
---------------------------------------------------------------
The original of this text is located at
http://www.atals.net.ru/Squid-faq.html
---------------------------------------------------------------
Squid is a caching proxy server which is, in our view, the most advanced of the freely distributed proxy servers. This is a translation of the FAQ for that server. A new version of this document has recently appeared. Nevertheless, this translation contains answers to most of the important questions about Squid.
Send your remarks and suggestions to ilgam@atlas.net.ru

Translation into Russian: Ilgam Vasiliev, Atlas Networks, Copyright © 1997

Frequently Asked Questions

1 About Squid, this FAQ, and other information on Squid

1.1 What is Squid?

Squid is a high-performance caching proxy for web clients, supporting FTP, gopher, and HTTP. Unlike traditional caching software, Squid handles all requests in a single, non-blocking, I/O-driven process. Squid keeps frequently requested data in RAM, caches DNS lookups, does not block on DNS lookups, and does not cache failed requests. It also supports SSL, extensive access control, and full request logging. Using the Internet Cache Protocol (ICP), Squid caches can be arranged in a hierarchy for additional bandwidth savings.

Squid consists of the main program squid, the DNS lookup program dnsserver, the FTP retrieval program ftpget, and some management tools. When squid starts, it spawns a configurable number of dnsserver processes, each of which runs on its own and blocks only on DNS lookups. This reduces the overall time spent waiting for DNS answers.

Squid is derived from the ARPA-funded Harvest project. http://harvest.cs.colorado.edu/

1.2 What is Internet object caching?

It is a way of storing objects requested from the Internet (for example, data available via the HTTP, FTP and gopher protocols) on a server that is closer to the requesting computer than the origin. Browsers can then use the Squid cache as an HTTP proxy server, reducing both access time and link load.

1.3 Why Squid?

Harris' Lament answers, "All the good ones are taken."

We needed to distinguish ourselves somehow from the Harvest cache. Squid was the code name during early development, and it stuck.

1.4 What is the latest version of Squid?

Squid is updated frequently; see http://squid.nlanr.net/Squid/ for the latest changes.

1.5 Who is the author of Squid?

Squid is the result of the efforts of several people from the Internet community. The project is led by Duane Wessels of the National Laboratory for Applied Network Research (funded by the National Science Foundation).

1.6 Where can I get Squid?

You can get it by FTP here:
ftp://squid.nlanr.net/pub/.
There are also many mirrors around the world:
http://squid.nlanr.net/Squid/mirrors.html

1.7 Where do I subscribe to the Squid mailing list?

Archives of the various mailing lists are available at http://squid.nlanr.net/Mail-Archive/squid-users/

1.8 Web pages about Squid.

Information about the Squid program is at http://squid.nlanr.net/Squid/, and additional information about caching in general is at http://www.nlanr.net/Cache/.

1.9 What is the official status of Squid?

From the README file of the Squid distribution:
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License as
published by the Free Software Foundation; either version 2 of the
License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

1.10 Contributors to the Squid FAQ

Jonathan Larmour <JLarmour@origin-at.co.uk>
Cord Beermann <cord@cc.fh-lippe.de>
Tony Sterrett <tony@nlanr.net>
Gerard Hynes <ghynes@compusult.nf.ca>
<tkatayam@pi.titech.ac.jp>
Duane Wessels <wessels@nlanr.net>
K Claffy <kc@nlanr.net>
Paul Southworth <pauls@etext.org>

Please send corrections, updates and comments to: squid-faq@nlanr.net.


2 Installation

2.1 Which files should I get?

You need to download the source archive, named squid-x.y.z-src.tar.gz (for example, squid-1.1.6-src.tar.gz), from http://squid.nlanr.net/Squid/. Diffs between versions are available for upgrading; they are applied with the patch program, which can be obtained from ftp://prep.ai.mit.edu/pub/gnu/.

2.2 How do I install Squid?

First of all, unpack the source archive as follows:

% gzip -dc squid-x.y.z-src.tar.gz | tar xvf -

Then configure, compile and install:

% cd squid-x.y.z
% ./configure
% make all
% make install

It is best to use the GNU C (gcc) compiler. Recent versions are written in ANSI C, so older compilers may not work. The GNU C compiler is available from ftp://prep.ai.mit.edu/pub/gnu/. Several options can be passed to the configure script. The most useful is --prefix, for installing into a different directory. The default is /usr/local/squid. To change it, do the following:

% cd squid-x.y.z
% ./configure --prefix=/some/other/directory/squid

2.3 What operating systems does Squid run on?

The software is designed to run on any modern Unix system, and is known to work on AIX, FreeBSD, HP-UX, IRIX, Linux, OSF/1, Solaris, and SunOS. If you discover platform-specific problems, please let us know by email: squid-bugs@nlanr.net.

2.4 What is the squid.conf file for?

The squid.conf file sets the configuration of squid. The configuration includes (but is not limited to) the HTTP port number, the port number for ICP queries, incoming and outgoing requests, firewall access information, and various timeout values.

2.5 Is there a sample squid.conf?

Yes, after you have successfully run make install, a sample squid.conf file will be in the "etc" subdirectory of the Squid installation directory. The sample squid.conf contains comments explaining each option.

2.6 How do I start squid?

After editing the configuration file, squid can be started from the RunCache script. If you installed into the default directory, the command to start it is:

/usr/local/squid/bin/RunCache &

2.7 How do I know that Squid is running?

There is the client program for this:

% client http://www.netscape.com/ > test

There are other command-line HTTP client programs as well. You may find these two useful: url_get, at ftp://ftp.pasteur.fr/pub/Network/url_get/, and echoping, at ftp://ftp.pasteur.fr/pub/Network/echoping/. Also check the most important files, access.log and cache.log.

2.8 How do I apply patches?

You need the patch program. Usually it is enough to:
 cd squid-1.1.x
 patch < /tmp/fixes.patch

But from time to time you may come across patches created from the 'src' directory; then you need:
 cd squid-1.1.x/src
 patch < /tmp/fixes.patch

If the patch program complains about something and refuses to work, you will need to get a newer version, for example from the GNU FTP site.

3 Configuration

3.1 How do I set up a proxy hierarchy?

To place a cache in a hierarchy, use the cache_host directive in squid.conf to specify the parent and sibling (same-level) nodes.

For example, the following squid.conf on childcache.example.com is configured so that its cache fetches data from one parent and two sibling caches:

 # squid.conf - On the host: childcache.example.com
 #
 # Format is: hostname type http_port udp_port
 #
 cache_host parentcache.example.com parent 3128 3130
 cache_host childcache2.example.com sibling 3128 3130
 cache_host childcache3.example.com sibling 3128 3130
The cache_host_domain directive lets you specify, per domain, both sibling and parent caches:
 # squid.conf - On the host: sv.cache.nlanr.net
 #
 # Format is: hostname type http_port udp_port
 #

 cache_host electraglide.geog.unsw.edu.au parent 3128 3130
 cache_host cache1.nzgate.net.nz parent 3128 3130
 cache_host pb.cache.nlanr.net parent 3128 3130
 cache_host it.cache.nlanr.net parent 3128 3130
 cache_host sd.cache.nlanr.net parent 3128 3130
 cache_host uc.cache.nlanr.net sibling 3128 3130
 cache_host bo.cache.nlanr.net sibling 3128 3130
 cache_host_domain electraglide.geog.unsw.edu.au .au
 cache_host_domain cache1.nzgate.net.nz .au .aq .fj .nz
 cache_host_domain pb.cache.nlanr.net .uk .de .fr .no .se .it
 cache_host_domain it.cache.nlanr.net .uk .de .fr .no .se .it
 cache_host_domain sd.cache.nlanr.net .mx .za .mu .zm
The above configuration says that the cache will use pb.cache.nlanr.net and it.cache.nlanr.net for the uk, de, fr, no, se and it domains, sd.cache.nlanr.net for the mx, za, mu and zm domains, and cache1.nzgate.net.nz for the au, aq, fj and nz domains.
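The following is an added example, not code from the FAQ or from Squid: it parses the cache_host and cache_host_domain lines above and reports which parents and siblings a request for a given host can go to. It assumes that a peer with no cache_host_domain line is eligible for every domain and that an entry such as .au matches any host ending in it.

```python
"""Which peers does Squid consider for a request host?

Added example, not code from the FAQ or from Squid. Assumptions: a peer
without a cache_host_domain line is eligible for every domain, and a
domain entry such as ".au" matches a host that ends with it.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Peer:
    host: str
    kind: str                 # "parent" or "sibling"
    http_port: int
    icp_port: int
    domains: List[str] = field(default_factory=list)


def parse_peers(conf: str) -> Dict[str, Peer]:
    """Collect cache_host / cache_host_domain lines into Peer records."""
    peers: Dict[str, Peer] = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] == "cache_host" and len(fields) >= 5:
            host, kind, http_port, icp_port = fields[1:5]
            peers[host] = Peer(host, kind, int(http_port), int(icp_port))
        elif fields[0] == "cache_host_domain" and len(fields) >= 3:
            host = fields[1]
            if host not in peers:
                raise ValueError("cache_host_domain for unknown peer %s" % host)
            peers[host].domains.extend(d.lower() for d in fields[2:])
    return peers


def domain_matches(request_host: str, domain: str) -> bool:
    """True if request_host lies in domain (".au" matches "www.unsw.edu.au")."""
    h = request_host.lower().rstrip(".")
    d = domain.lstrip(".")
    return h == d or h.endswith("." + d)


def eligible_peers(peers: Dict[str, Peer], request_host: str) -> List[Tuple[str, str]]:
    """(hostname, kind) for every peer Squid would consider for this host."""
    chosen = []
    for p in peers.values():
        if not p.domains or any(domain_matches(request_host, d) for d in p.domains):
            chosen.append((p.host, p.kind))
    return chosen


def parents_for(peers: Dict[str, Peer], request_host: str) -> List[str]:
    """Parents only; an empty list means no parent is available for this host."""
    return [h for h, kind in eligible_peers(peers, request_host) if kind == "parent"]


# The sv.cache.nlanr.net configuration from the FAQ, used here as sample input.
SAMPLE_CONF = """
cache_host electraglide.geog.unsw.edu.au parent 3128 3130
cache_host cache1.nzgate.net.nz parent 3128 3130
cache_host pb.cache.nlanr.net parent 3128 3130
cache_host it.cache.nlanr.net parent 3128 3130
cache_host sd.cache.nlanr.net parent 3128 3130
cache_host uc.cache.nlanr.net sibling 3128 3130
cache_host bo.cache.nlanr.net sibling 3128 3130
cache_host_domain electraglide.geog.unsw.edu.au .au
cache_host_domain cache1.nzgate.net.nz .au .aq .fj .nz
cache_host_domain pb.cache.nlanr.net .uk .de .fr .no .se .it
cache_host_domain it.cache.nlanr.net .uk .de .fr .no .se .it
cache_host_domain sd.cache.nlanr.net .mx .za .mu .zm
"""

PEERS = parse_peers(SAMPLE_CONF)

if __name__ == "__main__":
    for host in ("www.ox.ac.uk", "www.unsw.edu.au", "www.example.com"):
        print(host, "->", eligible_peers(PEERS, host))
```

Note that a host outside every listed domain (www.example.com in the sample) is left with only the two unrestricted siblings and no parent at all.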

3.2 How do I join the NLANR hierarchy?

There is a simple set of rules for joining the NLANR cache hierarchy.

3.3 Why should I join the NLANR hierarchy?

The NLANR hierarchy can serve as an initial source of parent and sibling caches. Joining the NLANR global cache system is usually accompanied by a performance improvement.

3.4 How do I register my cache with NLANR?

Simply include these options in your squid.conf, and that is all:
cache_announce 24
announce_to sd.cache.nlanr.net:3131

Note: announcing the cache is not the same as joining the NLANR hierarchy. You can join the NLANR hierarchy without registering, and you can register without joining the NLANR cache hierarchy.

3.5 How do I find the caches nearest to me and set up parent/child/sibling relationships with them?

Visit the NLANR cache registration database and look for the nearest one. And remember that a cache being registered in the database does not mean it will want to be your parent/child/sibling. But it never hurts to ask...

3.6 What is httpd-accelerator mode?

People often have trouble understanding accelerators and caching proxies, which usually leads to confusion about "inbound" and "outbound" data. Think of it in terms of requests (for example, an outbound request goes from the local machine to the big bad Internet). The data received in response is inbound. The opposite sense arises if you think of it as a "request for inbound data".

An accelerator caches inbound requests for outbound data (for example, the data you publish on your own server). In doing so it takes load off your HTTP server and internal network. You take the server off port 80 (or whichever port you use) and put the accelerator in its place; the accelerator forwards HTTP data from the "real" HTTP server (only the accelerator needs to know where the real server is). The outside world sees no difference (except perhaps faster access).

Besides offloading the real web server, an accelerator can sit outside a firewall or any other network bottleneck and talk to the HTTP servers inside, reducing traffic through the bottleneck and simplifying configuration. Two or more accelerators connected via ICP can increase the speed and the resilience of a web server against any single failure.

The Squid redirector can make an accelerator act as a single coherent front for several servers. If you need to move parts of your file system from one server to another, or if separately administered HTTP servers should logically appear under a single URL hierarchy, an accelerator will do it.

If you only want to cache the "rest of the world" to make local users' Internet access more efficient, accelerator mode should be turned off. Companies that host their own web server use an accelerator to make access to it more efficient. Those who care about efficient Internet access for local users use a caching proxy. Many, ourselves included, use both.

A comparison of the Squid cache and its Harvest counterpart shows an order-of-magnitude performance gain for Squid over CERN and other widely used caching software. This advantage lets the cache work as an httpd accelerator: a cache configured as the main web server (on port 80), forwarding the references it does not serve itself to the real httpd (on port 81).

In this configuration the web site administrator moves all non-cacheable URLs to the httpd on port 81. The cache serves references to cacheable objects, such as HTML pages and GIFs, and the real httpd (on port 81) serves everything non-cacheable, such as queries and cgi-bin programs. If use of the server depends heavily on cacheable objects, this configuration can considerably reduce the web server load.

Bear in mind that it is best not to run squid as an httpd accelerator and as a caching proxy at the same time, since they have different operating modes. You will get higher performance by running them on separate machines. Still, Squid can run as both an httpd accelerator and a caching proxy at once if you set httpd_accel_with_proxy to on in your squid.conf.

3.7 How do I configure Squid to work behind a firewall?

When you are behind a firewall you cannot connect directly to the outside world, so you must use a parent cache. Squid does not use ICP queries when it is behind a firewall, or when there is only one parent.

Use the inside_firewall directive in squid.conf to list the domains that are inside the firewall. For example:

inside_firewall example.com

Several can be given:

inside_firewall example.com example.org example.net

Using inside_firewall gives two paths for server selection. Objects that fall under none of the listed domains are treated as being outside the firewall. For the same case:

As a special case, you can give none as the domain so that all requests are served by sibling or parent caches.

3.8 I have several dnsserver processes that are not used; can I reduce their number in squid.conf?

The dnsserver processes are used by squid because resolving host names to IP addresses (gethostbyname(3)) blocks (that is, the process must wait for the answer). Since there is only one squid process, everyone accessing the cache would have to wait each time for the resolution to complete. That is why dnsserver is a separate process: it can block without blocking squid itself.

It is therefore very important to have enough dnsserver processes to handle every request; otherwise squid may hang unexpectedly. In practice, determine the maximum number of dnsservers squid may need, and add two more just in case. In other words, if you have only ever seen three dnsserver processes in use, keep at least five. And remember that dnsserver is small and, when idle, places little load on the system.

3.9 We would like to use Squid, but we have to use socks to reach the outside world. Does Squid support SOCKS?

From: carson@lehman.com
Date: Sat, 25 Jan 1997 11:50:59 -0500
Subject: Re: SOCKS

No changes to the Squid code are needed to use socks5. All you need is to add -Dbind=SOCKSbind etc. to the compile line and -lsocks to the link line.

3.10 How does Squid decide when to refresh a cached object?

Kolics Bertold made an excellent flowchart illustrating this process.

4 Squid and browsers

Most available web browsers support proxies and are easily configured to use Squid as a proxy. Some of them support advanced features such as a list of domains or URL patterns that should not be cached, or JavaScript for automatic configuration.

4.1 Manual Netscape configuration

Choose Network Preferences from the Options menu. On the Proxies tab, click Manual Proxy Configuration and then the View button. For each protocol your Squid supports (by default, HTTP, FTP, and gopher), enter the name or IP address of the Squid and the port number (by default 3128) in the Port column. For the protocols your Squid does not support, leave the fields blank.

Here is a screenshot of the Netscape Navigator manual proxy configuration.

4.2 Automatic Netscape configuration

Netscape Navigator proxy configuration can be automated with JavaScript (for Navigator 2.0 or later). Choose Network Preferences from the Options menu. On the Proxies tab, click Automatic Proxy Configuration and enter the URL of your JavaScript proxy configuration file.

Here is a screenshot of the Netscape Navigator automatic proxy configuration. You can also refer to the Netscape documentation on Navigator's JavaScript proxy configuration system at http://home.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-live.html

Here is a sample JavaScript auto-configuration from Oskar Pearson:

 // We (www.is.co.za) run a central cache for our customers that they
 // access through a firewall - thus if they want to connect to their intranet
 // system (or anything in their domain at all) they have to connect
 // directly - hence all the "fiddling" to see if they are trying to connect
 // to their local domain.

 // Replace each occurrence of company.com with your domain name
 // and if you have some kind of intranet system, make sure
 // that you put its name in place of "internal" below.

 // We also assume that your cache is called "cache.company.com", and
 // that it runs on port 8080. Change it down at the bottom.

 // (C) Oskar Pearson and the Internet Solution (http://www.is.co.za)
 function FindProxyForURL(url, host)
 {
     // If they have only specified a hostname, go directly.
     if (isPlainHostName(host))
         return "DIRECT";

     // These connect directly if the machine they are trying to
     // connect to starts with "intranet" - ie http://intranet
     // Connect directly if it is intranet.*
     // If you have another machine that you want them to
     // access directly, replace "internal*" with that
     // machine's name
     if (shExpMatch(host, "intranet*") ||
         shExpMatch(host, "internal*"))
         return "DIRECT";

     // Connect directly to our domains (NB for Important News)
     if (dnsDomainIs(host, "company.com") ||
         // If you have another domain that you wish to connect to
         // directly, put it in here
         dnsDomainIs(host, "sistercompany.com"))
         return "DIRECT";

     // So the error message "no such host" will appear through the
     // normal Netscape box - less support queries :)
     if (!isResolvable(host))
         return "DIRECT";

     // We only cache http, ftp and gopher
     if (url.substring(0, 5) == "http:" ||
         url.substring(0, 4) == "ftp:" ||
         url.substring(0, 7) == "gopher:")
         // Change the ":8080" to the port that your cache
         // runs on, and "cache.company.com" to the machine that
         // you run the cache on
         return "PROXY cache.company.com:8080; DIRECT";

     // We don't cache WAIS
     if (url.substring(0, 5) == "wais:")
         return "DIRECT";
     else
         return "DIRECT";
 }

4.3 Configuring Lynx and Mosaic

For Mosaic and Lynx, you need to set environment variables before starting them. For example (for csh or tcsh):

% setenv http_proxy http://mycache.example.com:3128/
% setenv gopher_proxy http://mycache.example.com:3128/
% setenv ftp_proxy http://mycache.example.com:3128/

For Lynx, the proxy settings can be made in the lynx.cfg file. With this configuration all Lynx users can use the proxy without setting the environment for each user separately. For example:

 http_proxy:http://mycache.example.com:3128/
 ftp_proxy:http://mycache.example.com:3128/
 gopher_proxy:http://mycache.example.com:3128/

4.4 Configuring Microsoft Internet Explorer

Choose Options from the View menu. Click the Connection tab. Select Connect through Proxy Server and press the Proxy Settings button. For each protocol your Squid supports (by default, HTTP, FTP, and gopher), enter the name or IP address of the Squid and the port number (by default 3128) in the Port column. For the protocols your Squid does not support, leave these fields blank.

Here is a screenshot of the Internet Explorer proxy configuration.

Microsoft also intends to support automatic proxy configuration via JavaScript, as Netscape does. Currently only MSIE version 3.0a for Windows 3.1 and Windows NT 3.51 supports this feature (for example, version 3.01 build 1225 for Windows 95 and NT 4.0 does not).

If your version of MSIE supports this feature, choose Options from the View menu. Click the Advanced tab and, in the lower left corner, click the Automatic Configuration button. Enter the URL of your JavaScript file. Then restart MSIE. MSIE will re-read the JavaScript file each time it starts.

4.5 Configuring Netmanage Internet Chameleon WebSurfer

Netmanage WebSurfer supports manual proxy configuration and an exception list of hosts or domains that should not be cached (information as of WebSurfer version 5.0). Choose Preferences from the Settings menu. Click the Proxies tab. Select the Use Proxy option for HTTP, FTP, and gopher. Then, for each protocol, enter the name or IP address of the Squid and the port number (by default 3128) in the Port field. Leave the remaining fields blank.

A screenshot is attached.

In the same window there is a button that opens the exceptions window, where you can specify hosts or domains that should not be cached. Here is a screenshot.

4.6 How do I make browser users use the cache without configuring their browsers?

Transparent caching can be done on Linux, Solaris, and BSD versions. The idea is that the operating system redirects certain IP packets to the application. At the moment this document contains instructions for setting up transparent caching on Linux and Solaris.

4.6.1 Transparent proxy for Solaris, SunOS, and BSD systems

Look here: http://cheops.anu.edu.au/~avalon/ip-filter.html

4.6.2 Transparent proxy for Linux

[Contributed by Rodney van den Oever <Rodney.van.den.Oever@tip.nl>]

Warning: this technique has several significant shortcomings!

Host names do not appear in the URLs in access.log.
The original IP addresses are printed instead. This is because the destination address is determined with the getsockname(2) system call. This means that parent or sibling caches do not work correctly. Those caches write names in the URL, not IP addresses. These URLs differ, and there is no cache hit on a repeat request. This means you lose the benefit of a proxy hierarchy if you use transparent caching.
This method supports only the HTTP protocol, and does not support gopher or FTP.
Since proxy support is not enabled in the browser, it uses the FTP protocol (with destination port 21) rather than the required HTTP. You cannot set up redirection rules to the proxy, since the browser uses a different protocol. The same applies to gopher. Normally all requests to the proxy are translated by the client into the HTTP protocol, but since the client knows nothing about the redirection, nothing happens.
If you are happy with that, go ahead and compile the kernel with firewall and redirection support. Here are the important parameters from /usr/src/linux/.config:
 #
 # Code maturity level options
 #
 CONFIG_EXPERIMENTAL=y
 #
 # Networking options
 #
 CONFIG_FIREWALL=y
 # CONFIG_NET_ALIAS is not set
 CONFIG_INET=y
 CONFIG_IP_FORWARD=y
 # CONFIG_IP_MULTICAST is not set
 CONFIG_IP_FIREWALL=y
 # CONFIG_IP_FIREWALL_VERBOSE is not set
 CONFIG_IP_MASQUERADE=y
 CONFIG_IP_TRANSPARENT_PROXY=y
 CONFIG_IP_ALWAYS_DEFRAG=y
 # CONFIG_IP_ACCT is not set
 CONFIG_IP_ROUTER=y
Get the ipfwadm sources from http://www.xos.nl/linux/ipfwadm/ and install them. ipfwadm is needed to set the redirection rules. I added these rules to the script run from /etc/rc.d/rc.inet1 (Slackware) that sets up the interface at boot time. The redirection must be completed before any input rules are set. To make sure it works, I turned off forwarding (masquerading).

/etc/rc.d/rc.firewall:

#!/bin/sh
# rc.firewall Linux kernel firewalling rules
FW=/sbin/ipfwadm

# Flush rules, for testing purposes
for i in I O F # A # If we enabled accounting too
do
${FW} -$i -f
done

# Default policies:
${FW} -I -p rej # Incoming policy: reject (quick error)
${FW} -O -p acc # Output policy: accept
${FW} -F -p den # Forwarding policy: deny

# Input Rules:

# Loopback-interface (local access, eg, to local nameserver):
${FW} -I -a acc -S localhost/32 -D localhost/32

# Local Ethernet-interface:

# Redirect to Squid proxy server:
${FW} -I -a acc -P tcp -D default/0 80 -r 80

# Accept packets from local network:
${FW} -I -a acc -P all -S localnet/8 -D default/0 -W eth0

# Only required for other types of traffic (FTP, Telnet):

# Forward localnet with masquerading (udp and tcp, no icmp!):
${FW} -F -a m -P tcp -S localnet/8 -D default/0
${FW} -F -a m -P udp -S localnet/8 -D default/0


All traffic from the local network with any destination address is redirected to local port 80. The rules can be listed and will look something like this:
 IP firewall input rules, default policy: reject
 type prot source destination ports
 acc all 127.0.0.1 127.0.0.1 n/a
 acc/r tcp 10.0.0.0/8 0.0.0.0/0 * -> 80 => 80
 acc all 10.0.0.0/8 0.0.0.0/0 n/a
 acc tcp 0.0.0.0/0 0.0.0.0/0 * -> *
Here are the important settings in squid.conf:
 http_port 80
 icp_port 3130
 httpd_accel virtual 80
 httpd_accel_with_proxy on
Note, virtual is the magic word here!

I tested on Windows 95 with both Microsoft Internet Explorer 3.01 and Netscape Communicator, and it works with both with the proxy settings disabled.

Once squid seemed to loop when I pointed the browser at local port 80. But this can be avoided by adding the line:

 ${FW} -I -a rej -P tcp -S localnet/8 -D dec/32 80


 IP firewall input rules, default policy: reject
 type prot source destination ports
 acc all 127.0.0.1 127.0.0.1 n/a
 rej tcp 10.0.0.0/8 10.0.0.1 * -> 80
 acc/r tcp 10.0.0.0/8 0.0.0.0/0 * -> 80 => 80
 acc all 10.0.0.0/8 0.0.0.0/0 n/a
 acc tcp 0.0.0.0/0 0.0.0.0/0 * -> *
A note on name resolution: instead of simply passing the URL to the proxy, the browser resolves the names itself. Make sure the workstations have local DNS servers configured.

If a DNS server runs on the firewall or proxy server (which is a good idea IMHO), let the workstations use it.


5 Operation

5.1 How do I view Squid's system statistics?

The Squid distribution includes the CGI utility cachemgr.cgi for viewing squid statistics through a browser. For more information see the section on cachemgr.cgi.

5.2 What can I learn from the log files?

The files contain various information about Squid's load and performance. Besides access information, the logs also record system errors and information about resource consumption, such as memory or disk space. The format of the Squid log files is described below:

access.log, common log format:

 Host Ident - [D/M/Yr:H:M:S TZ] "Method URL" Status Size
access.log, Squid 1.0 native format:
 Time Elapsed Host Status/HTTP/Hier_Status Size Method URL
access.log, Squid 1.1 native format:
 Time Elapsed Host Status/HTTP Size Method URL Ident Hier_Status/Hier_Host
hierarchy.log, Squid 1.0 only:
 [D/M/Yr:H:M:S TZ] URL Hier_Status Hier_Host
Here is a description of the different log components:
Host
IP address of the requesting host (in version 1.1, may be the FQDN if so configured).
Ident
Usually '-'. In version 1.1, the Ident (RFC 931) response, if configured.
Method
GET, HEAD, POST for TCP requests, or ICP_QUERY for UDP requests.
URL
The requested object.
Status
Result of the request (TCP_HIT for previously cached objects, TCP_MISS if the requested object was not taken from the local cache, UDP_HIT and UDP_MISS likewise for sibling requests).
HTTP
The HTTP code returned: 200 for success, 000 for UDP requests, 403 for redirects, 500 for errors, etc.
Size
Number of bytes sent to the client.
Hier_Status
Result of requests to sibling/parent caches. May be PARENT_MISS, SIBLING_HIT, etc.
Hier_Host
Host from which the object was taken.
Time
Time since Jan 1, 1970 in milliseconds.
Elapsed
Elapsed time in milliseconds.

5.3 Which log files can I delete?

To preserve the log files, it is best to send the squid process the USR1 signal. This causes the current log files to be closed and renamed. After that you can delete the old log files. For example, if your squid.pid file is at /usr/local/squid/logs/squid.pid (as set in squid.conf), do the following:

kill -USR1 `cat /usr/local/squid/logs/squid.pid`

Note: the logfile_rotate line in squid.conf makes manual deletion of old log files unnecessary. Simply set logfile_rotate to the desired value. Once the logfile_rotate value is reached, the old log is deleted automatically. Set the required logfile_rotate value and put a command in crontab that sends squid the SIGUSR1 signal, for example every day at midnight:

0 0 * * * /bin/kill -USR1 `cat /usr/local/squid/logs/squid.pid`

The only file that must not be deleted is log, which is usually in the first cache_dir directory. This file contains the data needed to rebuild the cache when Squid starts. Deleting this file loses the cache.

5.4 How do I find the largest cached object?

sort -r -n +4 -5 access.log | awk '{print $5, $7}' | head -25
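The following is an added example, not code from the FAQ or from Squid: it parses the Squid 1.1 native access.log format described in 5.2 and computes both the hit ratio and the largest objects that the sort/awk pipeline above reports. The log lines are constructed for this example.

```python
"""Parse Squid 1.1 native access.log lines and report on them.

Added example, not code from the FAQ or from Squid. Field layout (from 5.2):
  Time Elapsed Host Status/HTTP Size Method URL Ident Hier_Status/Hier_Host
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Entry:
    time: int
    elapsed: int
    host: str
    status: str        # TCP_HIT, TCP_MISS, UDP_HIT, ...
    http: int          # 200, 000, 403, 500, ...
    size: int
    method: str
    url: str
    ident: str
    hier_status: str   # NONE, DIRECT, PARENT_MISS, SIBLING_HIT, ...
    hier_host: str


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry, or None for a line that does not have the nine fields."""
    fields = line.split()
    if len(fields) != 9:
        return None
    try:
        status, http = fields[3].split("/", 1)
        hier_status, hier_host = fields[8].split("/", 1)
        return Entry(int(fields[0]), int(fields[1]), fields[2], status,
                     int(http), int(fields[4]), fields[5], fields[6],
                     fields[7], hier_status, hier_host)
    except ValueError:          # malformed number or missing "/"
        return None


def parse_log(text: str) -> List[Entry]:
    """Parse every well-formed line, silently skipping the rest."""
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def hit_ratio(entries: List[Entry]) -> float:
    """Share of TCP (client) requests served from the local cache.
    UDP entries are ICP queries from siblings and are left out."""
    tcp = [e for e in entries if e.status.startswith("TCP_")]
    if not tcp:
        return 0.0
    return sum(1 for e in tcp if e.status == "TCP_HIT") / len(tcp)


def largest_objects(entries: List[Entry], n: int = 25) -> List[Tuple[int, str]]:
    """(size, url) pairs, largest first: the same answer as
    sort -r -n +4 -5 access.log | awk '{print $5, $7}' | head -25"""
    ranked = sorted(entries, key=lambda e: e.size, reverse=True)
    return [(e.size, e.url) for e in ranked[:n]]


def bytes_by_client(entries: List[Entry]) -> dict:
    """Bytes delivered per client host, useful when looking for heavy users."""
    totals: dict = {}
    for e in entries:
        if e.status.startswith("TCP_"):
            totals[e.host] = totals.get(e.host, 0) + e.size
    return totals


# Constructed sample log; the last line is deliberately malformed.
SAMPLE_LOG = """\
853675800123 120 10.0.0.5 TCP_MISS/200 4321 GET http://www.example.com/index.html - PARENT_MISS/parentcache.example.com
853675800456 2 10.0.0.5 TCP_HIT/200 4321 GET http://www.example.com/index.html - NONE/-
853675801000 340 10.0.0.7 TCP_MISS/200 987654 GET ftp://ftp.example.org/big.tar.gz - DIRECT/ftp.example.org
853675801500 0 10.0.0.9 UDP_HIT/000 0 ICP_QUERY http://www.example.com/index.html - NONE/-
853675802000 15 10.0.0.7 TCP_MISS/403 512 GET http://www.example.net/cgi-bin/x - DIRECT/www.example.net
this line is garbage and is skipped
"""

ENTRIES = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    print("hit ratio:", hit_ratio(ENTRIES))
    for size, url in largest_objects(ENTRIES, 3):
        print(size, url)
```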

5.5 I want to restart Squid with an empty cache

The first way is to add -z on the command line.

Another, perhaps simpler, way is to delete the log file from the cache_dir directory.


6 The cache manager

[Contributed by Jonathan Larmour <JLarmour@origin-at.co.uk>]

6.1 What is the cache manager?

The cache manager (cachemgr.cgi) is a CGI utility for viewing the statistics of a running squid process. The cache manager is a simple way to manage the cache and view statistics without logging in to the server.

6.2 How do I install it?

First of all, it depends on the web server you use. Below you will find instructions for configuring the CERN and Apache servers to use cachemgr.cgi.

After changing the server configuration files, you need to either restart the web server or send it SIGHUP so that it re-reads the configuration files.

When you have finished configuring the web server, you can connect to the cache manager with a browser at the URL:

http://www.example.com/Squid/cgi-bin/cachemgr.cgi

6.3 Configuring CERN httpd 3.0 to work with the cache manager

First, make sure that only the specified workstations have access to the cache manager. They must be specified in the CERN httpd.conf, not in squid.conf.
 Protection MGR-PROT {
 Mask @(workstation.example.com)
 }
You can use patterns and IP addresses, including comma-separated lists. Other protection methods are possible; see the server documentation.

You should also add:

 Protect /Squid/* MGR-PROT
 Exec /Squid/cgi-bin/*.cgi /usr/local/squid/bin/*.cgi
to mark for MGR-PROT that the script is executable.

6.4 Configuring Apache to work with the cache manager

First make sure that the cgi-bin directory is set up with ScriptAlias in your Apache srm.conf file, something like this:
ScriptAlias /Squid/cgi-bin/ /usr/local/squid/cgi-bin/
We do not recommend putting a ScriptAlias on the whole /usr/local/squid/bin directory where the Squid binaries live.

Then you need to specify the workstations that may access the cache manager. This is set in the Apache access.conf file, not in squid.conf. At the end of access.conf, insert:

 <Location /Squid/cgi-bin/cachemgr.cgi>
 order deny,allow
 deny from all
 allow from workstation.example.com
 </Location>
Mozhno vpisat' neskol'ko strok, mozhno dobavit' domeny ili seti.

cachemgr.cgi can also be password protected. Add the following lines to access.conf:

 <Location /Squid/cgi-bin/cachemgr.cgi>
 AuthUserFile /path/to/password/file
 AuthGroupFile /dev/null
 AuthName "User/Password Required"
 AuthType Basic
 <Limit GET>
 require user cachemanager
 </Limit>
 </Location>
The Apache documentation explains how to use htpasswd to set the password.

6.5 Setting up the cache manager ACL (user list) in squid.conf

By default, cache manager access is configured in squid.conf as:
 acl manager proto cache_object
 acl localhost src 127.0.0.1/255.255.255.255
 acl all src 0.0.0.0/0.0.0.0
With the following rules:
 http_access deny manager !localhost
 http_access allow all
The first ACL entry is needed for the cache manager because it queries squid using the special cache_object protocol. You can try it yourself:

telnet mycache.example.com 3128
GET cache_object://mycache.example.com/info HTTP/1.0

By default, if the request is for cache_object and does not come from the local machine, access is denied; otherwise it is allowed.

In fact, since access is allowed only from the local machine, you can enter localhost as the cache host in the cachemgr.cgi form. We recommend the following:

 acl manager proto cache_object
 acl localhost src 127.0.0.1/255.255.255.255
 acl example src 123.123.123.123/255.255.255.255
 acl all src 0.0.0.0/0.0.0.0
Where 123.123.123.123 is the IP address of your web server. Then change the rules to:
 http_access deny manager !localhost !example
 http_access allow all
By default it is assumed that the web server runs on the same machine as squid. Note that the cache manager's requests to squid come from the web server, not from the browser. So if your web server is somewhere else, the IP address of the web server on which cachemgr.cgi is installed must be used in place of example in the example above.

Don't forget to send squid a SIGHUP every time you change squid.conf.
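Because http_access rules are evaluated in order, the protection above silently disappears if an "http_access allow all" line ends up ahead of the "deny manager" line, or if the manager ACL is declared but never used. The following is an added example (not from the FAQ) of a quick check for that ordering on a squid.conf; it models only the pattern the FAQ recommends, not Squid's full ACL evaluation. The three configurations are constructed samples.

```shell
# Added example, not from the FAQ: verify that the cache manager
# (cache_object) protocol is denied to outsiders before any general
# "http_access allow" line.  Sample configurations are constructed.

SAFE_CONF='acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl example src 123.123.123.123/255.255.255.255
acl all src 0.0.0.0/0.0.0.0
http_access deny manager !localhost !example
http_access allow all'

# Same rules, but "allow all" comes first, so the manager rule is never reached.
UNSAFE_ORDER_CONF='acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl all src 0.0.0.0/0.0.0.0
http_access allow all
http_access deny manager !localhost'

# The manager ACL is declared but no http_access line uses it.
UNUSED_CONF='acl manager proto cache_object
acl all src 0.0.0.0/0.0.0.0
http_access allow all'

# manager_guarded: reads squid.conf on stdin.  Returns 0 when an
# "http_access deny" line referencing a cache_object ACL (under whatever
# name it was declared) precedes the first "http_access allow" line,
# 1 otherwise.  Comments and blank lines are ignored.
manager_guarded() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 == "acl" && $3 == "proto" && $4 == "cache_object" { mgr[$2] = 1 }
        $1 == "http_access" && $2 == "allow" && !guarded { exit 1 }
        $1 == "http_access" && $2 == "deny" {
            for (i = 3; i <= NF; i++) {
                name = $i
                sub(/^!/, "", name)          # "deny !manager" does not guard
                if (name == $i && (name in mgr)) guarded = 1
            }
        }
        END { exit guarded ? 0 : 1 }'
}

# Usage: manager_guarded < /usr/local/squid/etc/squid.conf && echo guarded
```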

6.6 Why does it ask me for a password and a URL?

If you look in the drop-down list, you will see that the password is needed only to shut down the cache, and the URL is needed to refresh an object (that is, to fetch it again from the origin server). No password is needed to get information from cachemgr.cgi.

6.7 I want to shut down the cache remotely. What is the password?

There is a cachemgr_passwd directive in squid.conf.

6.8 How do I make the cache host field default to my cache's name?

Find the following line in Makefile.in:
 HOST_OPT = # -DCACHEMGR_HOSTNAME="getfullhostname()"
If the web server running cachemgr.cgi is on the same machine as Squid, simply remove the #. If the web server is a different machine, use:
 HOST_OPT = -DCACHEMGR_HOSTNAME=\"mycache.example.com\"
After these changes, recompile and reinstall cachemgr.cgi.

6.9 What is the difference between Squid's TCP and UDP connections?

Browsers and caches use TCP connections to fetch objects from web servers or caches. UDP connections are used when another cache uses yours as a sibling or parent and asks whether it holds a needed object. UDP connections are ICP queries.

6.10 It says the cache expires in 1970!

Don't worry. Squid's normal (and quite reasonable) behaviour is to overwrite objects whose lifetime has expired.

6.11 What do the meta data entries mean?

StoreEntry
An entry describing a cache object.
IPCacheEntry
An entry in the DNS cache.
Hash link
A link in the hash table structure.
URL strings
The URL strings themselves, pointing to the object's number in the cache and giving access to its StoreEntry. Roughly like the log file in the cache directory:
PoolMemObject structures
Information about objects in memory (for example, in transit).
Pool for Request structures
Information about each request.
Pool for in-memory object
Space for received objects.

6.12 The Pool for in-memory object is huge and never shrinks! Is it a memory leak?

No. This pool only grows. It equals the largest object squid has ever cached. If you don't want it that large, reduce cache_mem and the object size limits for gopher, http and ftp in squid.conf.

6.13 The "Total accounted" value does not match the size my squid occupies!

If the value is close, don't worry. If squid takes much more, it may be a memory leak, and all you can do is wait for new patches and restart squid from time to time.

If squid takes much less than this field shows, be careful! Something is wrong; you should restart squid.

6.14 In the utilization section, what is Other?

Other is the category for objects that do not fall into any other category.

6.15 In the utilization section, why is the Transfer KB/sec column always zero?

This column holds a rough approximation of the ratio of data transferred to the total time the cache has been running. The figures are unreliable and practically useless.

6.16 In the utilization section, what does Object Count mean?

The number of objects of the given type currently in the cache.

6.17 In the utilization section, what does Max/Current/Min KB mean?

This refers to the maximum/current/minimum total size of all objects of this type.

6.18 What is the I/O section about?

These are histograms of the number of bytes read from the network by read(2) calls. They are quite useful for determining the maximum buffer sizes.

6.19 What is in the Objects section?

Warning: in this section your browser receives a list of all URLs in the cache with statistics about them. It can be very, very large. Sometimes it can be bigger than the memory available to your client! You will probably never need this information.

6.20 What is the VM Objects section for?

VM Objects are objects in virtual memory. These objects have already been downloaded and are held in memory for fast access.

6.21 What does AVG RTT mean?

Average Round Trip Time. It shows the average time between sending an ICP ping and receiving the reply.

6.22 In the IP cache section, what is the difference between hit, negative hit and miss?

HIT means the document was found in the cache. MISS means it was not found. Negative hit means it was in the cache but does not exist.

6.23 What do the contents of the IP cache section mean?

Hostname is the name to be resolved.

For the Flags column:

C
Cached.
N
Not cached.
P
Request pending (queued for sending).
D
Request dispatched, awaiting reply.
L
Entry locked because it acts as a parent or sibling.
The TTL column shows the "Time To Live" (that is, how long the cache entry remains valid). (It may be negative if the entry has expired.)

The N column is the number of IP addresses this hostname has.

The end of the line lists the remaining IP addresses belonging to this IP cache entry.

6.24 How do I analyse memory usage from cachemgr.cgi data?

Look at the Cache Information page of your cachemgr.cgi. For example:
 Memory usage for squid via mallinfo():
 Total space in arena: 94687 KB
 Ordinary blocks: 32019 KB 210034 blks
 Small blocks: 44364 KB 569500 blks
 Holding blocks: 0 KB 5695 blks
 Free Small blocks: 6650 KB
 Free Ordinary blocks: 11652 KB
 Total in use: 76384 KB 81%
 Total free: 18302 KB 19%


 Meta Data:
 StoreEntry 246043 x 64 bytes = 15377 KB
 IPCacheEntry 971 x 88 bytes = 83 KB
 Hash link 2 x 24 bytes = 0 KB
 URL strings = 11422 KB
 Pool MemObject structures 514 x 144 bytes = 72 KB ( 70 free)
 Pool for Request structur 516 x 4380 bytes = 2207 KB ( 2121 free)
 Pool for in-memory object 6200 x 4096 bytes = 24800 KB ( 22888 free)
 Pool for disk I/O 242 x 8192 bytes = 1936 KB ( 1888 free)
 Miscellaneous = 2600 KB
 total Accounted = 58499 KB
In the first line mallinfo() reports 94M in use. This is close to what top shows (97M).

Of those 94M, 81% (76M) is actually in use at the moment. The rest has been freed, or reserved by malloc(3) and not yet used.

Of the 76M in use, 58.5M (76%) can be accounted for. The rest is overhead of malloc(3) calls.

The Meta Data list shows where the accounted memory goes. 45% went to StoreEntry and URL string storage. Another 42% is spent holding objects in virtual memory while they are delivered to clients (Pool for in-memory object).

Pool sizes are set in squid.conf. In version 1.0 they are somewhat dumb: a stack of unused pages is kept instead of freeing the block. For the Pool for in-memory object, the stack size is 1/2 of cache_mem. The Pool for disk I/O size is hard-coded to 200. For MemObject and Request it is 1/8 of FD_SETSIZE.

If you need to reduce the process's memory footprint, we recommend lowering the maximum object sizes in the 'http', 'ftp' and 'gopher' configuration lines. You can also reduce cache_mem. But if cache_mem is too small, some objects may not be saved to disk under heavy load. Newer Squid versions let you set memory_pools off, which disables the free-memory pool.

6.25 What is fqdncache and how does it differ from ipcache?

IPCache holds Hostname to IP-Number mappings, and FQDNCache holds the reverse mappings.

For example:

==============================================================================

IP Cache Contents:
Hostname Flags lstref TTL N [IP-Number]
gorn.cc.fh-lippe.de C 0 21581 1 193.16.112.73
lagrange.uni-paderborn.de C 6 21594 1 131.234.128.245
www.altavista.digital.com C 10 21299 4 204.123.2.75 204.74.103.37 204.123.2.66 204.123.2.69
2/ftp.symantec.com DL 1583 -772855 0

Flags: C --> Cached
       D --> Dispatched
       N --> Not cached
       L --> Locked

lstref: Time since the entry was last referenced
   TTL: Time-To-Live until the entry expires
     N: Number of addresses

==============================================================================

FQDN Cache Contents:

IP-Number Flags TTL(?) N Hostname

130.149.17.15 C -45570 1 andele.cs.tu-berlin.de
194.77.122.18 C -58133 1 komet.teuto.de
206.155.117.51 N -73747 0

Flags: C --> Cached
       D --> Dispatched
       N --> Not cached
       L --> Locked
   TTL: Time-To-Live
     N: Number of names

7 Troubleshooting

7.1 Why can't I access the proxy: "Proxy Access Denied"?

If squid runs in httpd-accelerator mode, it forwards all HTTP requests to the HTTP server but does not act as a proxy. If you want your cache to handle proxy HTTP requests as well, set:

http_accel_with_proxy on

Also, you may have configured the ACLs incorrectly. Check access.log and squid.conf.

7.2 local_domain does not work.

Squid caches objects from the local domain.

The local_domain directive does not stop local objects from being cached. It prevents sibling caches from being used for local objects. If you really need that, use the cache_stoplist or http_stop options (depending on the version).

7.3 When the cache tries to fetch an object from a sibling cache it gets Connection Refused, even though that cache believes the object was delivered successfully.

If the ICP port is correct but the HTTP port is not, ICP queries are sent normally and the ICP replies make the cache think everything is fine, but the objects themselves go missing. If a sibling cache changes its http_port, you will have the same problem for a while, until you are notified.

7.4 Running out of file descriptors

This happens when the message Too many open files appears. It is probably due to an operating system with a low number of file descriptors. This limit can usually be set in the kernel or by other means. There are two ways to exhaust the file descriptor limit: the per-process limit and the system-wide limit on the total number of descriptors across all processes.

For Linux, there is the filehandle.patch.linux patch from Michael O'Reilly <michael@metal.iinet.net.au>.

For Solaris, add the following to /etc/system:

set rlim_fd_max = 4096
set rlim_fd_cur = 1024

You should also set #define SQUID_FD_SETSIZE in include/config.h to the same value as rlim_fd_max. Do not set it below 4096.

Solaris select(2) allows only 1024 descriptors; if you need more, edit src/Makefile and enable $(USE_POLL_OPT). Then rebuild squid.

For FreeBSD (from Torsten Sturm <torsten.sturm@axis.de>):

How do I find the maximum number of file descriptors?
The kern.maxfilesperproc value in the output of sysctl -a.
How do I increase them?
sysctl -w kern.maxfiles=XXXX

sysctl -w kern.maxfilesperproc=XXXX
Warning: when raising the values, keep the relation maxfiles > maxfilesperproc.
What is the upper limit?
I don't think there is a formal limit inside the kernel, since the data structures are allocated dynamically. In practice, though, odd effects may appear (for example, the kernel spending too much time searching its tables).
For most BSD systems (SunOS, 4.4BSD, OpenBSD, FreeBSD, NetBSD, BSD/OS, 386BSD, Ultrix) the problem can be solved head-on (a kernel rebuild is required):
How do I find the maximum number of file descriptors?
The files value in the output of pstat -T, usually shown as a current/maximum ratio.
How do I increase this value?
The first method is to raise the maxusers variable in the kernel configuration and rebuild the kernel. This is very quick and simple, but it also increases a number of other variables that you may not want to change.
Is there a more precise way?
Find param.c in the kernel sources and change the relation between maxusers and the maximum number of open files according to the expressions below.
Here are some examples:
SunOS
Change the value of nfile in /usr/kvm/sys/conf.common/param.c by changing the values in this expression:

int nfile = 16 * (NPROC + 16 + MAXUSERS) / 10 + 64;
Where NPROC is defined as:
#define NPROC (10 + 16 * MAXUSERS)
FreeBSD (from kernel 2.1.6)
Very similar to SunOS: edit /usr/src/sys/conf/param.c, working out the relation between the maxusers, maxfiles and maxfilesperproc variables:

int maxfiles = NPROC*2;
int maxfilesperproc = NPROC*2;
Where NPROC is defined as:
#define NPROC (20 + 16 * MAXUSERS)
The per-process descriptor limit can also be set in the kernel configuration with this directive:
options OPEN_MAX=128
BSD/OS (from kernel 2.1)
Edit /usr/src/sys/conf/param.c and set maxfiles according to:

int maxfiles = 3 * (NPROC + MAXUSERS) + 80;
Where NPROC is defined as:
#define NPROC (20 + 16 * MAXUSERS)
You should also set OPEN_MAX to change the per-process descriptor limit.
Note: after rebuilding the kernel, Squid must be recompiled. Squid's configure script detects how many file descriptors are available, so the script has to be run again. For example:
 cd squid-1.1.x
 make realclean
 ./configure --prefix=/usr/local/squid
 make
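The param.c formulas above make it easy to see why the default maxusers leaves Squid short of descriptors. The following is an added example, not from the FAQ: it evaluates each formula for a given MAXUSERS with the same integer arithmetic C uses, and compares a limit against the 4096 descriptors the FAQ recommends. The MAXUSERS values in report() are chosen only for illustration.

```shell
# Added example, not from the FAQ: evaluate the kernel formulas quoted
# above and compare descriptor limits with the FAQ's recommended 4096.

# SunOS: nfile = 16 * (NPROC + 16 + MAXUSERS) / 10 + 64, NPROC = 10 + 16 * MAXUSERS
sunos_nfile() {
    nproc=$((10 + 16 * $1))
    echo $((16 * (nproc + 16 + $1) / 10 + 64))
}

# FreeBSD 2.1.6+: maxfiles = NPROC * 2, NPROC = 20 + 16 * MAXUSERS
freebsd_maxfiles() {
    nproc=$((20 + 16 * $1))
    echo $((nproc * 2))
}

# BSD/OS 2.1+: maxfiles = 3 * (NPROC + MAXUSERS) + 80, NPROC = 20 + 16 * MAXUSERS
bsdos_maxfiles() {
    nproc=$((20 + 16 * $1))
    echo $((3 * (nproc + $1) + 80))
}

# fd_limit_ok LIMIT [NEEDED]: returns 0 if LIMIT (a number, or "unlimited"
# as printed by ulimit -n) is at least NEEDED (default 4096), else 1.
fd_limit_ok() {
    [ "$1" = unlimited ] && return 0
    [ "$1" -ge "${2:-4096}" ]
}

# report: show this shell's soft per-process limit, then what each
# formula yields for a few MAXUSERS values (chosen for illustration).
report() {
    cur=$(ulimit -n)
    if fd_limit_ok "$cur"; then
        echo "current per-process limit $cur: adequate for Squid"
    else
        echo "current per-process limit $cur: below 4096, raise it before running Squid"
    fi
    for u in 32 64 128 256; do
        echo "MAXUSERS=$u  SunOS nfile=$(sunos_nfile "$u")  FreeBSD maxfiles=$(freebsd_maxfiles "$u")  BSD/OS maxfiles=$(bsdos_maxfiles "$u")"
    done
}

# Usage: report
```

With MAXUSERS=32, for instance, FreeBSD's formula gives only 1064 descriptors system-wide; the FreeBSD formula does not reach 4096 until MAXUSERS is 127.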

7.5 My squid periodically dies with an error that it cannot malloc(3) any more memory, but I have plenty of RAM!

Apart from the file descriptor limit, many systems limit the amount of memory a process may allocate, especially for non-root processes. BSD/OS has a fairly low limit, which you can raise. Edit the kernel configuration file and add these lines:
options DFLDSIZ=67108864 # 64 meg default max data size (was 16)
options MAXDSIZ=134217728 # 128 meg max data size (was 64)
Rebuild the kernel and reboot the machine.

On Digital UNIX, edit /etc/sysconfigtab and add the lines...

proc:
 per-proc-data-size=1073741824
Or, in csh, using the limit command...
zpoprp.zpo.dec.com> limit datasize 1024M

Editing /etc/sysconfigtab requires a reboot; the limit command does not.

7.6 What are these strange lines about removing objects?

For example:
97/01/23 22:31:10| Removed 1 of 9 objects from bucket 3913
97/01/23 22:33:10| Removed 1 of 5 objects from bucket 4315
97/01/23 22:35:40| Removed 1 of 14 objects from bucket 6391
These are normal log lines, but they do not mean that squid has reached cache_swap_high.

On the cache information page of cachemgr.cgi, find a line like this:

 Storage LRU Expiration Age: 364.01 days
Objects that have not been used for this amount of time are removed as part of regular maintenance. You can set your own LRU Expiration Age with reference_age in the configuration file.

7.7 Why can't I set cache_effective_user to nobody on Linux?

Several users have reported that they cannot set cache_effective_user to nobody on Linux, and the server reports:
FATAL: Don't run Squid as root, set 'cache_effective_user'!
However, setting cache_effective_user to something other than nobody works fine. The first solution is to create a user for Squid and set cache_effective_user to it.

You can also change the UID of nobody from 65535 to 65534.

7.8 Can I make a Windows NT FTP server list directories in Unix format?

Why not! Choose the following menu items: double-click on ftp.

Then select the server (there should be only one), choose "Properties" from the menu, then the "directories" tab; there is a "Directory listing style." option. Choose the "Unix" type, not the "MS-DOS" type.

--Oskar Pearson <oskar@is.co.za>

7.9 Why do I get ERR_NO_CLIENTS_BIG_OBJ messages so often?

It means the requested object was in "delete later" mode and the user aborted the transfer. An object goes into "delete later" mode if it:
  1. is larger than maximum_object_size
  2. was delivered from a neighbour cache that has the proxy-only option set.

7.10 Why does Squid need so much memory!?

Squid is fast and handles several requests at once precisely because it uses a lot of memory. For a start, look at these FAQ sections: You can also improve performance by linking Squid with an external malloc library. We recommend:

7.11 Why do I get "Ignoring MISS from non-peer x.x.x.x"?

You are receiving an ICP MISS (over UDP) from a parent or sibling cache whose IP address your cache does not know. This can happen in two cases.

(1) The other side has several interfaces and the packets come from one that is not listed in DNS. Strictly speaking, that is their problem. You can tell them either to put the interface's IP address in DNS, or to use Squid's 'udp_outgoing_address' option.

For example:

# (the parent cache's squid.conf)
#
udp_outgoing_address proxy.parent.com


# (your squid.conf)
#
cache_host proxy.parent.com parent 3128 3130
(2) This message also appears when ICP queries are sent to a multicast group address. For security, Squid requires the configuration to list the other caches that listen on the group address. If an unknown cache listens on that address and sends replies, your cache logs these messages. To fix it, either tell that cache to stop listening on the address or, if it is legitimate, add it to the configuration file.
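Before deciding whether a non-peer reply is a misconfigured neighbour or a cache you never meant to talk to, it helps to list the reporting addresses and compare them with the cache_host entries you actually configured. The following is an added example, not from the FAQ; the cache.log lines, the squid.conf and the name-to-address table (standing in for DNS) are all constructed.

```shell
# Added example, not from the FAQ: list addresses reported in
# "Ignoring MISS from non-peer" lines and flag those that belong to no
# configured cache_host.  All inputs below are constructed samples.

SAMPLE_CACHE_LOG='97/01/23 22:31:10| Ignoring MISS from non-peer 192.0.2.9
97/01/23 22:31:11| Removed 1 of 9 objects from bucket 3913
97/01/23 22:31:12| Ignoring MISS from non-peer 192.0.2.9
97/01/23 22:31:13| Ignoring MISS from non-peer 198.51.100.7
97/01/23 22:31:14| Ignoring MISS from non-peer 203.0.113.4'

SAMPLE_SQUID_CONF='# cache_host name type http_port icp_port
cache_host proxy.parent.example parent 3128 3130
cache_host sibling.example sibling 3128 3130'

# Constructed name -> address table standing in for DNS.  A real check
# would resolve every cache_host name (and any extra interface the
# neighbour sends from, see case (1) above).
SAMPLE_HOSTS='proxy.parent.example 198.51.100.7
sibling.example 192.0.2.1'

# non_peer_sources: reads cache.log on stdin; prints "count address" for
# each reporting address, most frequent first.
non_peer_sources() {
    awk '/Ignoring MISS from non-peer/ { n[$NF]++ }
         END { for (a in n) print n[a], a }' | sort -k1,1nr
}

# unknown_icp_senders CONF HOSTS: reads cache.log on stdin; prints each
# non-peer address (once, in order of first appearance) that does not
# belong to any cache_host in CONF according to the HOSTS table.
unknown_icp_senders() {
    conf=$1; hosts=$2
    known=$(printf '%s\n' "$conf" | awk '$1 == "cache_host" { print $2 }' \
            | while read -r name; do
                  printf '%s\n' "$hosts" | awk -v n="$name" '$1 == n { print $2 }'
              done)
    awk -v known="$known" '
        BEGIN { split(known, k, "\n"); for (i in k) if (k[i] != "") seen[k[i]] = 1 }
        /Ignoring MISS from non-peer/ && !($NF in seen) && !printed[$NF] {
            printed[$NF] = 1; print $NF
        }'
}

# Usage: unknown_icp_senders "$(cat squid.conf)" "$hosts_table" < cache.log
```

In the sample, 198.51.100.7 resolves to a configured parent, so it is most likely case (1), an unlisted interface or stale DNS on the neighbour; 192.0.2.9 and 203.0.113.4 match nothing you configured and are what case (2) describes.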

8 How does Squid work?

8.1 Which objects are cached?

Internet objects are files, documents, or responses to queries to one of the following services: FTP, HTTP or gopher. A client requests an Internet object from the caching proxy; the proxy server fetches the object (either from the host named in the URL or from a parent or sibling cache) and forwards it to the client.

8.2 What is the ICP protocol?

ICP is the protocol squid caches use to talk to each other. It is described in the Internet Cache Protocol, version 2 Internet-Draft, available at http://www.nlanr.net/Cache/ICP/ICP-id.txt.

ICP is primarily used in a cache hierarchy to locate specific objects in sibling caches. If squid does not have the requested document, it sends an ICP query to its sibling caches, which in turn reply with ICP "HIT" or "MISS" answers. The cache then uses the replies to choose which cache to resolve its own MISS through.

ICP also supports complex transfers of multiple objects over a single TCP connection. ICP currently runs over UDP. Current Squid versions also support multiple ICP queries.

8.3 What is dnsserver?

dnsserver is a process started by squid to resolve domain names to IP addresses. It is needed because the gethostbyname(3) function blocks the calling process until the DNS query is resolved.

Squid's I/O process must not block, so DNS lookups are performed in a process external to the main one. The dnsserver processes do not cache DNS queries; squid itself does that.

8.4 What is the ftpget program for?

ftpget is an FTP client used to fetch files from FTP servers. Because the FTP protocol is not simple, it is easier to implement it separately from the main squid code.

8.5 FTP PUT does not work

It seems that FTP put does not work through squid. Can this be fixed, and/or is any work being done on it?

Not at the moment; an ftpput program would be needed to support it.

8.6 What is a cache hierarchy? What are parent and sibling caches?

A cache hierarchy is a structure of caching proxy servers logically arranged as parent/child and sibling nodes, such that the caches closest to the Internet link are parents of those further from the Internet entry point. Parent caches handle their children's "misses". In other words, when a cache requests an object from its parent and the parent does not have it, the parent fetches the object, caches it, and passes it to the child. A hierarchy thus gives the greatest relief to the link, reduces the use of external Internet servers, and gives child caches more "hits" than they would get alone, thanks to the parents' larger caches.

Besides parent/child relationships, squid supports the notion of sibling caches, that is, caches at the same level of the hierarchy, meant to share the load. Each cache in the hierarchy decides independently where to fetch an object from, either the origin server on the Internet or a parent or sibling cache, using a simple resolution mechanism. Sibling caches will not fetch an object on behalf of another cache at the same level after answering it with a "miss".

8.7 What is Squid's cache resolution algorithm?

  1. Send ICP queries to all appropriate sibling caches
  2. Wait for all replies that arrive within the configured time (two seconds by default).
  3. On the first HIT reply, start fetching the object, or
  4. Fetch the object from the first parent cache that replied MISS (subject to the weighting factors), or
  5. Fetch the object from the Internet
The algorithm becomes somewhat more complex when a firewall is part of the picture.

The single_parent_bypass directive prevents sending ICP queries when the only appropriate neighbour is a parent (that is, if there is nowhere else to get the object from, why ask in vain?)

8.8 What Squid features are the developers working on now?

There are several open projects concerning better automatic load balancing, (dynamic and static) parent cache selection, routing, multiple cache-to-cache requests, and better recognition of URLs that should not be cached.

The current list of planned features is available at http://squid.nlanr.net/Squid/Devel/todo.html.

Developers of future versions should look at http://squid.nlanr.net/Squid/Devel/.

8.9 Where can I find information about Internet traffic workloads?

Workload can be described as the load a user or group of users places on a system. Understanding the nature of the workload is very important for managing system performance. If you are interested in Internet traffic workloads, start at http://www.nlanr.net/NA/.

8.10 What are the benefits of caching together with the NLANR caching system?

The benefits of hierarchical caching are reduced link load, lower access times and better fault tolerance. Upper-level caches serve the requests of those below them. If the average hit rate of an edge cache is 50%, half of all the edge caches' references must be handled through the second-level cache rather than directly from the origin host. If that second-level cache holds most of the requested documents, there is a gain; but if the upper-level cache usually lacks the document, or is overloaded, access time increases instead of decreasing.

8.11 Where can I find information about firewalls?

See the mailing list and FAQ at http://www.greatcircle.com/firewalls/
$Id: footer,v 1.3 1997/03/13 16:19:52 wessels Exp $

Last-modified: Tue, 01 Dec 1998 21:18:05 GMT