Reprinted from: http://zhumeng8337797.blog.163.com/blog/static/10076891420118954728980/
acl allowuser src 192.168.1.1/32
cache_peer 192.168.1.50 parent 81 0 no-query originserver weight=1 name=a
cache_peer 192.168.1.50 parent 82 0 no-query originserver weight=1 name=b
cache_peer 192.168.1.50 parent 80 0 no-query originserver weight=1 name=c
cache_peer_domain a www.serverA.com
cache_peer_domain b www.serverB.com
cache_peer_domain c www.serverC.com
#The above six lines configuration means:
#The request from the client, if it is www.serverA.com, Squid sends a request to port 81 of Server 192.168.1.50;
#The request from the client, if it is www.serverB.com, Squid sends a request to port 82 of Server 192.168.1.50;
#The request from the client, if it is www.serverC.com, Squid sends a request to port 80 of Server 192.168.1.50;
#In other words: cache_peer_domain forwards different domain names to different cache_peers. Without it, different domain names may be distributed to the same server (or the same port of the same server).
#name=a means to give the cache_peer an alias
cache_peer_access a allow all
cache_peer_access b allow all
cache_peer_access c allow all
#Set access permissions: allow all external clients to access a, b and c
#If it is: cache_peer_access a allow allowuser
#it means that only allowuser is allowed to access www.serverA.com
Another example:
acl user1 src 192.168.2.68/32
acl user2 src 192.168.2.94/32
#Define two user IPs
cache_peer 192.168.2.172 parent 80 0 no-query no-digest originserver name=www1 sourcehash
cache_peer 192.168.2.173 parent 81 0 no-query no-digest originserver name=www2 sourcehash
cache_peer_domain www1 www.domian.com
cache_peer_domain www2 www.domian.com
#Indicates that for a request for www.domian.com, Squid sends the request to port 80 of 192.168.2.172 and port 81 of 192.168.2.173
cache_peer_access www1 allow user1
cache_peer_access www2 allow user2
#Allow user1 to access port 80 of 192.168.2.172
#Allow user2 to access port 81 of 192.168.2.173
Set the cache_peer of the parent proxy:
If you want to set a parent proxy server, such as proxy.test.edu.cn, you can configure it like this.
Add the following below the line #cache_peer hostname type 3128 3130
cache_peer proxy.test.edu.cn parent 3128 3130 no-query no-netdb-exchange
If you want to set up proxy servers of the same level (siblings), such as 192.168.1.41 and 192.168.1.42, you can configure it like this
cache_peer 192.168.1.41 sibling 3128 3130 proxy-only
....
Note that each unit currently implements hierarchical management of proxy servers. To set up a parent proxy server, you must also obtain the consent of the upper-level unit
Description:
(1) The definition format of the command cache_peer is:
cache_peer hostname type 3128 3130
hostname is the name of the proxy (cache) host
type is the type of proxy host; the two kinds used above are parent and sibling
3128: HTTP_PORT
3130: ICP_PORT
(2) Additional configuration options (note that it should be lowercase when configuring)
NO-QUERY: Do not perform query operations; obtain the data directly
NO-NETDB-EXCHANGE: No information exchange between proxy servers
NO-DIGEST: Do not query the cache digest between proxy servers; communicate directly with the ICP protocol (same-level proxy)
PROXY-ONLY: Fetch objects from the peer's cache and pass them to this proxy's client without storing them locally
ROUND-ROBIN: If several upper-level servers are set up, the parent servers are queried in turn
LOGIN=USER:PASSWD: the peer requires account and password verification, for example
cache_peer 192.168.1.41 sibling 3128 3130 login=kao:123456
For example:
The following is the configuration on the squid1 machine
icp_port 3130
acl domian dst www.domian.com
acl squid2 src xx.xx.xx.xx
acl squid3 src xx.xx.xx.xx
http_access allow squid2
http_access allow squid3
1. Configure squid2 and squid3 as neighbors. When squid1 does not find the requested resource in its cache, it will get the cache from its neighbors through ICP query
cache_peer squid2 sibling 80 3130
cache_peer squid3 sibling 80 3130
2. squid1 has three parent nodes. The originserver parameter indicates an origin server; the round-robin parameter means that Squid distributes each request to one of the parent nodes in turn. Squid also checks the health status of these parent nodes; if a parent node is down, Squid fetches data from the remaining origin servers.
cache_peer 192.168.1.1 parent 8080 0 no-query originserver round-robin name=www1
cache_peer 192.168.1.2 parent 8080 0 no-query originserver round-robin name=www2
cache_peer 192.168.1.3 parent 8080 0 no-query originserver round-robin name=www3
3. The request for the www.domian.com domain is forwarded to one of the three parent nodes through RR polling.
#cache_peer_domain takes domain names, not ACL names
cache_peer_domain www1 www.domian.com
cache_peer_domain www2 www.domian.com
cache_peer_domain www3 www.domian.com
4. always_direct causes matching requests to be sent directly to the origin server instead of querying siblings. Requests for the domain name www.domian.com must not go out directly; they query the siblings. For the rest of the domain names, Squid still forwards them directly, resolving them through hosts
always_direct allow !domian
Understanding of Cache_peer
1) cache_peer neighbors are divided into parent (parent neighbor) and sibling (sibling neighbor). The difference between them is that a parent can forward cache misses on behalf of its child cache, but a sibling cannot.
2) Access to neighbors is controlled through cache_peer_access and cache_peer_domain. The difference between the two is that the former generally needs an ACL to be defined first, while the latter matches the corresponding domain name directly.
Such as:
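cache_peer 192.168.0.1 parent 3128 3130
acl AllowDomain dst www.abc.com
#cache_peer_access: peer name, then allow|deny, then the ACL name
cache_peer_access 192.168.0.1 allow AllowDomain
#cache_peer_domain: peer name, then the domain(s)
cache_peer_domain 192.168.0.1 .xyc.com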
3) Cache_peer restricts access to neighbors through never_direct, always_direct, hierarchy_stoplist, etc.
4) When Squid communicates with neighbor caches, never_direct and then always_direct generally determine how a request is forwarded. This is tracked by a direct flag: never_direct marks the request as direct_no, always_direct marks it as direct_yes (forward directly to the origin server); for details of direct_maybe, see the Squid Chinese Authoritative Guide, section 10.10.1. Squid then checks, according to its settings, whether the request hits in a neighbor's digest (or is found through an ICP or HTCP request); on a hit, the neighbor is immediately placed in the forwarding list. All of this also depends on cache_peer_access and cache_peer_domain. At the same time Squid checks whether the RTT measured by netdb is optimal and decides whether to choose this neighbor for forwarding.
5) A sibling does not forward any missed requests, but a parent can. If Squid finds that the RTT (round trip time) from the parent neighbor to the origin server is less than its own RTT to the origin server, it forwards the request to this parent neighbor. The RTT needs to be measured by the netdb option, and there are other options that affect the choice of parent neighbor, such as weight=N, which sets the weight of the parent neighbor to give it a higher priority.
ICP/HTCP, like cache digests and CARP, all determine whether the requested URI is a hit in a neighbor. ICP sends the URL in a query and Squid waits for the neighbor's response; the network delay can be large, and false hits in sibling caches are very prominent. no-query disables the ICP protocol. A cache digest is summary information generated on the neighbor; the digest reflects the contents of that cache. Each neighbor downloads the digests of the other caches and, when sending a URI request, checks whether the URL is in one of the digests.
Excerpts of the main configuration from two squid.conf files follow
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$vi etc/squid.conf
http_port 8080
cache_peer 10.10.2.53 parent 6666 7 login=username:password default no-query
cache_mem 60 MB
cache_mgr zdysgs@zju.edu.cn
dns_nameservers 10.10.0.21
visible_hostname zdysgs.zju.edu.cn
cache_dir ufs /usr/local/squid/var/cache 500 16 256
http_access allow all
never_direct allow all
error_directory /usr/local/squid/share/errors/Simplify_Chinese
cache_swap_low 80
cache_swap_high 97
#These two lines set the thresholds for cache replacement. When 97% of the cache is occupied, 20% of the content in the cache is evicted
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The second one was found online; it is relatively brief and clear at a glance, as follows
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1. Squid second-level proxy: squid-2.5.STABLE7 is installed in /usr/local/squid on 10.2.1.213
Configure this Squid as a second-level proxy; the IP of the parent proxy is 10.1.1.12, port 3128
Modify squid.conf to include content similar to the following:
cache_peer 10.1.1.12 parent 3128 0 no-query ###Define parent proxy 10.1.1.12, port 3128
acl all src 0.0.0.0/0.0.0.0 ###access control list
http_access allow all
never_direct allow all ###All requests are forwarded to the parent proxy
Run squid: # /usr/local/squid/squid -D
Minghui called last night and said that there was an access error. I have encountered it before. It is probably not a Squid problem. I am very depressed. On that day, the company applied for a wireless network card without money, so I could only call Han Fei to see him. While testing, he told me the situation. At first I determined that the problem was not in Squid, because it was a 403 and the error page was not generated by Squid, so I had to remove the machine from lvs and wait to solve it at the company this morning.
I came to the company in the morning and checked immediately. First checks:
1: access_log
Check the log first and find it is 403, and 403 is cached, PURGE is still 403.
2: tcpdump
It is found that the data packet does not reach the specified cache_peer, but other domain names can be accessed normally.
3: squid -k debug
Finally I modified the port and turned on debug to find the problem.
It is because a cache_peer is defined, but there is no cache_peer_[domain|access] line referring to it. When the parent is selected, it becomes FIRST_UP_PARENT, which causes the request to be sent to the wrong IP, and 403 is returned. Other domain names can be accessed because the IP they are sent to happens to be the origin server.
Another machine of lvs is also normal, and the analysis log is TCP_MISS:CARP. It is a coincidence that CARP does not understand.
Reproduce the fault now.
Squid configuration-cache_peer and cache_peer_domain detailed explanation
1: Configuration environment
172.16.1.1
C:\WINDOWS\system32\drivers\etc\HOSTS
172.16.1.54 www.ming.com
172.16.1.54 xin.ming.com
172.16.1.54 abxin.ming.com
172.16.1.54
[root@54 etc]# grep "^cache_peer" /opt/app/squid3/etc/squid.conf
cache_peer 172.16.1.55 parent 80 0 no-query no-digest originserver name=ming
cache_peer 172.16.1.56 parent 80 0 no-query no-digest originserver name=ming_2
cache_peer_domain ming_2 www.ming.com
cache_peer 172.16.1.57 parent 80 0 no-query no-digest originserver name=xin
cache_peer_domain xin xin.ming.com
[root@54 etc]#
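Added example (not part of the original post, and not Squid code): a small Python check for the fault described above, a cache_peer that no cache_peer_domain or cache_peer_access line refers to, run on the grep output shown above. The function names are hypothetical; "!" negation in cache_peer_domain is not handled, and cache_peer_access ACLs are only detected, not evaluated.

```python
# Added example, not from the original post: lint cache_peer references.
# SAMPLE_CONF is the grep output shown above.
SAMPLE_CONF = """\
cache_peer 172.16.1.55 parent 80 0 no-query no-digest originserver name=ming
cache_peer 172.16.1.56 parent 80 0 no-query no-digest originserver name=ming_2
cache_peer_domain ming_2 www.ming.com
cache_peer 172.16.1.57 parent 80 0 no-query no-digest originserver name=xin
cache_peer_domain xin xin.ming.com
"""

def parse_peers(conf_text):
    """Map peer name -> {"host", "domains", "acl"} from squid.conf text."""
    peers = {}
    for raw in conf_text.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) < 2:
            continue
        if tok[0] == "cache_peer" and len(tok) >= 5:
            # A peer is named after its hostname unless name= is given.
            name = next((t[5:] for t in tok[5:] if t.startswith("name=")), tok[1])
            peers[name] = {"host": tok[1], "domains": [], "acl": False}
        elif tok[0] == "cache_peer_domain" and tok[1] in peers:
            peers[tok[1]]["domains"] += tok[2:]
        elif tok[0] == "cache_peer_access" and tok[1] in peers:
            peers[tok[1]]["acl"] = True
    return peers

def unrestricted_peers(peers):
    """Peers that no cache_peer_domain/cache_peer_access line refers to."""
    return sorted(n for n, p in peers.items() if not p["domains"] and not p["acl"])

def domain_match(rule, host):
    # ".example.com" also covers subdomains; a bare name must match exactly.
    if rule.startswith("."):
        return host == rule[1:] or host.endswith(rule)
    return host == rule

def candidates(peers, host):
    """Peers that cache_peer_domain leaves eligible for host, in config order.
    Peers with cache_peer_access are skipped: ACLs are not evaluated here."""
    return [(n, p["host"]) for n, p in peers.items()
            if not p["acl"]
            and (not p["domains"] or any(domain_match(d, host) for d in p["domains"]))]

if __name__ == "__main__":
    peers = parse_peers(SAMPLE_CONF)
    print("unrestricted:", unrestricted_peers(peers))
    for h in ("www.ming.com", "xin.ming.com", "abxin.ming.com"):
        print(h, "->", candidates(peers, h))
```

On this configuration the peer ming (172.16.1.55) is reported as unrestricted, so it stays a candidate for www.ming.com, xin.ming.com and abxin.ming.com alike.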
172.16.1.55 and 172.16.1.56
nginx.conf