From 9ea12eb3390e72f544ef880f20073cacb22483f3 Mon Sep 17 00:00:00 2001 From: cvsdist Date: Thu, 9 Sep 2004 12:40:04 +0000 Subject: [PATCH] auto-import squid-2.4.STABLE6-6.7.3 from squid-2.4.STABLE6-6.7.3.src.rpm --- .cvsignore | 1 + FAQ.sgml | 233 +++++++++++++++++++++++++++++++++++++++++++---------- sources | 1 + squid.spec | 28 ++++++- 4 files changed, 220 insertions(+), 43 deletions(-) diff --git a/.cvsignore b/.cvsignore index c13f59d..2b0525a 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1 +1,2 @@ +msntauth-v2.0.3-squid.1.tar.gz squid-2.4.STABLE6-src.tar.gz diff --git a/FAQ.sgml b/FAQ.sgml index 86d1a5c..c17c098 100644 --- a/FAQ.sgml +++ b/FAQ.sgml @@ -15,8 +15,10 @@ Object Cache software.

You can download the FAQ as -, and -. +, +, + or as a +.

@@ -450,6 +452,8 @@ The following people have made contributions to this document: + +

Please send corrections, updates, and comments to: @@ -583,6 +587,11 @@ Squid binaries for +

+Gurkan Sengun has some + +available. + How do I apply a patch or a diff?

You need the You can use the - acl INSIDE dstdomain mydomain.com - never_direct deny INSIDE + acl INSIDE dstdomain .mydomain.com + always_direct allow INSIDE + never_direct allow all -Note that the outside domains will not match the You could also specify internal servers by IP address acl INSIDE_IP dst 1.2.3.4/24 - never_direct deny INSIDE + always_direct allow INSIDE + never_direct allow all Note, however that when you use IP addresses, Squid must perform a DNS lookup to convert URL hostnames to an @@ -2204,7 +2211,7 @@ easy for someone to see or grab your password. by

You may like to start by reading the - + that describes WPAD.

@@ -2352,15 +2359,6 @@ There are a few basic points common to all log files. The time stamps logged into the log files are usually UTC seconds unless stated otherwise. The initial time stamp usually contains a millisecond extension. -

-The frequent time lookups on busy caches may have a performance impact on -some systems. The compile time configuration option - @@ -2722,9 +2720,10 @@ The hierarchy information consists of three items: forwarding it to a peer, or going straight to the source. Refer to section for details on hierarchy codes and removed hierarchy codes. -The name of the host the object was requested from. This host may - be the origin site, a parent or any other peer. Also note that the - hostname may be numerical. +The IP address or hostname where the request (if a miss) was forwarded. + For requests sent to origin servers, this is the origin server's IP address. + For requests sent to a neighbor cache, this is the neighbor's hostname. + NOTE: older versions of Squid would put the origin server hostname here. @@ -3175,6 +3174,12 @@ only keep up to +If you set To rotate Squid's logs, simple use this command: @@ -3216,6 +3221,12 @@ You need to +I want to use another tool to maintain the log files. +

+If you set Managing log files

@@ -3791,6 +3802,7 @@ and port numbers together (see the squid.conf comments). Memory +

-

Note: This information is specific to Squid-1.1 versions @@ -4303,6 +4317,34 @@ script: % ./configure --enable-dlmalloc ... +How much memory do I need in my Squid server? +

+As a rule of thumb on Squid uses approximately 10 MB of RAM per GB of the +total of all cache_dirs (more on 64 bit servers such as Alpha), plus your +cache_mem setting and about an additional 10-20MB. It is recommended to +have at least twice this amount of physical RAM available on your Squid +server. For a more detailed discussion on Squid's memory usage see the +sections above. + +

+The recommended extra RAM besides what is used by Squid is used by the +operating system to improve disk I/O performance and by other applications or +services running on the server. This will be true even of a server which +runs Squid as the only tcp service, since there is a minimum level of +memory needed for process management, logging, and other OS level +routines. + +

+If you have a low memory server, and a large disk, then you will not +necessarily be able to use all the disk space, since as the cache fills +the memory available will be insufficient, forcing Squid to swap out +memory and affecting performance. A very large cache_dir total and +insufficient physical RAM + Swap could cause Squid to stop functioning +completely. The solution for larger caches is to get more physical RAM; +allocating more to Squid via cache_mem will not help. + The Cache Manager @@ -5097,12 +5139,12 @@ so a url containing ``Cooking'' would not be denied. Another way is to deny access to specific servers which are known to hold recipes. For example: - acl Cooking2 dstdomain gourmet-chef.com + acl Cooking2 dstdomain www.gourmet-chef.com http_access deny Cooking2 http_access allow all The + @@ -5400,6 +5443,11 @@ the neighbor ACL's first in the list of Squid doesn't match my subdomains + +

NOTE: Current Squid versions (as of Squid-2.4) will warn you +when this kind of configuration is used. Also the configuration here uses +the dstdomain syntax of Squid-2.1 or earlier.. (2.2 and later needs to +have domains prefixed by a dot)

There is a subtle problem with domain-name based access controls when a single ACL element has an entry that is a subdomain of @@ -6255,7 +6303,7 @@ Memory usage is a complicated problem. There are a number of things to consider.

-First, examine the Cache Manager Number of HTTP requests received: 121104 Page faults with physical i/o: 16720 @@ -6275,6 +6323,9 @@ If the ratio is too high, you will need to make some changes to . +

+See also . + WARNING: Failed to start 'dnsserver'

@@ -7180,7 +7231,7 @@ them completely and only use the proxy.pac for example. Requests for international domain names does not work

-By Henrik Nordström +By Henrik Nordström

Some people have asked why requests for domain names using national symbols as "supported" by the certain domain registrars does not work @@ -7202,9 +7253,104 @@ url="http://www.ietf.org/html.charters/idn-charter.html" name="IETF idn"> working group or it's . +Why do I sometimes get ``Zero Sized Reply''? + +

+This happens when Squid makes a TCP connection to an origin server, but +for some reason, the connection is closed before Squid reads any data. +Depending on various factors, Squid may be able to retry the request again. +If you see the ``Zero Sized Reply'' error message, it means that Squid +was unable to retry, or that all retry attempts also failed. + +

+What causes a connection to close prematurely? It could be a number +of things, including: + +An overloaded origin server. +TCP implementation/interoperability bugs. +Race conditions with HTTP persistent connections. +Buggy or misconfigured NAT boxes, firewalls, and load-balancers. +Denial of service attacks. + + +

+You may be able to use +Some users believe the problem is caused by very large cookies. +One user reports that his Zero Sized Reply problem went away +when he told Internet Explorer to not accept third-party +cookies. + +

+Here are some things you can try to reduce the occurance of the +Zero Sized Reply error: + +Delete or rename your cookie file and configure your + browser to prompt you before accepting any new cookies. +Disable HTTP persistent connections with the + Disable any advanced TCP features on the Squid system. Disable + ECN on Linux with echo 0 > /proc/sys/net/ipv4/tcp_ecn/. + + +

+If this error causes serious problems for you, +Squid developers would be happy to help you uncover the problem. However, +we will require high-quality debugging information from you, such as + +If you want to make Squid give the Zero Sized error +on demand, you can use the short C program below. Simply compile and +start the program on a system that doesn't already have a server +running on port 80. Then try to connect to this fake server through +Squid: + +#include +#include +#include +#include +#include +#include +#include +#include + +int +main(int a, char **b) +{ + struct sockaddr_in S; + int s,t,x; + s = socket(PF_INET, SOCK_STREAM, 0); + assert(s > 0); + memset(&S, '\0', sizeof(S)); + S.sin_family = AF_INET; + S.sin_port = htons(80); + x = bind(s, (struct sockaddr *) &S, sizeof(S)); + assert(x == 0); + x = listen(s, 10); + assert(x == 0); + while (1) { + struct sockaddr_in F; + int fl = sizeof(F); + t = accept(s, (struct sockaddr *) &F, &fl); + fprintf(stderr, "accpeted FD %d from %s:%d\n", + t, inet_ntoa(F.sin_addr), (int)ntohs(F.sin_port)); + close(t); + fprintf(stderr, "closed FD %d\n", t); + } + return 0; +} + + + How does Squid work? +

@@ -8826,8 +8972,8 @@ diff -p -u -r1.40 -r1.41 * SUCH DAMAGE. * * @(#)uipc_socket.c 8.3 (Berkeley) 4/15/94 -- * $Id: FAQ.sgml,v 1.4 2004/09/09 12:37:50 cvsdist Exp $ -+ * $Id: FAQ.sgml,v 1.4 2004/09/09 12:37:50 cvsdist Exp $ +- * $Id: FAQ.sgml,v 1.5 2004/09/09 12:40:04 cvsdist Exp $ ++ * $Id: FAQ.sgml,v 1.5 2004/09/09 12:40:04 cvsdist Exp $ */ #include @@ -9095,7 +9241,7 @@ or broken TCP/IP implementations. To work around such broken sites you can disable ECN with the following command: -echo 0 >/proc/sys/net/ipv4/tcp_ecn +echo 0 > /proc/sys/net/ipv4/tcp_ecn

Found this on the FreeBSD mailing list: @@ -10045,10 +10191,10 @@ httpd_accel_uses_host_header on any IP address, on port 80 - and deliver them to your cache application. This is typically done with IP filtering/forwarding features built into the kernel. - On linux they call this Interception caching for Solaris, SunOS, and BSD systems +

+NOTE: You don't need to use IP Filter on FreeBSD. Use the built-in Install IP Filter +

First, get and install the What about WCCPv2?

-Cisco has published WCCPv2 as an (expires Jan 2001). +Cisco has published WCCPv2 as an (expired Jan 2001). At this point, Squid does not support WCCPv2, but anyone is welcome to code it up and contribute to the Squid project. @@ -12824,7 +12975,7 @@ want to make a cron job that regularly verifies that your proxy blocks access to port 25. -$Id: FAQ.sgml,v 1.4 2004/09/09 12:37:50 cvsdist Exp $ +$Id: FAQ.sgml,v 1.5 2004/09/09 12:40:04 cvsdist Exp $
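Review bot: In the FAQ.sgml hunk that rewrites the never_direct example, the IP-address variant defines `acl INSIDE_IP dst 1.2.3.4/24` but the added rule is `always_direct allow INSIDE`, so that example's rule does not reference the ACL it defines. It should read `always_direct allow INSIDE_IP`. Because `never_direct allow all` follows it, a reader who copies the IP variant alone gets no direct path for the internal addresses.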
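Review bot: The deny rule in the Cooking2 hunk covers only one host name once the ACL reads `acl Cooking2 dstdomain www.gourmet-chef.com`, so `http_access deny Cooking2` no longer matches other hosts under gourmet-chef.com. That is inconsistent with the never_direct hunk in this same patch, which moves to the leading-dot form `.mydomain.com`, and with the added NOTE that 2.2 and later need domains prefixed by a dot. If the whole domain is meant, use `.gourmet-chef.com`; if only the one server is meant, say so in the text next to the example.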
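Review bot: The first sentence of the added "How much memory do I need in my Squid server?" answer has a stray word ("As a rule of thumb on Squid uses approximately 10 MB ..."); drop "on". The same paragraph writes the unit two ways ("10 MB" and "10-20MB"), and the third paragraph says "physical RAM + Swap" right before stating that swapping hurts performance; consider wording that so it does not read as a recommendation to size swap into the total.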
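Review bot: The test server added in the "Zero Sized Reply" hunk never checks the return value of `accept()`, so on failure it prints from an uninitialized `F` via `inet_ntoa()` and then calls `close()` on -1; add `if (t < 0) continue;` (or report the error) before the `fprintf`. In the same program `assert(s > 0)` rejects a valid descriptor 0 (the failure value is -1, so `s >= 0` is the right test) and `fl` is declared `int` where `accept()` expects a `socklen_t`. Two typos in this hunk as well: "accpeted" in the `fprintf` string and "occurance" in the sentence introducing the list of things to try.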
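Review bot: The `$Id` lines inside the quoted uipc_socket.c diff (the hunk at -8826) are being rewritten by CVS keyword expansion: the removed and the added line are now identical and both read `$Id: FAQ.sgml,v 1.5 ...`, as they already did at 1.4. The embedded patch therefore no longer shows the real change to that header, and this hunk will reappear on every commit of FAQ.sgml. Keep the keyword from expanding inside that quoted diff, for example by breaking up the `$Id` token in the SGML source or by storing the file with keyword substitution turned off.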