceptions window, where you can list hosts or domains that should not be cached. Here is a screenshot.
Warning: this technique has several significant shortcomings!
    #
    # Code maturity level options
    #
    CONFIG_EXPERIMENTAL=y

    #
    # Networking options
    #
    CONFIG_FIREWALL=y
    # CONFIG_NET_ALIAS is not set
    CONFIG_INET=y
    CONFIG_IP_FORWARD=y
    # CONFIG_IP_MULTICAST is not set
    CONFIG_IP_FIREWALL=y
    # CONFIG_IP_FIREWALL_VERBOSE is not set
    CONFIG_IP_MASQUERADE=y
    CONFIG_IP_TRANSPARENT_PROXY=y
    CONFIG_IP_ALWAYS_DEFRAG=y
    # CONFIG_IP_ACCT is not set
    CONFIG_IP_ROUTER=y

Get the ipfwadm sources from http://www.xos.nl/linux/ipfwadm/ and install them. ipfwadm is needed to set up the redirection rules. I added these rules to a script started from /etc/rc.d/rc.inet1 (Slackware), which configures the interface at boot time. The redirection must be set up before any input rules. To make sure it works, I disabled forwarding (masquerading).
/etc/rc.d/rc.firewall:

#!/bin/sh
# rc.firewall   Linux kernel firewalling rules
FW=/sbin/ipfwadm

# Flush rules, for testing purposes
for i in I O F # A     # If we enabled accounting too
do
        ${FW} -$i -f
done

# Default policies:
${FW} -I -p rej         # Incoming policy: reject (quick error)
${FW} -O -p acc         # Output policy: accept
${FW} -F -p den         # Forwarding policy: deny

# Input Rules:

# Loopback-interface (local access, eg, to local nameserver):
${FW} -I -a acc -S localhost/32 -D localhost/32

# Local Ethernet-interface:

# Redirect to Squid proxy server:
${FW} -I -a acc -P tcp -D default/0 80 -r 80

# Accept packets from local network:
${FW} -I -a acc -P all -S localnet/8 -D default/0 -W eth0

# Only required for other types of traffic (FTP, Telnet):

# Forward localnet with masquerading (udp and tcp, no icmp!):
${FW} -F -a m -P tcp -S localnet/8 -D default/0
${FW} -F -a m -P udp -S localnet/8 -D default/0

All local-network traffic for any destination is redirected to local port 80. The rules can be listed, and will look something like this:
    IP firewall input rules, default policy: reject
    type  prot source               destination          ports
    acc   all  127.0.0.1            127.0.0.1            n/a
    acc/r tcp  10.0.0.0/8           0.0.0.0/0            * -> 80 => 80
    acc   all  10.0.0.0/8           0.0.0.0/0            n/a
    acc   tcp  0.0.0.0/0            0.0.0.0/0            * -> *

Here are the important settings in squid.conf:

    http_port               80
    icp_port                3130
    httpd_accel             virtual 80
    httpd_accel_with_proxy  on

Note: virtual is the magic word here!
I tested this on Windows 95 with both Microsoft Internet Explorer 3.01 and Netscape Communicator, and it works with both with their proxy settings disabled.
Once squid seemed to loop when I pointed the browser at local port 80. This can be avoided by adding the line:

    ${FW} -I -a rej -P tcp -S localnet/8 -D dec/32 80

    IP firewall input rules, default policy: reject
    type  prot source               destination          ports
    acc   all  127.0.0.1            127.0.0.1            n/a
    rej   tcp  10.0.0.0/8           10.0.0.1             * -> 80
    acc/r tcp  10.0.0.0/8           0.0.0.0/0            * -> 80 => 80
    acc   all  10.0.0.0/8           0.0.0.0/0            n/a
    acc   tcp  0.0.0.0/0            0.0.0.0/0            * -> *

A note on name resolution: instead of simply handing URLs to the proxy, the browser resolves the names itself. Make sure local DNS servers are configured on the workstations.
If a DNS server runs on the firewall or proxy server (which is a good idea IMHO), let the workstations use it.
access.log, common format:

    Host Ident - [D/M/Yr:H:M:S TZ] "Method URL" Status Size

access.log, Squid 1.0 native format:

    Time Elapsed Host Status/HTTP/Hier_Status Size Method URL

access.log, Squid 1.1 native format:

    Time Elapsed Host Status/HTTP Size Method URL Ident Hier_Status/Hier_Host

hierarchy.log, Squid 1.0 only:

    [D/M/Yr:H:M:S TZ] URL Hier_Status Hier_Host

Here is a description of the format of the various log components:
kill -USR1 `cat /usr/local/squid/logs/squid.pid`
Note: the logfile_rotate line in squid.conf makes manual removal of old log files unnecessary. Simply set logfile_rotate to the desired value. Once that many rotated logs exist, the oldest is removed automatically. Set the logfile_rotate value you need and add a crontab entry that sends squid a SIGUSR1 signal, for example at midnight every day:
0 0 * * * /bin/kill -USR1 `cat /usr/local/squid/logs/squid.pid`
The one file you must not delete is log, which usually lives in the first cache_dir directory. It holds the data needed to rebuild the cache when Squid starts. Deleting it means losing the cache.
sort -r -n +4 -5 access.log | awk '{print $5, $7}' | head -25
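The sort/awk pipeline above works on positional fields. The following added example (not part of the FAQ or of Squid) parses the Squid 1.1 native access.log format described earlier, reproduces that "top 25 by size" report, and also lists cache_object:// requests that did not come from the local machine, which is what the cache manager ACL in this FAQ is meant to prevent. The log lines are constructed for the example.

```python
"""Parse Squid 1.1 native access.log lines and report on them."""
from collections import namedtuple

# Field order from the FAQ's description of the Squid 1.1 native format:
#   Time Elapsed Host Status/HTTP Size Method URL Ident Hier_Status/Hier_Host
Entry = namedtuple(
    "Entry",
    "time elapsed host status http_status size method url ident hier_status hier_host",
)

# Constructed sample lines in that format (not taken from a real cache).
SAMPLE_LOG = """\
851742300.123    250 10.0.0.5 TCP_MISS/200 12345 GET http://www.netscape.com/ - DIRECT/www.netscape.com
851742301.456     12 10.0.0.5 TCP_HIT/200 4321 GET http://www.netscape.com/logo.gif - NONE/-
851742302.789      3 127.0.0.1 TCP_MISS/200 900 GET cache_object://localhost/info - NONE/-
851742303.000      2 10.0.0.99 TCP_DENIED/403 300 GET cache_object://mycache.example.com/info - NONE/-
851742304.500    800 10.0.0.7 TCP_MISS/200 65536 GET ftp://ftp.pasteur.fr/pub/Network/url_get/ - DIRECT/ftp.pasteur.fr
851742305.100    400 10.0.0.5 TCP_MISS/200 20000 GET http://www.netscape.com/ - PARENT_HIT/parentcache.example.com
"""


def parse_line(line):
    """Split one native-format line into an Entry; the two compound fields
    (Status/HTTP and Hier_Status/Hier_Host) are split on their '/'."""
    parts = line.split()
    if len(parts) < 9:
        raise ValueError("not a Squid 1.1 native access.log line: %r" % line)
    status, http_status = parts[3].split("/", 1)
    hier_status, hier_host = parts[8].split("/", 1)
    return Entry(float(parts[0]), int(parts[1]), parts[2], status, int(http_status),
                 int(parts[4]), parts[5], parts[6], parts[7], hier_status, hier_host)


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def top_by_size(entries, n=25):
    """Equivalent of the FAQ's pipeline
    sort -r -n +4 -5 access.log | awk '{print $5, $7}' | head -25
    (sort on the fifth field, Size, and print Size and URL)."""
    ranked = sorted(entries, key=lambda e: e.size, reverse=True)
    return [(e.size, e.url) for e in ranked[:n]]


def hit_ratio(entries):
    """Fraction of requests served from this cache (Status containing HIT)."""
    if not entries:
        return 0.0
    return sum(1 for e in entries if "HIT" in e.status) / len(entries)


def remote_cache_object_requests(entries, local=("127.0.0.1",)):
    """cache_object:// is the cache manager protocol. With the FAQ's
    'http_access deny manager !localhost' only the local machine should use
    it, so any such request from elsewhere is worth a look, whether Squid
    denied it or not."""
    return [e for e in entries
            if e.url.startswith("cache_object://") and e.host not in local]


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("hit ratio: %.2f" % hit_ratio(log))
    for size, url in top_by_size(log, 3):
        print("%8d %s" % (size, url))
    for e in remote_cache_object_requests(log):
        print("cache manager request from %s: %s/%d" % (e.host, e.status, e.http_status))
```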
Another, possibly simpler, way is to delete the log file from the cache_dir directory.
After changing the web server's configuration files, you must either restart the web server or send it a SIGHUP so that it re-reads its configuration.
When you have finished configuring the web server, you can connect with a browser to the cache manager at the URL:
http://www.example.com/Squid/cgi-bin/cachemgr.cgi
        Protection MGR-PROT {
                Mask    @(workstation.example.com)
        }

Patterns and IP addresses may be used, including comma-separated lists. Other protection methods are possible; refer to your server's documentation.
You should also add:

        Protect         /Squid/*        MGR-PROT
        Exec            /Squid/cgi-bin/*.cgi    /usr/local/squid/bin/*.cgi

to tell MGR-PROT that the script is executable.

        ScriptAlias /Squid/cgi-bin/ /usr/local/squid/cgi-bin/

We do not advise making a ScriptAlias for the whole /usr/local/squid/bin directory, where the Squid binaries live.
Next, you need to specify which workstations may access the cache manager. This is set in Apache's access.conf, not in squid.conf. At the end of access.conf, insert:

        <Location /Squid/cgi-bin/cachemgr.cgi>
        order deny,allow
        deny from all
        allow from workstation.example.com
        </Location>

You can add several lines, and you can add domains or networks.
cachemgr.cgi can also be password-protected. Add the following lines to access.conf:

        <Location /Squid/cgi-bin/cachemgr.cgi>
        AuthUserFile /path/to/password/file
        AuthGroupFile /dev/null
        AuthName User/Password Required
        AuthType Basic
        <Limit GET>
        require user cachemanager
        </Limit>
        </Location>

The Apache documentation explains how to use htpasswd to set the password.

        acl manager proto cache_object
        acl localhost src 127.0.0.1/255.255.255.255
        acl all src 0.0.0.0/0.0.0.0

With the following access rules:

        http_access deny manager !localhost
        http_access allow all

The first ACL entry is needed for the cache manager, because it queries squid using the special cache_object protocol. You can try it yourself:
telnet mycache.example.com 3128
GET cache_object://mycache.example.com/info HTTP/1.0
By default, if a request is for cache_object and does not come from the local machine, access is denied; otherwise it is allowed.
In fact, since access is permitted only from the local machine, you can enter localhost as the cache host in the cachemgr.cgi form. We recommend the following:

        acl manager proto cache_object
        acl localhost src 127.0.0.1/255.255.255.255
        acl example src 123.123.123.123/255.255.255.255
        acl all src 0.0.0.0/0.0.0.0

where 123.123.123.123 is the IP address of your web server. Then change the rules to:

        http_access deny manager !localhost !example
        http_access allow all

By default it is assumed that the web server is on the same machine as squid. Note that the cache manager talks to squid via the web server, not via the browser. So if your web server is located elsewhere, the IP address of the web server on which cachemgr.cgi is installed must be given in place of example in the example above.
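To see exactly which clients the two rule sets above admit to the cache manager, here is an added example (not part of the FAQ or of Squid) that evaluates http_access lines the way Squid does: every ACL term on a line must match (a leading '!' negates a term), the first matching line wins, and if nothing matches the result is the opposite of the last line. Only the two ACL types used in this section, proto and src, are implemented; the IP addresses are the ones from the FAQ plus a constructed client 10.0.0.5.

```python
"""First-match evaluation of Squid http_access rules, using the ACLs from this FAQ section."""
import ipaddress

# Both rule sets below are the ones quoted in this FAQ section.
CONFIG_LOCAL = """
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl all src 0.0.0.0/0.0.0.0
http_access deny manager !localhost
http_access allow all
"""

CONFIG_WEBSERVER = """
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl example src 123.123.123.123/255.255.255.255
acl all src 0.0.0.0/0.0.0.0
http_access deny manager !localhost !example
http_access allow all
"""


def parse_config(text):
    """Return (acls, rules): acls maps name -> (type, values);
    rules is an ordered list of (action, [(negated, acl_name), ...])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl":
            name, acl_type, values = words[1], words[2], words[3:]
            acls.setdefault(name, (acl_type, []))[1].extend(values)
        elif words[0] == "http_access":
            terms = [(w.startswith("!"), w.lstrip("!")) for w in words[2:]]
            rules.append((words[1], terms))
    return acls, rules


def acl_matches(acl, proto, src):
    """Only the two ACL types used in this section are implemented."""
    acl_type, values = acl
    if acl_type == "proto":
        return proto in values
    if acl_type == "src":
        ip = ipaddress.ip_address(src)
        # Squid's a.b.c.d/m.m.m.m netmask notation is accepted by ipaddress as-is.
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    raise ValueError("unsupported acl type: %s" % acl_type)


def decide(config, url, src):
    """A line matches when every term on it matches ('!' negates a term);
    the first matching line decides; with no match, the result is the
    opposite of the last line's action."""
    acls, rules = parse_config(config)
    if not rules:
        raise ValueError("no http_access lines in configuration")
    proto = url.split("://", 1)[0]
    for action, terms in rules:
        if all(acl_matches(acls[name], proto, src) != negated for negated, name in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    mgr = "cache_object://mycache.example.com/info"
    for cfg_name, cfg in (("local only", CONFIG_LOCAL), ("with web server", CONFIG_WEBSERVER)):
        for src in ("127.0.0.1", "123.123.123.123", "10.0.0.5"):
            print("%-16s manager request from %-16s -> %s" % (cfg_name, src, decide(cfg, mgr, src)))
    # The final 'allow all' line admits every client to the proxy itself;
    # only the cache manager protocol is restricted by these rule sets.
    print("ordinary request from 10.0.0.5 ->", decide(CONFIG_LOCAL, "http://www.netscape.com/", "10.0.0.5"))
```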
Do not forget to send squid a SIGHUP every time you change squid.conf.

        HOST_OPT        = # -DCACHEMGR_HOSTNAME="getfullhostname()"

If the web server running cachemgr.cgi is on the same machine as Squid, simply remove the #. If the web server is a different machine, then:

        HOST_OPT        = -DCACHEMGR_HOSTNAME=\"mycache.example.com\"

After these changes, recompile and reinstall cachemgr.cgi.
If squid is using much less than this field shows, beware! Something is wrong, and squid should be restarted.
For the Flags column:
The N column is the number of IP addresses this hostname has.
At the end of the line, the remaining IP addresses belonging to this IP cache entry are listed.
        Memory usage for squid via mallinfo():
               Total space in arena:   94687 KB
               Ordinary blocks:        32019 KB 210034 blks
               Small blocks:           44364 KB 569500 blks
               Holding blocks:             0 KB   5695 blks
               Free Small blocks:       6650 KB
               Free Ordinary blocks:   11652 KB
               Total in use:           76384 KB 81%
               Total free:             18302 KB 19%
        Meta Data:
        StoreEntry                246043 x 64 bytes =  15377 KB
        IPCacheEntry              971 x   88 bytes  =     83 KB
        Hash link                 2 x   24 bytes    =      0 KB
        URL strings                                 =  11422 KB
        Pool MemObject structures 514 x  144 bytes  =     72 KB (    70 free)
        Pool for Request structur 516 x 4380 bytes  =   2207 KB (  2121 free)
        Pool for in-memory object 6200 x 4096 bytes =  24800 KB ( 22888 free)
        Pool for disk I/O         242 x 8192 bytes  =   1936 KB (  1888 free)
        Miscellaneous                               =   2600 KB
        total Accounted                             =  58499 KB

In the first line mallinfo() reports that 94M is in use. This is close to what top shows (97M).
Of these 94M, 81% (76M) is actually in use at this moment. The rest has been freed, or was reserved by malloc(3) and is not yet used.
Of the 76M in use, 58.5M (76%) can be accounted for. The rest is overhead of the malloc(3) calls.
The Meta Data list shows where the available memory goes. 45% went to StoreEntry and the storage of URL strings. Another 42% is spent holding objects in virtual memory while they are delivered to clients (Pool for in-memory object).
The pool sizes are set in squid.conf. In version 1.0 they are somewhat crude: a stack of unused pages is kept instead of freeing the block. For the Pool for in-memory object, the size of this stack is 1/2 of cache_mem. The size of the Pool for disk I/O is hard-coded at 200. For MemObject and Request it is 1/8 of FD_SETSIZE.
If you need to reduce the process's memory footprint, we recommend lowering the maximum object sizes in the 'http', 'ftp' and 'gopher' configuration lines. You can also reduce cache_mem. But if cache_mem is made too small, some objects may not be saved to disk under heavy load. Newer versions of Squid let you set memory_pools off, which disables the free-memory pool.
For example:
==============================================================================
IP Cache Contents:
 Hostname                     Flags lstref    TTL  N [IP-Number]
 gorn.cc.fh-lippe.de              C       0  21581 1 193.16.112.73
 lagrange.uni-paderborn.de        C       6  21594 1 131.234.128.245
 www.altavista.digital.com        C      10  21299 4 204.123.2.75  204.74.103.37   204.123.2.66   204.123.2.69
 2/ftp.symantec.com               DL   1583 -772855 0
 Flags:  C --> In cache
         D --> Dispatched
         N --> Not cached
         L --> Locked
 lstref: Time since last use
    TTL: Time-To-Live until the entry expires
      N: Number of addresses
==============================================================================
FQDN Cache Contents:
 IP-Number                    Flags TTL(?) N Hostname
 130.149.17.15                    C -45570 1 andele.cs.tu-berlin.de
 194.77.122.18                    C -58133 1 komet.teuto.de
 206.155.117.51                   N -73747 0
 Flags: C --> In cache
        D --> Dispatched
        N --> Not cached
        L --> Locked
    TTL: Time-To-Live
      N: Number of names
httpd_accel_with_proxy on
Also, you may have set your ACLs incorrectly. Check access.log and squid.conf.
The local_domain directive does not prevent local objects from being cached. It prevents sibling caches from being used for local objects. If you really need that, use the cache_stoplist or http_stop options (depending on your version).
For Linux, there is a patch, filehandle.patch.linux, from Michael O'Reilly <michael@metal.iinet.net.au>.
For Solaris, add the following to /etc/system:
set rlim_fd_max = 4096
set rlim_fd_cur = 1024
You should also set #define SQUID_FD_SETSIZE in include/config.h to the same value as rlim_fd_max. Do not set it below 4096.
Solaris select(2) only supports 1024 descriptors; if you need more, edit src/Makefile and enable $(USE_POLL_OPT). Then rebuild squid.
For FreeBSD (from Torsten Sturm <torsten.sturm@axis.de>):

    cd squid-1.1.x
    make realclean
    ./configure --prefix=/usr/local/squid
    make

    options         DFLDSIZ=67108864        # 64 meg default max data size (was 16)
    options         MAXDSIZ=134217728       # 128 meg max data size (was 64)

Rebuild the kernel and reboot the machine.
On Digital UNIX, edit /etc/sysconfigtab and add the line...

    proc:
            per-proc-data-size=1073741824

Or, in csh, use the limit command ...
Editing /etc/sysconfigtab requires a reboot; the limit command does not.
    97/01/23 22:31:10| Removed 1 of 9 objects from bucket 3913
    97/01/23 22:33:10| Removed 1 of 5 objects from bucket 4315
    97/01/23 22:35:40| Removed 1 of 14 objects from bucket 6391

These are normal log file lines; they do not mean that squid has reached cache_swap_high.
On the cache information page in cachemgr.cgi, look for a line like this:

       Storage LRU Expiration Age:     364.01 days

Objects that have not been used for this length of time are removed as part of regular maintenance. You can set your own LRU Expiration Age with reference_age in the configuration file.

    FATAL: Don't run Squid as root, set 'cache_effective_user'!

However, if cache_effective_user is set to something other than nobody, everything is OK. The first solution is to create a user for Squid and set cache_effective_user to it.
You can also change the UID of nobody from 65535 to 65534.
Next select the server (there should be only one), then choose "Properties" from the menu and the "directories" tab; there is a "Directory listing style." option. Select the "Unix" type, not the "MS-DOS" type.
--Oskar Pearson <oskar@is.co.za>
(1) If the other end has several interfaces and packets come from one that is not registered in DNS. Strictly speaking, that is their problem. You can tell them either to register the interface's IP address in DNS, or to use the Squid option 'udp_outgoing_address'.
For example:

    # (parent cache's squid.conf)
    # udp_outgoing_address proxy.parent.com
    # (your squid.conf)
    # cache_host proxy.parent.com parent 3128 3130

(2) This message also appears when ICP queries are sent to several addresses. For security, Squid requires that the other caches listening on the group address be listed in the configuration. If an unknown cache listens on that address and sends replies, your cache will log these messages. To fix it, either ask that cache to stop listening on the address or, if it is legitimate, add it to your configuration file.
ICP is used primarily in a cache hierarchy to locate specific objects in sibling caches. If squid does not find the requested document, it sends an ICP query to its sibling caches, which in turn reply with ICP "HIT" or "MISS" responses. The cache then uses the replies to choose which cache to resolve its own MISSes through.
ICP also supports complex transfers of multiple objects over a single TCP connection. ICP currently runs over UDP. Current versions of Squid also support multiple ICP queries.
Squid's I/O process must not block, so DNS lookups are implemented as a process external to the main one. The dnsserver processes do not cache DNS lookups; squid itself does that.
Not at the moment; supporting this would require an ftpput program.
Besides parent/child relationships, squid supports the notion of sibling caches, that is, caches at the same level of the hierarchy, intended to spread load. Each cache in the hierarchy decides independently where to fetch an object from, either the origin server on the Internet or a parent or sibling cache, using a simple resolution mechanism. Sibling caches will not fetch an object on behalf of another cache at the same level after returning a "miss" to it.
The single_parent_bypass directive suppresses ICP queries when the only neighbour cache is a parent (that is, if there is nowhere else to get the object from, why query needlessly?).
The current list of planned features is available at http://squid.nlanr.net/Squid/Devel/todo.html.
Developers of future versions should refer to http://squid.nlanr.net/Squid/Devel/.
Last-modified: Tue, 01 Dec 1998 21:18:05 GMT