By default, Squid connects directly to origin servers for SSL requests. But if you must force SSL requests through a parent, first tell Squid it can not go direct for SSL:
acl SSL method CONNECT never_direct allow SSLWith this in place, Squid should pick one of your parents to use for SSL requests. If you want it to pick a particular parent, you must use the cache_host_acl configuration:
cache_peer parent1 parent 3128 3130 cache_peer parent2 parent 3128 3130 cache_host_acl parent2 !SSLThe above lines tell Squid to NOT use parent2 for SSL, so it should always use parent1.
It is a know limitation when using Async I/O on Linux. The Linux Threads package steals (uses internally) the SIGUSR1 signal that squid uses to rotate logs.
In order to not disturb the threads package SIGUSR1 use is disabled in Squid when threads is enabled on Linux.
Simply add your new cache_dir line to squid.conf, then run squid -z again. Squid will create swap directories on the new disk and leave the existing ones in place.
by Henrik Nordstrom
You may have enabled Asyncronous I/O with the --enable-async-io configure option. Be careful when using threads on Linux. Most versions of libc5 and early versions of glibc have problems with threaded applications. I would not recommend --enable-async-io on Linux unless your system uses a recent version of glibc.
You should also know that --enable-async-io is not optimal unless you have a very busy cache. For low loads the cache performs slightly better without --enable-async-io.
Try recompiling Squid without --enable-async-io. If a non-threaded Squid performs better then your libc probably can't handle threads correctly. (don't forget "make clean" after running configure)
For Squid-2, the implementation and configuration has changed. Authentication is now handled via external processes. Arjan's proxy auth page describes how to set it up. Some simple instructions are given below as well.
acl foo proxy_auth REQUIRED http_access allow foo
% cd auth_modules/NCSA % make % make installYou should now have an ncsa_auth program in the same directory where your squid binary lives.
authenticate_program /usr/local/squid/bin/ncsa_auth /usr/local/squid/etc/passwd
After all that, you should be able to start up Squid. If we left something out, or haven't been clear enough, please let us know (email@example.com).
The ACL for proxy-authentication has changed from:
acl foo proxy_auth timeoutto:
acl foo proxy_auth usernamePlease update your ACL appropriately - a username of REQUIRED will permit all valid usernames. The timeout is now specified with the configuration option:
by David Luyer
The information below refers only to version 2.1. Please read the configuration file for details on squid 2.2, which has changed significantly.
The idea came from a Western Australia university who wanted to restrict student traffic costs (without affecting staff traffic, and still getting cache and local peering hits at full speed). There was some early-squid-1.0 code by the central network services at Murdoch University, which I then developed (at the University of Western Australia) into a much more complex patch for squid-1.0 called ``DELAY_HACK.'' I then tried to code it in a much cleaner style and with slightly more generic options than I personally needed, and called this ``delay pools.''
To enable delay pools features in Squid-2, you must use the --enable-delay-pools configure option.
It allows you to limit traffic per client, with various features;
acl all src 0.0.0.0/0.0.0.0 # might already be defined delay_class1_access allow all delay_class1_aggregate_max 64000 # 1 second "buffer" of 64kbytes delay_class1_aggregate_restore 64000 # 512 kbits == 64 kbytes per second
The 1 second buffer is because you have implied you just want a limit, and don't want it to be able to respond to a burst. If you want it to be able to respond to a burst, increase the aggregate_max to a larger value, and traffic bursts will be handled.
You can not limit a single HTTP request. You can limit individual hosts to some bandwidth rate. To limit a specific host, define an acl for that host and use the example above. To limit a group of hosts, then you must use the delay_class2 configuration options. For example:
acl only128kusers src 192.168.1.0/255.255.255.0 delay_class1_access deny only128kusers delay_class2_access allow only128kusers delay_class2_aggregate_max 64000 delay_class2_aggregate_restore 64000 delay_class2_individual_max 64000 delay_class2_individual_restore 16000The above gives a solution where a cache is given a total of 512kbits to operate in, and each IP address gets only 128kbits out of that pool. The problem being that a single connection can take the entire 128k allocation and additional connections are given no bandwidth at all -- those additional connections will have to wait until there is spare bandwidth in the pool (could be some time if it is a large object being downloaded).
At the moment we do not have a script which will convert your cache contents from the 1.1 to the Squid-2 format. If enough people ask for one, then somebody will probably write such a script.
If you like, you can configure a new Squid-2 cache with your old Squid-1.1 cache as a sibling. After a few days, weeks, or however long you want to wait, shut down the old Squid cache. If you want to force-load your new cache with the objects from the old cache, you can try something like this:
Squid-2 lets you customize your error messages. The source distribution includes error messages in different languages. You can select the language with the configure option:
Furthermore, you can rewrite the error message template files if you like. This list describes the tags which Squid will insert into the messages:
URL with FTP %2f hack
Squid error code
seconds elapsed since request received
FTP request line
FTP reply line
FTP server message
server host name
client IP address
server IP address
contents of err_html_text config option
URL port \#
Full HTTP Request
squid signature from ERR_SIGNATURE
caching proxy software with version
URL without password
URL without password, %2f added to path
cachemgr email address
dns server error message
Yes, a number of configuration directives have been renamed. Here are some of them:
This is now called cache_peer. The old term does not really describe what you are configuring, but the new name tells you that you are configuring a peer for your cache.
Renamed to cache_peer_domain.
The functaionality provided by these directives is now implemented as access control lists. You will use the always_direct and never_direct options. The new squid.conf file has some examples.
This directive also has been reimplemented with access control lists. You will use the no_cache option. For example:
acl Uncachable url_regex cgi ? no_cache deny Uncachable
This option used to specify the cache disk size. Now you specify the disk size on each cache_dir line.
This option has been renamed to cache_peer_access and the syntax has changed. Now this option is a true access control list, and you must include an allow or deny keyword. For example:
acl that-AS dst_as 1241 cache_peer_access thatcache.thatdomain.net allow that-AS cache_peer_access thatcache.thatdomain.net deny allThis example sends requests to your peer thatcache.thatdomain.net only for origin servers in Autonomous System Number 1241.
In Squid-1.1 many of the configuration options had implied units associated with them. For example, the connect_timeout value may have been in seconds, but the read_timeout value had to be given in minutes. With Squid-2, these directives take units after the numbers, and you will get a warning if you leave off the units. For example, you should now write:
connect_timeout 120 seconds read_timeout 15 minutes