make sure that the workstations are configured to use local DNS servers.

If a DNS server runs on the firewall or proxy server (which is a good idea, IMHO), have the workstations use it.


5 Operation

5.1 How do I see system statistics for Squid?

The Squid distribution includes a CGI utility, cachemgr.cgi, for viewing squid statistics in a browser. For more information, see the section devoted to cachemgr.cgi.

5.2 What can I find out from the log files?

The files contain a variety of information about Squid's load and performance. Besides access information, the logs also record system errors and resource consumption, such as memory or disk space. The format of the Squid log files is described below:

access.log, common format:

    Host Ident - [D/M/Yr:H:M:S TZ] "Method URL" Status Size

access.log, Squid 1.0 native format:

    Time Elapsed Host Status/HTTP/Hier_Status Size Method URL

access.log, Squid 1.1 native format:

    Time Elapsed Host Status/HTTP Size Method URL Ident Hier_Status/Hier_Host

hierarchy.log, Squid 1.0 only:

    [D/M/Yr:H:M:S TZ] URL Hier_Status Hier_Host

Here is a description of the format of the various log components:
Host
IP address of the requesting host (in v1.1 it may be an FQDN, if so configured).
Ident
Usually '-'. In version 1.1, the Ident (RFC 931) response, if enabled.
Method
GET, HEAD, POST for TCP requests, or ICP_QUERY for UDP requests.
URL
The requested object.
Status
Result of the request (TCP_HIT for previously cached objects, TCP_MISS if the requested object was not taken from the local cache, UDP_HIT and UDP_MISS likewise for sibling requests).
HTTP
The HTTP code returned: 200 for success, 000 for UDP requests, 403 for redirects, 500 for errors, etc.
Size
Number of bytes transferred to the client.
Hier_Status
Result of requests to sibling/parent caches. Can be PARENT_MISS, SIBLING_HIT, etc.
Hier_Host
The host from which the object was fetched.
Time
Time since Jan 1, 1970, in milliseconds.
Elapsed
Elapsed time in milliseconds.
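A parser for the Squid 1.1 native access.log layout listed above, as an added example that is not part of the original FAQ or of Squid itself. The function names and the sample lines are constructed for illustration; it also goes slightly beyond the format description by summarising hit ratio, largest objects and bytes per client.

```python
from collections import Counter
from typing import NamedTuple, Optional

# Constructed sample lines in the Squid 1.1 native layout:
# Time Elapsed Host Status/HTTP Size Method URL Ident Hier_Status/Hier_Host
SAMPLE = """\
854296425.123 120 192.0.2.10 TCP_MISS/200 48213 GET http://www.example.com/big.tar - PARENT_MISS/parent.example.net
854296426.456 4 192.0.2.11 TCP_HIT/200 1024 GET http://www.example.com/index.html - NONE/-
854296427.789 1 192.0.2.20 UDP_MISS/000 60 ICP_QUERY http://www.example.com/a.gif - NONE/-
854296428.001 300 192.0.2.10 TCP_MISS/200 9000 GET http://www.example.org/x y - PARENT_MISS/parent.example.net
truncated line
"""


class Entry(NamedTuple):
    time: str         # kept exactly as logged; the unit is not interpreted here
    elapsed_ms: int
    host: str         # client address (or FQDN)
    status: str       # TCP_HIT, TCP_MISS, UDP_HIT, UDP_MISS, ...
    http_code: str    # 200, 000 for UDP requests, ...
    size: int         # bytes sent to the client
    method: str
    url: str
    ident: str
    hier_status: str
    hier_host: str


def _uint(text: str) -> Optional[int]:
    """Parse a non-negative ASCII decimal number, or return None."""
    return int(text) if text.isascii() and text.isdigit() else None


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry, or None when the line does not fit the format."""
    fields = line.split()
    # The URL is client-controlled. A line with extra whitespace-separated
    # fields is rejected instead of guessing where the URL ends.
    if len(fields) != 9:
        return None
    time, elapsed, host, status_http, size, method, url, ident, hier = fields
    status, slash1, http_code = status_http.partition("/")
    hier_status, slash2, hier_host = hier.partition("/")
    elapsed_ms, nbytes = _uint(elapsed), _uint(size)
    if not (slash1 and slash2) or elapsed_ms is None or nbytes is None:
        return None
    return Entry(time, elapsed_ms, host, status, http_code, nbytes,
                 method, url, ident, hier_status, hier_host)


def summarize(lines, top=25):
    """Summarise a log: TCP hit ratio, largest objects, bytes per client."""
    entries, malformed = [], 0
    for line in lines:
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            malformed += 1      # count rejects so silent data loss is visible
        else:
            entries.append(entry)
    status_counts = Counter(e.status for e in entries)
    # ICP (UDP_*) queries are excluded from the hit ratio.
    tcp_total = sum(n for s, n in status_counts.items() if s.startswith("TCP_"))
    bytes_by_host = Counter()
    for e in entries:
        bytes_by_host[e.host] += e.size
    return {
        "entries": len(entries),
        "malformed": malformed,
        "hit_ratio": status_counts["TCP_HIT"] / tcp_total if tcp_total else 0.0,
        "largest": sorted(((e.size, e.url) for e in entries), reverse=True)[:top],
        "bytes_by_host": dict(bytes_by_host),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE.splitlines(), top=2))
```

Rejected lines are counted rather than dropped silently, so a sudden rise in the malformed count is itself a signal worth looking at.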

5.3 Which log files can I delete?

To preserve the log files, it is best to send the squid process the USR1 signal. This causes the current log files to be closed and renamed. After that, the old log files can be deleted. For example, if your squid.pid file is located at /usr/local/squid/logs/squid.pid (as set in squid.conf), do the following:

kill -USR1 `cat /usr/local/squid/logs/squid.pid`

Note: The logfile_rotate line in squid.conf makes manual deletion of old log files unnecessary. Simply set logfile_rotate to the desired value. Once the logfile_rotate value is reached, the old log is deleted automatically. Set logfile_rotate as needed and add a crontab entry that sends squid the SIGUSR1 signal, for example at midnight every day:

0 0 * * * /bin/kill -USR1 `cat /usr/local/squid/logs/squid.pid`

The only file that must not be deleted is log, which is usually located in the first cache_dir directory. This file contains the data needed to rebuild the cache when Squid starts. Deleting this file will result in the loss of the cache.

5.4 How do I find the largest object in the cache?

sort -r -n -k 5,5 access.log | awk '{print $5, $7}' | head -25

5.5 I want to restart Squid with a clean cache

The first way is to add -z on the command line.

Another, possibly simpler, way is to delete the log file from the cache_dir directory.


6 Cache manager

[Contributed by Jonathan Larmour <JLarmour@origin-at.co.uk>]

6.1 What is the cache manager?

The cache manager (cachemgr.cgi) is a CGI utility for viewing statistics of a running squid process. The cache manager is a simple way to manage the cache and view statistics without logging in to the server.

6.2 How do I install it?

First of all, it depends on which web server you use. Below you will find instructions for configuring the CERN and Apache servers to use cachemgr.cgi.

After you have changed the server's configuration files, you need to either restart the web server or send it a SIGHUP so that it rereads its configuration files.

When you have finished configuring the web server, you will be able to connect to the cache manager with a browser at the URL:

http://www.example.com/Squid/cgi-bin/cachemgr.cgi

6.3 Configuring CERN httpd 3.0 for use with the cache manager

First, make sure that only the specified workstations have access to the cache manager. They must be set in the CERN httpd.conf, not in squid.conf.
        Protection MGR-PROT {
                 Mask    @(workstation.example.com)
        }
You can specify them with wildcards or IP addresses, including comma-separated lists. Other protection methods are also possible. Consult the server documentation.

You should also add:

        Protect         /Squid/*        MGR-PROT
        Exec            /Squid/cgi-bin/*.cgi    /usr/local/squid/bin/*.cgi
to mark the script as executable for MGR-PROT.

6.4 Configuring Apache for use with the cache manager

First, make sure the cgi-bin directory is listed in a ScriptAlias in your Apache srm.conf file, something like this:
ScriptAlias /Squid/cgi-bin/ /usr/local/squid/cgi-bin/
We do not recommend making a ScriptAlias of the entire /usr/local/squid/bin directory, where the Squid binaries reside.

Next, specify the workstations that have access to the cache manager. This is set in the Apache access.conf file, not in squid.conf. At the end of access.conf, insert:

        <Location /Squid/cgi-bin/cachemgr.cgi>
        order deny,allow
        deny from all
        allow from workstation.example.com
        </Location>
You can enter several lines, and you can add domains or networks.

Also, cachemgr.cgi can be password-protected. Add the following lines to access.conf:

        <Location /Squid/cgi-bin/cachemgr.cgi>
        AuthUserFile /path/to/password/file
        AuthGroupFile /dev/null
        AuthName User/Password Required
        AuthType Basic
        <Limit GET>
        require user cachemanager
        </Limit>
        </Location>
The Apache documentation has information on using htpasswd to set the password.

6.5 Setting the ACL (user list) for the cache manager in squid.conf

By default, access to the cache manager is set in squid.conf like this:
        acl manager proto cache_object
        acl localhost src 127.0.0.1/255.255.255.255
        acl all src 0.0.0.0/0.0.0.0
With the following permissions:
        http_access deny manager !localhost
        http_access allow all
The first ACL entry is needed for the cache manager, since it uses a special cache_object protocol to query squid. You can try it yourself:

telnet mycache.example.com 3128
GET cache_object://mycache.example.com/info HTTP/1.0

By default, if the request is for cache_object and does not come from the local machine, access is denied; otherwise it is allowed.

In fact, since access is allowed only from the local machine, you can specify localhost as the cache host in the cachemgr.cgi field. We recommend the following:

        acl manager proto cache_object
        acl localhost src 127.0.0.1/255.255.255.255
        acl example src 123.123.123.123/255.255.255.255
        acl all src 0.0.0.0/0.0.0.0
Where 123.123.123.123 is the IP address of your web server. Then change the rules like this:
        http_access deny manager !localhost !example
        http_access allow all
The default assumes that the web server is on the same machine as squid. Note that the cache manager's connection to squid comes from the web server, not from the browser. So if your web server is located somewhere else, the IP address of the web server on which cachemgr.cgi is installed must be specified in place of example in the example above.

Do not forget to send squid a SIGHUP each time you change squid.conf.
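A small model of how the two rule sets above decide a request, as an added example that is not part of the original FAQ and is not Squid's own code. It assumes only what the section shows: http_access lines are checked in order, every ACL on a line must match, and "!" negates; the function names and the 192.0.2.50 workstation address are constructed.

```python
import ipaddress

# The default and the recommended rule sets, copied from the section above.
DEFAULT = """
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl all src 0.0.0.0/0.0.0.0
http_access deny manager !localhost
http_access allow all
"""

RECOMMENDED = """
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl example src 123.123.123.123/255.255.255.255
acl all src 0.0.0.0/0.0.0.0
http_access deny manager !localhost !example
http_access allow all
"""


def parse_config(text):
    """Collect acl definitions and the ordered http_access rules."""
    acls, rules = {}, []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl" and len(words) == 4:
            _, name, kind, value = words
            acls[name] = (kind, value)
        elif words[0] == "http_access" and len(words) >= 3:
            rules.append((words[1], words[2:]))
    return acls, rules


def _src_matches(value, src):
    """True when src lies inside an address/netmask pair as written above."""
    addr, _, mask = value.partition("/")
    mask_int = int(ipaddress.IPv4Address(mask or "255.255.255.255"))
    src_int = int(ipaddress.IPv4Address(src))
    return (src_int & mask_int) == (int(ipaddress.IPv4Address(addr)) & mask_int)


def acl_matches(acls, name, proto, src):
    kind, value = acls[name]
    if kind == "proto":
        return proto == value
    if kind == "src":
        return _src_matches(value, src)
    raise ValueError(f"acl type not modelled: {kind}")


def decide(config, proto, src):
    """Return 'allow' or 'deny' for a request with this protocol and source."""
    acls, rules = parse_config(config)
    for action, terms in rules:
        # A term matches when the ACL result differs from its "!" negation flag.
        if all(acl_matches(acls, t.lstrip("!"), proto, src) != t.startswith("!")
               for t in terms):
            return action
    # Both rule sets end with "allow all", so nothing falls through; returning
    # "deny" here is this model's own conservative choice.
    return "deny"


if __name__ == "__main__":
    for label, cfg in (("default", DEFAULT), ("recommended", RECOMMENDED)):
        for src in ("127.0.0.1", "123.123.123.123", "192.0.2.50"):
            print(label, src, decide(cfg, "cache_object", src))
```

Squid only ever sees the web server's address on a cache_object request, so restricting which browsers may reach cachemgr.cgi remains the job of the web server rules in 6.3 and 6.4.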

6.6 Why does it ask me for a password and a URL?

If you look at the drop-down list, you will see that the password is needed only to shut down the cache, and the URL is needed to refresh an object (that is, to retrieve it again from the origin server). No password is required to obtain information from cachemgr.cgi.

6.7 I want to shut down the cache remotely. What is the password?

There is a cachemgr_passwd directive in squid.conf.

6.8 How do I make the cache host field default to the name of my cache?

Find the following line in the Makefile.in file:
        HOST_OPT        = # -DCACHEMGR_HOSTNAME="getfullhostname()"
If the web server with cachemgr.cgi runs on the same machine as Squid, simply remove the #. If the web server is a different one, then:
        HOST_OPT        = -DCACHEMGR_HOSTNAME=\"mycache.example.com\"
After these changes, recompile and reinstall cachemgr.cgi.

6.9 What is the difference between Squid's TCP and UDP connections?

Browsers and caches use TCP connections to retrieve objects from web servers or caches. UDP connections are used when another cache, using yours as a sibling or parent, asks whether it has the needed object. UDP connections are ICP queries.

6.10 It says the cache storage lifetime will expire in 1970!

Don't worry. Squid's normal (and generally sensible) behaviour is to overwrite objects that have expired.

6.11 What do the Meta Data entries mean?

StoreEntry
An entry describing a cache object.
IPCacheEntry
An entry in the DNS cache.
Hash link
A link in the hash table structure.
URL strings
The URL strings themselves, which map to an object number in the cache and allow access to the StoreEntry.
Basically similar to the log file in the cache directory:
PoolMemObject structures
Information about objects currently in memory (for example, in the process of being transferred).
Pool for Request structures
Information about each request.
Pool for in-memory object
Space for received objects.

6.12 The Pool for in-memory object is huge and does not get smaller! Is this a memory leak?

No. This pool only grows. It is equal to the largest object ever cached by squid. If you do not want it to be that large, reduce the cache_mem value and the object sizes for gopher, http and ftp in squid.conf.

6.13 The value of the "Total accounted" field does not match the size my squid occupies!

If this value is close to the size in question, don't worry. If squid occupies much more, it may be a memory leak, and all you can do is wait for new patches and restart squid from time to time.

If squid occupies much less than this field says, be careful! Something is wrong, and you should restart squid.

6.14 In the utilization section, what is Other?

Other is the category for objects that do not fall into any other category.

6.15 In the utilization section, why is the Transfer KB/sec column always zero?

This column contains a rough approximation of the ratio of data transferred to the total running time of the cache. These figures are unreliable and practically useless.

6.16 In the utilization section, what does Object Count mean?

The number of objects of this type currently in the cache.

6.17 In the utilization section, what does Max/Current/Min KB mean?

This refers to the size that all objects of this type have grown to / currently have / have shrunk to.

6.18 What is the I/O section about?

These are histograms of the number of bytes read from the network per read(2) call. They are quite useful for determining maximum buffer sizes.

6.19 What is in the Objects section?

Warning: in this section your browser will receive a list of every URL in the cache along with statistics about them. It can be very, very large. Sometimes it can be larger than the memory available to your client! You will probably never need this information.

6.20 What is the VM Objects section for?

VM Objects are objects residing in virtual memory. These objects have already been downloaded and are kept in memory for fast access.

6.21 What does AVG RTT mean?

Average Round Trip Time. It shows the average time from sending an ICP ping to receiving the reply.

6.22 In the IP cache section, what is the difference between hit, negative hit and miss?

HIT means that the document was found in the cache. MISS means that it was not found. Negative hit means that it was in the cache but does not exist.

6.23 What do the contents of the IP cache section mean?

Hostname is the name to be resolved.

For the Flags column:

C
Cached.
N
Not cached.
P
Request is pending dispatch.
D
Request has been dispatched and a reply is awaited.
L
Entry is locked because it acts as a parent or sibling.
The TTL column shows "Time To Live" (that is, how long the cache entry remains valid). (May be negative if the document has expired.)

The N column is the number of IP addresses that the hostname has.

The remaining IP addresses belonging to this IP cache entry are listed at the end of the line.

6.24 How do I analyze memory usage from cachemgr.cgi data?

Look at the Cache Information page of your cachemgr.cgi. For example:
        Memory usage for squid via mallinfo():
               Total space in arena:   94687 KB
               Ordinary blocks:        32019 KB 210034 blks
               Small blocks:           44364 KB 569500 blks
               Holding blocks:             0 KB   5695 blks
               Free Small blocks:       6650 KB
               Free Ordinary blocks:   11652 KB
               Total in use:           76384 KB 81%
               Total free:             18302 KB 19%

        Meta Data:
        StoreEntry                246043 x   64 bytes =  15377 KB
        IPCacheEntry                 971 x   88 bytes =     83 KB
        Hash link                      2 x   24 bytes =      0 KB
        URL strings                                   =  11422 KB
        Pool MemObject structures    514 x  144 bytes =     72 KB (    70 free)
        Pool for Request structur    516 x 4380 bytes =   2207 KB (  2121 free)
        Pool for in-memory object   6200 x 4096 bytes =  24800 KB ( 22888 free)
        Pool for disk I/O            242 x 8192 bytes =   1936 KB (  1888 free)
        Miscellaneous                                 =   2600 KB
        total Accounted                               =  58499 KB
The first line of mallinfo() reports that 94M is in use. This value is close to what top shows (97M).

Of that 94M, 81% (76M) is actually in use at the moment. The rest has been freed, or reserved by malloc(3) and is not yet in use.

Of the 76M in use, 58.5M (76%) can be accounted for. The rest is taken up by malloc(3) calls.

The Meta Data list shows where the available memory has gone. 45% went to StoreEntry and URL string storage. Another 42% is spent on storing objects in virtual memory while they are being delivered to clients (Pool for in-memory object).

The pool sizes are set in squid.conf. In version 1.0 they are rather dumb: a stack of unused pages is kept instead of freeing the block. For Pool for in-memory object, the size of this stack is 1/2 of cache_mem. The size of Pool for disk I/O is hard-coded at 200. For MemObject and Request it is 1/8 of FD_SETSIZE.

If you need to reduce the memory used by the process, we recommend lowering the maximum object sizes in the 'http', 'ftp' and 'gopher' configuration lines. You can also reduce cache_mem. But if cache_mem is made too small, some objects may not be saved to disk under heavy load. Newer versions of Squid allow you to set memory_pools off, thereby disabling the free memory pool.

6.25 What is the fqdncache and how does it differ from the ipcache?

The IPCache contains data on Hostname to IP-Number resolution, and the FQDNCache contains the reverse data.

For example:

==============================================================================

IP Cache Contents:
 Hostname                      Flags lstref    TTL  N [IP-Number]
 gorn.cc.fh-lippe.de               C       0  21581 1 193.16.112.73
 lagrange.uni-paderborn.de         C       6  21594 1 131.234.128.245
 www.altavista.digital.com         C      10  21299 4 204.123.2.75  204.74.103.37    204.123.2.66    204.123.2.69
 2/ftp.symantec.com                DL   1583 -772855 0

Flags:  C --> Cached
        D --> Dispatched
        N --> Not cached
        L --> Locked

lstref: Time since last use
   TTL: Time-To-Live until the information expires
     N: Number of addresses

==============================================================================

FQDN Cache Contents:

 IP-Number                    Flags TTL(?) N Hostname]

 130.149.17.15                    C -45570 1 andele.cs.tu-berlin.de
 194.77.122.18                    C -58133 1 komet.teuto.de
 206.155.117.51                   N -73747 0

 Flags: C --> Cached
        D --> Dispatched
        N --> Not cached
        L --> Locked
   TTL: Time-To-Live
     N: Number of names

7 Troubleshooting

7.1 Why can't I access the proxy: "Proxy Access Denied"?

If squid is running in httpd-accelerator mode, it forwards all HTTP requests to the HTTP server but does not act as a proxy. If you want your cache to also handle proxy-HTTP requests, do the following:

http_accel_with_proxy on

Also, you may have set the ACLs incorrectly. Check the access.log and squid.conf files.

7.2 local_domain does not work.

Squid caches objects from the local domain.

The local_domain directive does not prevent local objects from being cached. It prevents the use of sibling caches for local objects. If you do need that, use the cache_stoplist or http_stop options (depending on the version).

7.3 When the cache tries to fetch an object from a sibling cache, it gets Connection Refused, even though that cache considers the object to have been retrieved successfully.

If the ICP port is correct but the HTTP port is not, ICP queries will be sent normally and the ICP replies will make the cache think everything is fine, but the objects themselves will go missing. If a sibling cache changes its http_port, you will have the same problems for some time until you are notified.

7.4 Running out of file descriptors

This happens when the message Too many open files appears. It may be caused by an operating system with a low number of file descriptors. This limit can usually be set in the kernel or by other means. There are two ways to exhaust the file descriptor limit: the first is the per-process limit, the second is the limit on the total number of descriptors across all processes.

For Linux, there is the patch filehandle.patch.linux by Michael O'Reilly <michael@metal.iinet.net.au>.

For Solaris, add the following to the /etc/system file:

set rlim_fd_max = 4096
set rlim_fd_cur = 1024

You should also set #define SQUID_FD_SETSIZE in include/config.h to the same value as rlim_fd_max. It should not be set below 4096.

Solaris select(2) allows only 1024 descriptors; if you need more, edit src/Makefile and enable $(USE_POLL_OPT). Then rebuild squid.

For FreeBSD (by Torsten Sturm <torsten.sturm@axis.de>):

How do I find out the maximum number of file descriptors?
With the sysctl -a command, the kern.maxfilesperproc value.
How do I increase them?
sysctl -w kern.maxfiles=XXXX

sysctl -w kern.maxfilesperproc=XXXX
Warning: When increasing the values, keep the relationship maxfiles > maxfilesperproc.
What is the upper limit?
I don't think there is a formal limit inside the kernel. After all, the data structures are allocated dynamically. In practice, though, strange effects may occur (for example, the kernel may spend too much time searching tables).
For most BSD systems (SunOS, 4.4BSD, OpenBSD, FreeBSD, NetBSD, BSD/OS, 386BSD, Ultrix) the problem can be solved head-on (requires rebuilding the kernel):
How do I find out the maximum number of file descriptors?
With the pstat -T command, the files value, usually displayed as a current/maximum ratio.
How do I increase this value?
The first method is to increase the maxusers variable in the kernel configuration and rebuild the kernel. This is a very quick and easy method, but it also increases a number of other variables that you may not need to change.
Is there a more precise way?
Find the param.c file in the kernel sources and change the relationship between maxusers and the maximum number of open files according to the expressions below.
Here are a few examples:
SunOS
Change the value of nfile in /usr/kvm/sys/conf.common/param.c by altering the values in this expression:

int nfile = 16 * (NPROC + 16 + MAXUSERS) / 10 + 64;
Where NPROC is defined as:
#define NPROC (10 + 16 * MAXUSERS)
FreeBSD (starting with kernel 2.1.6)
Very similar to SunOS: edit /usr/src/sys/conf/param.c, working out the relationship between the maxusers, maxfiles and maxfilesperproc variables:

int maxfiles = NPROC*2;
int maxfilesperproc = NPROC*2;
Where NPROC is defined as:
#define NPROC (20 + 16 * MAXUSERS)
The per-process descriptor limit can also be set in the kernel configuration with this directive:
options OPEN_MAX=128
BSD/OS (starting with kernel 2.1)
Edit /usr/src/sys/conf/param.c and set maxfiles according to:

int maxfiles = 3 * (NPROC + MAXUSERS) + 80;
Where NPROC is defined as:
#define NPROC (20 + 16 * MAXUSERS)
You should also set OPEN_MAX to change the per-process descriptor limit.
Note: After rebuilding the kernel, Squid must be recompiled. Squid's configure script determines how many file descriptors are available, so the script must be run again. For example:
    cd squid-1.1.x
    make realclean
    ./configure --prefix=/usr/local/squid
    make

7.5 My squid periodically dies with an error that it cannot malloc(3) more memory, but I have plenty of RAM!

Besides the limit on the number of file descriptors, many systems have a limit on the amount of memory allocated to a process, especially non-root processes. BSD/OS has a fairly low limit, which you can raise. Edit the kernel configuration file, adding these lines:
options         DFLDSIZ=67108864        # 64 meg default max data size (was 16)
options         MAXDSIZ=134217728       # 128 meg max data size (was 64)
Rebuild the kernel and reboot the machine.

On Digital UNIX, edit the /etc/sysconfigtab file and add the line...

proc:
        per-proc-data-size=1073741824
Or, in csh, using the limit command ...
zpoprp.zpo.dec.com> limit datasize 1024M

Editing /etc/sysconfigtab requires a reboot; the limit command does not.

7.6 What are these strange lines about removing objects?

For example:
97/01/23 22:31:10| Removed 1 of 9 objects from bucket 3913
97/01/23 22:33:10| Removed 1 of 5 objects from bucket 4315
97/01/23 22:35:40| Removed 1 of 14 objects from bucket 6391
These are ordinary log file lines, but they do not mean that squid has reached cache_swap_high.

On the cache information page of cachemgr.cgi, find a line like this:

       Storage LRU Expiration Age:     364.01 days
Objects that have not been used for this amount of time are removed as part of regular maintenance. You can set your own LRU Expiration Age value using reference_age in the configuration file.

7.7 Why can't I set cache_effective_user to nobody under Linux?

Several users have reported that they cannot set cache_effective_user to nobody under Linux, and the server reports:
FATAL: Don't run Squid as root, set 'cache_effective_user'!
However, if cache_effective_user is set to something other than nobody, everything is OK. The first solution is to create a user for Squid and set cache_effective_user to it.

You can also change the UID of nobody from 65535 to 65534.

7.8 Can I tell a Windows NT FTP server to list directories in Unix format?

Why not! Select the following menu items: Double-click on ftp.

Next, select the server (there should be only one), then choose "Properties" from the menu and the "directories" tab; there will be an option "Directory listing style." Choose the "Unix" type, not the "MS-DOS" type.

--Oskar Pearson <oskar@is.co.za>

7.9 Why do ERR_NO_CLIENTS_BIG_OBJ messages appear so often?

This means that the requested object was in "Delete later" mode and the user aborted the transfer. An object ends up in "Delete later" mode if it:
  1. is larger than maximum_object_size
  2. was fetched from a neighbour cache that has the proxy-only option set.

7.10 Why does Squid need so much memory!?

Squid is so fast and can handle several requests simultaneously because it uses a lot of memory. To begin with, look at these FAQ sections: You can also improve performance by linking Squid with an external malloc library. We recommend:

7.11 Why do I get "Ignoring MISS from non-peer x.x.x.x"?

You are receiving an ICP MISS (via UDP) from a parent or sibling cache whose IP address is unknown to your cache. This can happen in two cases.

(1) If the other end has several interfaces and the packets come from one that is not listed in DNS. Strictly speaking, this is their problem. You can tell them either to register the interface's IP address in DNS or to use the Squid option 'udp_outgoing_address'.

For example:

# (squid.conf of the parent cache)
#
udp_outgoing_address proxy.parent.com


# (your squid.conf)
#
cache_host proxy.parent.com parent 3128 3130
(2) This message will also appear when ICP queries are sent to multiple addresses. For security, Squid requires the configuration to list the other caches listening on the address group. If an unknown cache listens on that address and sends replies, your cache will log these messages. To fix this, either tell that cache to stop listening on the address or, if it is legitimate, add it to your configuration file.

8 How does Squid work?

8.1 What objects are cached?

Internet objects such as a file, a document, or a response to a query for the following services: FTP, HTTP, or gopher. A client requests an Internet object from the caching proxy; the proxy server obtains the object (either from the host given in the URL or from a parent or sibling cache) and relays it to the client.

8.2 What is the ICP protocol?

ICP is the protocol used for communication between squid caches. The ICP protocol is described in the Internet Cache Protocol draft 2 document, located at http://www.nlanr.net/Cache/ICP/ICP-id.txt.

ICP is primarily used within a cache hierarchy to locate specific objects in sibling caches. If squid does not find the needed document, it sends an ICP query to its sibling caches, which in turn respond with ICP replies of "HIT" or "MISS". The cache then uses the replies to choose which cache to use to resolve its own MISSes.

ICP also supports compound transfers of multiple objects over a single TCP connection. ICP currently runs over UDP. Current versions of Squid also support multiple ICP queries.

8.3 What is dnsserver?

Dnsserver is a process started by squid to resolve domain names to IP addresses. It is needed because the gethostbyname(3) function blocks the calling process until the DNS query is resolved.

Squid's I/O process must not block, so DNS lookups are carried out in a process external to the main one. The dnsserver processes do not cache DNS lookups; squid does that itself.

8.4 What is the ftpget program for?

The ftpget program is an FTP client used for downloading files from FTP servers. Because the FTP protocol is complicated, it is easier to implement it separately from the main squid code.

8.5 FTP PUT does not work

It looks like FTP put does not work through squid. Can this be fixed somehow, and/or is any work being done in this direction?

Not at the moment; supporting it would require an ftpput program.

8.6 What is a cache hierarchy? What are parent and sibling caches?

A cache hierarchy is a structure of caching proxy servers logically arranged as parent/child and sibling nodes, such that the caches closest to the Internet link are parents to those farther from the Internet entry point. Parent caches handle the "misses" of their children. In other words, when a cache requests an object from a parent and the parent does not have it in its cache, the parent cache fetches the object, caches it, and passes it to the child. In this way, a hierarchy achieves maximum offloading of the link, reduces the use of external Internet servers, and yields a higher number of "hits" for child caches, compared with parent caches, thanks to the larger cache of the latter.

Besides parent/child relationships, squid supports the notion of sibling caches, that is, caches at the same level of the hierarchy, intended to distribute the load. Each cache in the hierarchy decides independently where to fetch an object from, whether from a server on the Internet or from a parent or sibling cache, using a simple resolution mechanism. Sibling caches will not fetch an object for another cache at the same level after receiving a "miss" from them.

8.7 What is Squid's cache resolution algorithm?

  1. Send ICP queries to all appropriate sibling caches
  2. Wait for all replies that arrive within the configured time (two seconds by default).
  3. On receiving the first HIT reply, begin fetching the object, or
  4. Fetch the object from the first parent cache that replied MISS (subject to weighting), or
  5. Fetch the object from the Internet
The algorithm becomes somewhat more complicated when a firewall is included in the scheme.

The single_parent_bypass directive prevents ICP queries from being sent when the only appropriate sibling cache is a parent (that is, if there is nowhere else to get the object from, why bother asking?)

8.8 What Squid features are the developers currently working on?

There are several open projects concerning better automatic load balancing, (dynamic and static) selection of parent caches, routing, multiple cache-to-cache requests, and better recognition of URLs that should not be cached.

The current list of future features is available here: http://squid.nlanr.net/Squid/Devel/todo.html.

Developers of future versions should go here: http://squid.nlanr.net/Squid/Devel/.

8.9 Where can I find information on Internet traffic workloads

Workload can be characterized as the burden placed on a system by a user or group of users. Understanding the nature of the workload is very important in managing system performance. If you are interested in Internet traffic workloads, start here: http://www.nlanr.net/NA/.

8.10 What are the benefits of caching in cooperation with the NLANR cache system?

The benefits of hierarchical caching are reduced link load, reduced access time, and better fault tolerance. Upper-level caches serve the requests of those below them. If the average hit rate of an edge cache is 50%, half of all references from the edge caches have to be handled through a second-level cache rather than directly from the origin host. If this second-level cache holds most of the requested documents, there is a gain; but if the upper-level cache most often does not have the needed document, or is overloaded, access time increases instead of decreasing.

8.11 Where can I find information on firewalls?

See the mailing list and FAQ here: http://www.greatcircle.com/firewalls/
$Id: footer,v 1.3 1997/03/13 16:19:52 wessels Exp $