19.1 What are the new features?
* HTTP/1.1 persistent connections.
* Lower VM usage; in-transit objects are not held fully in memory.
* Totally independent swap directories.
* Customizable error texts.
* FTP supported internally; no more ftpget.
* Asynchronous disk operations (optional, requires pthreads
library).
* Internal icons for FTP and gopher directories.
* snprintf() used everywhere instead of sprintf().
* SNMP.
* URN support
* Routing requests based on AS numbers.
* Cache Digests
* ...and many more!
19.2 How do I configure 'ssl_proxy' now?
By default, Squid connects directly to origin servers for SSL
requests. But if you must force SSL requests through a parent, first
tell Squid it can not go direct for SSL:
acl SSL method CONNECT
never_direct allow SSL
With this in place, Squid should pick one of your parents to use for
SSL requests. If you want it to pick a particular parent, you must use
the cache_host_acl configuration:
cache_peer parent1 parent 3128 3130
cache_peer parent2 parent 3128 3130
cache_host_acl parent2 !SSL
The above lines tell Squid to NOT use parent2 for SSL, so it should
always use parent1.
19.3 Logfile rotation doesn't work with Async I/O
It is a know limitation when using Async I/O on Linux. The Linux
Threads package steals (uses internally) the SIGUSR1 signal that squid
uses to rotate logs.
In order to not disturb the threads package SIGUSR1 use is disabled in
Squid when threads is enabled on Linux.
19.4 Adding a new cache disk
Simply add your new cache_dir line to squid.conf, then run squid -z
again. Squid will create swap directories on the new disk and leave
the existing ones in place.
19.5 Squid 2 performs badly on Linux
by Henrik Nordstrom
You may have enabled Asyncronous I/O with the --enable-async-io
configure option. Be careful when using threads on Linux. Most
versions of libc5 and early versions of glibc have problems with
threaded applications. I would not recommend --enable-async-io on
Linux unless your system uses a recent version of glibc.
You should also know that --enable-async-io is not optimal unless you
have a very busy cache. For low loads the cache performs slightly
better without --enable-async-io.
Try recompiling Squid without --enable-async-io. If a non-threaded
Squid performs better then your libc probably can't handle threads
correctly. (don't forget "make clean" after running configure)
19.6 How do I configure proxy authentication with Squid-2?
For Squid-2, the implementation and configuration has changed.
Authentication is now handled via external processes. Arjan's proxy
auth page describes how to set it up. Some simple instructions are
given below as well.
1. We assume you have configured an ACL entry with proxy_auth, for
example:
acl foo proxy_auth
http_access allow foo
2. You will need to compile and install an external authenticator
program. Most people will want to use ncsa_auth. The source for
this program is included in the source distribution, in the
auth_modules/NCSA directory.
% cd auth_modules/NCSA
% make
% make install
You should now have an ncsa_auth program in the same directory
where your squid binary lives.
3. You may need to create a password file. If you have been using
proxy authentication before, you probably already have such a
file. You can get apache's htpasswd program from our server. Pick
a pathname for your password file. We will assume you will want to
put it in the same directory as your squid.conf.
4. Configure the external authenticator in squid.conf. For ncsa_auth
you need to give the pathname to the executable and the password
file as an argument. For example:
authenticate_program /usr/local/squid/bin/ncsa_auth /usr/local/squid/et
c/passwd
After all that, you should be able to start up Squid. If we left
something out, or haven't been clear enough, please let us know
(squid-faq@ircache.net).
19.7 Delay Pools
by David Luyer
The idea came from a Western Australia university who wanted to
restrict student traffic costs (without affecting staff traffic, and
still getting cache and local peering hits at full speed). There was
some early-squid-1.0 code by the central network services at Murdoch
University, which I then developed (at the University of Western
Australia) into a much more complex patch for squid-1.0 called
``DELAY_HACK.'' I then tried to code it in a much cleaner style and
with slightly more generic options than I personally needed, and
called this ``delay pools.''
To enable delay pools features in Squid-2, you must use the
--enable-delay-pools configure option.
It allows you to limit traffic per client, with various features;
* can specify peer hosts which aren't affected by delay pools, ie,
local peering
* delay behavior is selected by ACLs (low and high priority traffic,
staff vs students or student vs authenticated student or so on, or
simply modem users get a 56kbps maximum pulled down for them at
any time)
* each class of users has a number of "pools", a pool has an amount
coming into it in a second and a maximum amount it can grow to.
when it reaches zero, objects reads are deferred until one of the
object's clients has some traffic allowance.
* class 1 - contains a single unified pool
* class 2 - contains one unified pool and 254 pools for each host on
an 8-bit network (IPv4 class c).
* class 3 - contains 254 pools for subnets in a 16-bit network, and
individual pools for most most on these networks (network 255 and
hosts 0 and 255 are not permitted) (IPv4 class b).
* each set of pools can be configured individually or disabled, eg,
you might only want to use the aggregate and per-host pool of
class 3, and not the per-network one.
How can I limit Squid's total bandwidth to, say, 512 Kbps?
acl all src 0.0.0.0/0.0.0.0 # might already be defined
delay_class1_access allow all
delay_class1_aggregate_max 64000 # 1 second "buffer" of 64kbytes
delay_class1_aggregate_restore 64000 # 512 kbits == 64 kbytes per se
cond
The 1 second buffer is because you have implied you just want a limit,
and don't want it to be able to respond to a burst. If you want it to
be able to respond to a burst, increase the aggregate_max to a larger
value, and traffic bursts will be handled.
How to limit a single connection to 128 Kbps?
You can not limit a single HTTP request. You can limit individual
hosts to some bandwidth rate. To limit a specific host, define an acl
for that host and use the example above. To limit a group of hosts,
then you must use the delay_class2 configuration options. For example:
acl only128kusers src 192.168.1.0/255.255.255.0
delay_class1_access deny only128kusers
delay_class2_access allow only128kusers
delay_class2_aggregate_max 64000
delay_class2_aggregate_restore 64000
delay_class2_individual_max 64000
delay_class2_individual_restore 16000
The above gives a solution where a cache is given a total of 512kbits
to operate in, and each IP address gets only 128kbits out of that
pool. The problem being that a single connection can take the entire
128k allocation and additional connections are given no bandwidth at
all -- those additional connections will have to wait until there is
spare bandwidth in the pool (could be some time if it is a large
object being downloaded).
19.8 Can I preserve my cache when upgrading from 1.1 to 2?
At the moment we do not have a script which will convert your cache
contents from the 1.1 to the Squid-2 format. If enough people ask for
one, then somebody will probably write such a script.
If you like, you can configure a new Squid-2 cache with your old
Squid-1.1 cache as a sibling. After a few days, weeks, or however long
you want to wait, shut down the old Squid cache. If you want to
force-load your new cache with the objects from the old cache, you can
try something like this:
1. Install Squid-2 and configure it to have the same amount of disk
space as your Squid-1 cache, even if there is not currently that
much space free.
2. Configure Squid-2 with Squid-1 as a parent cache. You might want
to enable never_direct on the Squid-2 cache so that all of
Squid-2's requests go through Squid-1.
3. Enable the PURGE method on Squid-1.
4. Set the refresh rules on Squid-1 to be very liberal so that it
does not generate IMS requests for cached objects.
5. Create a list of all the URLs in the Squid-1 cache. These can be
extracted from the access.log, store.log and swap logs.
6. For every URL in the list, request the URL from Squid-2, and then
immediately send a PURGE request to Squid-1.
7. Eventually Squid-2 will have all the objects, and Squid-1 will be
empty.
19.9 Customizable Error Messages
Squid-2 lets you customize your error messages. The source
distribution includes error messages in different languages. You can
select the language with the configure option:
--enable-err-language=lang
Furthermore, you can rewrite the error message template files if you
like. This list describes the tags which Squid will insert into the
messages:
%B
URL with FTP %2f hack
%c
Squid error code
%d
seconds elapsed since request received
%e
errno
%E
strerror()
%f
FTP request line
%F
FTP reply line
%g
FTP server message
%h
cache hostname
%H
server host name
%i
client IP address
%I
server IP address
%L
contents of err_html_text config option
%M
Request Method
%p
URL port \#
%P
Protocol
%R
Full HTTP Request
%S
squid signature from ERR_SIGNATURE
%s
caching proxy software with version
%t
local time
%T
UTC
%U
URL without password
%u
URL without password, %2f added to path
%w
cachemgr email address
%z
dns server error message
19.10 My squid.conf from version 1.1 doesn't work!
Yes, a number of configuration directives have been renamed. Here are
some of them:
cache_host
This is now called cache_peer. The old term does not really
describe what you are configuring, but the new name tells you
that you are configuring a peer for your cache.
cache_host_domain
Renamed to cache_peer_domain.
local_ip, local_domain
The functaionality provided by these directives is now
implemented as access control lists. You will use the
always_direct and never_direct options. The new squid.conf file
has some examples.
cache_stoplist
This directive also has been reimplemented with access control
lists. You will use the no_cache option. For example:
acl Uncachable url_regex cgi ?
no_cache deny Uncachable
cache_swap
This option used to specify the cache disk size. Now you
specify the disk size on each cache_dir line.
cache_host_acl
This option has been renamed to cache_peer_access and the
syntax has changed. Now this option is a true access control
list, and you must include an allow or deny keyword. For
example:
acl that-AS dst_as 1241
cache_peer_access thatcache.thatdomain.net allow that-AS
cache_peer_access thatcache.thatdomain.net deny all
This example sends requests to your peer
thatcache.thatdomain.net only for origin servers in Autonomous
System Number 1241.
units
In Squid-1.1 many of the configuration options had implied
units associated with them. For example, the connect_timeout
value may have been in seconds, but the read_timeout value had
to be given in minutes. With Squid-2, these directives take
units after the numbers, and you will get a warning if you
leave off the units. For example, you should now write:
connect_timeout 120 seconds
read_timeout 15 minutes
_________________________________________________________________
Previous Next Table of Contents