Previous Next Table of Contents

19. Squid version 2

19.1 What are the new features?

19.2 How do I configure 'ssl_proxy' now?

By default, Squid connects directly to origin servers for SSL requests. But if you must force SSL requests through a parent, first tell Squid it can not go direct for SSL:

        acl SSL method CONNECT
        never_direct allow SSL
With this in place, Squid should pick one of your parents to use for SSL requests. If you want it to pick a particular parent, you must use the cache_host_acl configuration:
        cache_peer parent1 parent 3128 3130
        cache_peer parent2 parent 3128 3130
        cache_host_acl parent2 !SSL
The above lines tell Squid to NOT use parent2 for SSL, so it should always use parent1.

19.3 Logfile rotation doesn't work with Async I/O

It is a know limitation when using Async I/O on Linux. The Linux Threads package steals (uses internally) the SIGUSR1 signal that squid uses to rotate logs.

In order to not disturb the threads package SIGUSR1 use is disabled in Squid when threads is enabled on Linux.

19.4 Adding a new cache disk

Simply add your new cache_dir line to squid.conf, then run squid -z again. Squid will create swap directories on the new disk and leave the existing ones in place.

19.5 Squid 2 performs badly on Linux

by Henrik Nordstrom

You may have enabled Asyncronous I/O with the --enable-async-io configure option. Be careful when using threads on Linux. Most versions of libc5 and early versions of glibc have problems with threaded applications. I would not recommend --enable-async-io on Linux unless your system uses a recent version of glibc.

You should also know that --enable-async-io is not optimal unless you have a very busy cache. For low loads the cache performs slightly better without --enable-async-io.

Try recompiling Squid without --enable-async-io. If a non-threaded Squid performs better then your libc probably can't handle threads correctly. (don't forget "make clean" after running configure)

19.6 How do I configure proxy authentication with Squid-2?

For Squid-2, the implementation and configuration has changed. Authentication is now handled via external processes. Arjan's proxy auth page describes how to set it up. Some simple instructions are given below as well.

  1. We assume you have configured an ACL entry with proxy_auth, for example:
            acl foo proxy_auth REQUIRED
            http_access allow foo
    
  2. You will need to compile and install an external authenticator program. Most people will want to use ncsa_auth. The source for this program is included in the source distribution, in the auth_modules/NCSA directory.
            % cd auth_modules/NCSA
            % make
            % make install
    
    You should now have an ncsa_auth program in the same directory where your squid binary lives.
  3. You may need to create a password file. If you have been using proxy authentication before, you probably already have such a file. You can get apache's htpasswd program from our server. Pick a pathname for your password file. We will assume you will want to put it in the same directory as your squid.conf.
  4. Configure the external authenticator in squid.conf. For ncsa_auth you need to give the pathname to the executable and the password file as an argument. For example:
            authenticate_program /usr/local/squid/bin/ncsa_auth /usr/local/squid/etc/passwd
    

After all that, you should be able to start up Squid. If we left something out, or haven't been clear enough, please let us know (squid-faq@ircache.net).

19.7 Why does proxy-auth reject all users with Squid-2.2?

The ACL for proxy-authentication has changed from:

        acl foo proxy_auth timeout
to:
        acl foo proxy_auth username
Please update your ACL appropriately - a username of REQUIRED will permit all valid usernames. The timeout is now specified with the configuration option:
        authenticate_ttl timeout

19.8 Delay Pools

by David Luyer

The information below refers only to version 2.1. Please read the configuration file for details on squid 2.2, which has changed significantly.

The idea came from a Western Australia university who wanted to restrict student traffic costs (without affecting staff traffic, and still getting cache and local peering hits at full speed). There was some early-squid-1.0 code by the central network services at Murdoch University, which I then developed (at the University of Western Australia) into a much more complex patch for squid-1.0 called ``DELAY_HACK.'' I then tried to code it in a much cleaner style and with slightly more generic options than I personally needed, and called this ``delay pools.''

To enable delay pools features in Squid-2, you must use the --enable-delay-pools configure option.

It allows you to limit traffic per client, with various features;

How can I limit Squid's total bandwidth to, say, 512 Kbps?

        acl all src 0.0.0.0/0.0.0.0             # might already be defined
        delay_class1_access allow all
        delay_class1_aggregate_max 64000        # 1 second "buffer" of 64kbytes
        delay_class1_aggregate_restore 64000    # 512 kbits == 64 kbytes per second

The 1 second buffer is because you have implied you just want a limit, and don't want it to be able to respond to a burst. If you want it to be able to respond to a burst, increase the aggregate_max to a larger value, and traffic bursts will be handled.

How to limit a single connection to 128 Kbps?

You can not limit a single HTTP request. You can limit individual hosts to some bandwidth rate. To limit a specific host, define an acl for that host and use the example above. To limit a group of hosts, then you must use the delay_class2 configuration options. For example:

        acl only128kusers src 192.168.1.0/255.255.255.0
        delay_class1_access deny only128kusers
        delay_class2_access allow only128kusers
        delay_class2_aggregate_max 64000
        delay_class2_aggregate_restore 64000
        delay_class2_individual_max 64000
        delay_class2_individual_restore 16000
The above gives a solution where a cache is given a total of 512kbits to operate in, and each IP address gets only 128kbits out of that pool. The problem being that a single connection can take the entire 128k allocation and additional connections are given no bandwidth at all -- those additional connections will have to wait until there is spare bandwidth in the pool (could be some time if it is a large object being downloaded).

19.9 Can I preserve my cache when upgrading from 1.1 to 2?

At the moment we do not have a script which will convert your cache contents from the 1.1 to the Squid-2 format. If enough people ask for one, then somebody will probably write such a script.

If you like, you can configure a new Squid-2 cache with your old Squid-1.1 cache as a sibling. After a few days, weeks, or however long you want to wait, shut down the old Squid cache. If you want to force-load your new cache with the objects from the old cache, you can try something like this:

  1. Install Squid-2 and configure it to have the same amount of disk space as your Squid-1 cache, even if there is not currently that much space free.
  2. Configure Squid-2 with Squid-1 as a parent cache. You might want to enable never_direct on the Squid-2 cache so that all of Squid-2's requests go through Squid-1.
  3. Enable the PURGE method on Squid-1.
  4. Set the refresh rules on Squid-1 to be very liberal so that it does not generate IMS requests for cached objects.
  5. Create a list of all the URLs in the Squid-1 cache. These can be extracted from the access.log, store.log and swap logs.
  6. For every URL in the list, request the URL from Squid-2, and then immediately send a PURGE request to Squid-1.
  7. Eventually Squid-2 will have all the objects, and Squid-1 will be empty.

19.10 Customizable Error Messages

Squid-2 lets you customize your error messages. The source distribution includes error messages in different languages. You can select the language with the configure option:

        --enable-err-language=lang

Furthermore, you can rewrite the error message template files if you like. This list describes the tags which Squid will insert into the messages:

%B

URL with FTP %2f hack

%c

Squid error code

%d

seconds elapsed since request received

%e

errno

%E

strerror()

%f

FTP request line

%F

FTP reply line

%g

FTP server message

%h

cache hostname

%H

server host name

%i

client IP address

%I

server IP address

%L

contents of err_html_text config option

%M

Request Method

%p

URL port \#

%P

Protocol

%R

Full HTTP Request

%S

squid signature from ERR_SIGNATURE

%s

caching proxy software with version

%t

local time

%T

UTC

%U

URL without password

%u

URL without password, %2f added to path

%w

cachemgr email address

%z

dns server error message

19.11 My squid.conf from version 1.1 doesn't work!

Yes, a number of configuration directives have been renamed. Here are some of them:

cache_host

This is now called cache_peer. The old term does not really describe what you are configuring, but the new name tells you that you are configuring a peer for your cache.

cache_host_domain

Renamed to cache_peer_domain.

local_ip, local_domain

The functaionality provided by these directives is now implemented as access control lists. You will use the always_direct and never_direct options. The new squid.conf file has some examples.

cache_stoplist

This directive also has been reimplemented with access control lists. You will use the no_cache option. For example:

        acl Uncachable url_regex cgi ?
        no_cache deny Uncachable
        

cache_swap

This option used to specify the cache disk size. Now you specify the disk size on each cache_dir line.

cache_host_acl

This option has been renamed to cache_peer_access and the syntax has changed. Now this option is a true access control list, and you must include an allow or deny keyword. For example:

        acl that-AS dst_as 1241
        cache_peer_access thatcache.thatdomain.net allow that-AS
        cache_peer_access thatcache.thatdomain.net deny all
        
This example sends requests to your peer thatcache.thatdomain.net only for origin servers in Autonomous System Number 1241.

units

In Squid-1.1 many of the configuration options had implied units associated with them. For example, the connect_timeout value may have been in seconds, but the read_timeout value had to be given in minutes. With Squid-2, these directives take units after the numbers, and you will get a warning if you leave off the units. For example, you should now write:

        connect_timeout 120 seconds
        read_timeout 15 minutes
        


Previous Next Table of Contents