delay pool not workin

Alex Gutiérrez Martínez

Could someone be so kind as to explain to me why my rules do not work on my delay pools?


I have this ACL "lento", which in Spanish means slow:

acl lento url_regex -i "/etc/squid3/bloqueo/lento"

Its format is the following:


.youtube.com

.facebook.com


My delay config is the following:


###############################################################################
#Delay#
###############################################################################
delay_pools 3

#Channel 1: extensions.
delay_class 1 2
delay_parameters 1 32768/32768 32768/32768
delay_access 1 deny !sociales lento navegacion !extensiones
#delay_access 1 deny all

#Channel 2 for users.
delay_class 2 2
delay_parameters 2 65536/65536 32768/32768
delay_access 2 deny !navegacion extensiones lento sociales
#delay_access 2 deny all

#Channel 2 for users.
delay_class 3 1
delay_parameters 3 16384/16384
delay_access 3 deny extensiones navegacion sociales !lento
#delay_access 2 deny all



My problem is simple: in my sqstat, the URLs of "lento" show 0 for the delay parameter. I do not understand why this happens; the program should show 3.


Thanks in advance

-- 
Saludos Cordiales

Lic. Alex Gutiérrez Martínez

Tel. +53 7 2710327

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: delay pool not workin

Amos Jeffries
Administrator
On 22/09/17 09:07, Alex Gutiérrez Martínez wrote:

> Could someone be so kind as to explain to me why my rules do not work on
> my delay pools?
>
>
> I have this ACL "lento", which in Spanish means slow:
>
> acl lento url_regex -i "/etc/squid3/bloqueo/lento"
>
> Its format is the following:
>
>
> .youtube.com
>
> .facebook.com
>

First problem: you are putting domains in dstdomain format into a
full-URL regex ACL.

Use dstdomain ACL type for these. Much faster.


>
> My delay config is the following:
>
>
> ###############################################################################
> #Delay#
> ###############################################################################
> delay_pools 3
>
> #Channel 1: extensions.
> delay_class 1 2
> delay_parameters 1 32768/32768 32768/32768
> delay_access 1 deny !sociales lento navegacion !extensiones
> #delay_access 1 deny all
>
> #Channel 2 for users.
> delay_class 2 2
> delay_parameters 2 65536/65536 32768/32768
> delay_access 2 deny !navegacion extensiones lento sociales
> #delay_access 2 deny all
>
> #Channel 2 for users.
> delay_class 3 1
> delay_parameters 3 16384/16384
> delay_access 3 deny extensiones navegacion sociales !lento
> #delay_access 2 deny all
>
>

Second problem: deny, deny all. Nothing allowed to use these pools.


Amos

Re: delay pool not workin

Alex Gutiérrez Martínez
In reply to this post by Alex Gutiérrez Martínez
Thanks again, Mr. Jeffries. I changed my delay config to:

acl navegación src 192.168.9.0/24

acl lento dstdomain "/etc/squid3/bloqueo/lento"   -->     .youtube.com

acl sociales dstdomain "/etc/squid3/bloqueo/sociales"  --> .linkedin.com

acl correos dstdomain "/etc/squid3/bloqueo/correos" -->.mail.yahoo.com

acl extensiones urlpath_regex -i "/etc/squid3/bloqueo/listaextensiones" --> \.mkv$

delay_pools 3

#Channel 1: extensions.
delay_class 1 1
delay_parameters 1 32768/32768
delay_access 1 allow extensiones !navegacion !lento !sociales !correos
delay_access 1 deny all

#Channel 2 for users.
delay_class 2 1
delay_parameters 2 65536/65536
delay_access 2 allow navegacion !lento !sociales !correos !extensiones
delay_access 2 deny all

#Channel 3 for slow things.
delay_class 3 1
delay_parameters 3 8192/16384
delay_access 3 allow lento sociales correos !navegacion !extensiones
delay_access 3 deny all

But my sqstat shows the use of delay pool #2; #1 and #3 are disabled. On YouTube it shows delay_pool=0.

I put the following configuration but I was unable to make it work. Again, delay pool #2 was the only one that worked this time.


delay_pools 3
Processing: delay_class 1 1
delay_parameters 1 32768/32768
delay_access 1 allow extensiones !navegacion !lento !sociales !correos
delay_class 2 1
delay_parameters 2 65536/65536
delay_access 2 allow navegacion !lento !sociales !correos !extensiones
delay_class 3 1
delay_parameters 3 8192/16384
delay_access 3 allow lento sociales correos !navegacion !extensiones

I'm using Squid 3.3.8 on Ubuntu 14.04.
-- 
Saludos Cordiales

Lic. Alex Gutiérrez Martínez

Tel. +53 7 2710327


Re: delay pool not workin

Amos Jeffries
Administrator
On 23/09/17 02:31, Alex Gutiérrez Martínez wrote:
> Could someone be so kind as to explain to me why my rules do not work on
> my delay pools?
>
...

>
> Thanks again, Mr. Jeffries. I changed my delay config to:
>
> acl navegación src 192.168.9.0/24
>
> acl lento dstdomain "/etc/squid3/bloqueo/lento"   --> .youtube.com
>
> acl sociales dstdomain "/etc/squid3/bloqueo/sociales"  --> .linkedin.com
>
> acl correos dstdomain "/etc/squid3/bloqueo/correos" -->.mail.yahoo.com
>
> acl extensiones urlpath_regex -i "/etc/squid3/bloqueo/listaextensiones"
> --> \.mkv$
>
> delay_pools 3
>
> #Channel 1: extensions.
> delay_class 1 1
> delay_parameters 1 32768/32768
> delay_access 1 allow extensiones !navegacion !lento !sociales !correos
> delay_access 1 deny all
>
> #Channel 2 for users.
> delay_class 2 1
> delay_parameters 2 65536/65536
> delay_access 2 allow navegacion !lento !sociales !correos !extensiones
> delay_access 2 deny all
>
> #Channel 3 for slow things.
> delay_class 3 1
> delay_parameters 3 8192/16384
> delay_access 3 allow lento sociales correos !navegacion !extensiones
> delay_access 3 deny all
>
> But my sqstat shows the use of delay pool #2; #1 and #3 are disabled.
> On YouTube it shows delay_pool=0.
>
> I put the following configuration but I was unable to make it work.
> Again, delay pool #2 was the only one that worked this time.


Pool #3 requires the domain name of a single transaction to
simultaneously be *mail.yahoo.com AND *.linkedin.com AND *.youtube.com.
Obviously that is impossible, so nothing can match the line that allows.

Pool #1 should match a few things. But probably not what you are testing
with.

I suggest you try to re-write your ACLs in a simpler way with less '!'
(not) modifiers. The way you are compressing lots of things into each
line is no faster than multiple lines, but much harder to understand
what is going on.


Amos
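
The evaluation described in the reply above, modelled as an added example (not code from the thread or from Squid): every ACL on one delay_access line must match, lines are tried top to bottom, and pools are tried in order with the first pool that allows the request selected. The sample requests are constructed, each ACL file is assumed to hold only the one entry shown in the post, the src ACL is spelled navegacion as in the delay_access lines, and a return value of 0 stands for "no pool".

```python
import ipaddress
import re

# ACLs from the post; each file is assumed to contain only the entry shown.
ACLS = {
    "navegacion":  ("src", "192.168.9.0/24"),
    "lento":       ("dstdomain", ".youtube.com"),
    "sociales":    ("dstdomain", ".linkedin.com"),
    "correos":     ("dstdomain", ".mail.yahoo.com"),
    "extensiones": ("urlpath_regex_i", r"\.mkv$"),
}

# delay_access lines per pool, in the order they appear in the post.
DELAY_ACCESS = {
    1: [("allow", "extensiones !navegacion !lento !sociales !correos"), ("deny", "all")],
    2: [("allow", "navegacion !lento !sociales !correos !extensiones"), ("deny", "all")],
    3: [("allow", "lento sociales correos !navegacion !extensiones"), ("deny", "all")],
}

# Constructed sample requests (not taken from any log in the thread).
SAMPLES = {
    "youtube_lan": {"client": "192.168.9.20", "host": "www.youtube.com", "path": "/watch"},
    "web_lan":     {"client": "192.168.9.20", "host": "example.org", "path": "/index.html"},
    "mkv_lan":     {"client": "192.168.9.20", "host": "example.org", "path": "/video.mkv"},
    "mkv_outside": {"client": "10.0.0.5", "host": "example.org", "path": "/video.MKV"},
}


def acl_matches(name, req):
    if name == "all":
        return True
    kind, value = ACLS[name]
    if kind == "src":
        return ipaddress.ip_address(req["client"]) in ipaddress.ip_network(value)
    if kind == "dstdomain":
        # A leading dot matches the domain itself and any subdomain.
        host = req["host"].lower()
        return host == value[1:] or host.endswith(value)
    if kind == "urlpath_regex_i":
        return re.search(value, req["path"], re.IGNORECASE) is not None
    raise ValueError(f"unknown ACL type: {kind}")


def line_matches(acl_list, req):
    # All ACLs on one line are ANDed; a leading "!" negates that ACL.
    return all(
        acl_matches(tok.lstrip("!"), req) != tok.startswith("!")
        for tok in acl_list.split()
    )


def select_pool(req):
    # Pools are checked in numeric order; the first one that allows wins.
    for pool in sorted(DELAY_ACCESS):
        for action, acl_list in DELAY_ACCESS[pool]:
            if line_matches(acl_list, req):
                if action == "allow":
                    return pool
                break  # first matching line decides; here that is "deny all"
    return 0  # no pool allowed the request, so it is not delayed
```

With these rules a YouTube request from 192.168.9.0/24 is excluded from pool 2 by `!lento` and can never satisfy pool 3's allow line, so it ends up in no pool, while ordinary browsing from the same network lands in pool 2.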
|

Re: delay pool not workin

Heiler Bemerguy
Amos, talking about delay pools, I have a question: does it work if the
content being served is on a cache peer?

I think it only "shapes" traffic from a SERVER to squid, right? not from
a peer cache to squid.. :/

I'm having problems because we use a huge Microsoft Updates repository
as a cache peer and whenever a client on a 512kbit/s link (!!!!!!!!!)
starts his box, all the link is flooded with updates from us to it.

htcp_access allow localnet
acl wu dstdom_regex \.download\.windowsupdate\.com$
acl wu-rejects dstdom_regex stats
acl GET method GET
cache_peer 10.1.10.10 parent 8081 0 proxy-only no-tproxy no-digest no-query no-netdb-exchange name=ms1
cache_peer_access ms1 allow GET wu !wu-rejects
cache_peer_access ms1 deny all
never_direct allow GET wu !wu-rejects
never_direct deny all
cache deny wu
cache allow all

prefer_direct off

acl srcdaico src 10.71.0.0/16
delay_pools 1
delay_class 1 3
delay_access 1 allow srcdaico !dstlocal
delay_access 1 deny all
delay_parameters 1 -1/-1 -1/-1 16000/16000


--
Atenciosamente / Best Regards,

Heiler Bemerguy
Network Manager - CINBESA
55 91 98151-4894/3184-1751



Re: delay pool not workin

Alex Gutiérrez Martínez
In reply to this post by Alex Gutiérrez Martínez
Mr. Jeffries, I rewrote my ACLs in these ways:

# 1

#######################################################################

delay_pools 5

#Channel 1: extensions.
delay_class 1 2
delay_access 1 allow extensiones
delay_access 1 deny navegacion lento sociales correos
delay_access 1 deny all
delay_parameters 1 16384/32768 32768/32768

#Channel 2 for users.
delay_class 2 1
delay_access 2 allow navegacion
delay_access 2 deny lento sociales correos extensiones
delay_access 2 deny all
delay_parameters 2 65536/65536

#Channel 3 for slow things.
delay_class 3 2
delay_access 3 allow lento
delay_access 3 deny navegacion extensiones sociales correos
delay_access 3 deny all
delay_parameters 3 4096/8192 8192/16384

#Channel 4: social
delay_class 4 2
delay_access 4 allow sociales
delay_access 4 deny navegacion extensiones lento correos
delay_access 4 deny all
delay_parameters 4 4096/8192 8192/16384

#Channel 5: mail
delay_class 5 2
delay_access 5 allow correos
delay_access 5 deny navegacion extensiones lento sociales
delay_access 5 deny all
delay_parameters 5 4096/8192 8192/16384

##############################################

#2

###################################################

delay_pools 5

#Channel 1: extensions.
delay_class 1 2
delay_access 1 allow extensiones !navegacion !lento !sociales !correos
delay_access 1 deny all
delay_parameters 1 16384/32768 32768/32768

#Channel 2 for users.
delay_class 2 1
delay_access 2 allow navegacion !lento !sociales !correos !extensiones
delay_access 2 deny all
delay_parameters 2 65536/65536

#Channel 3 for slow things.
delay_class 3 2
delay_access 3 allow lento !navegacion !extensiones !sociales !correos
delay_access 3 deny all
delay_parameters 3 4096/8192 8192/16384

#Channel 4: social
delay_class 4 2
delay_access 4 allow sociales !navegacion !extensiones !lento !correos
delay_access 4 deny all
delay_parameters 4 4096/8192 8192/16384

#Channel 5: mail
delay_class 5 2
delay_access 5 allow correos !navegacion !extensiones !lento !sociales
delay_access 5 deny all
delay_parameters 5 4096/8192 8192/16384

#####################################################

#3

#######################################################

delay_pools 5

#Channel 1: extensions.
delay_class 1 2
delay_access 1 allow extensiones
delay_access 1 deny all
delay_parameters 1 16384/32768 32768/32768

#Channel 2 for users.
delay_class 2 1
delay_access 2 allow navegacion
delay_access 2 deny all
delay_parameters 2 65536/65536

#Channel 3 for slow things.
delay_class 3 2
delay_access 3 allow lento
delay_access 3 deny all
delay_parameters 3 4096/8192 8192/16384

#Channel 4: social
delay_class 4 2
delay_access 4 allow sociales
delay_access 4 deny all
delay_parameters 4 4096/8192 8192/16384

#Channel 5: mail
delay_class 5 2
delay_access 5 allow correos
delay_access 5 deny all
delay_parameters 5 4096/8192 8192/16384
####################################################


Every request fails; only delay pool 2 is in use, except for example #2,
in which case every request was transferred to delay pool #1.

Any suggestions?

--
Saludos Cordiales

Lic. Alex Gutiérrez Martínez

Tel. +53 7 2710327




Re: delay pool not workin

Amos Jeffries
Administrator
In reply to this post by Heiler Bemerguy
On 23/09/17 03:48, Heiler Bemerguy wrote:
> Amos, talking about delay pools, I have a question: does it work if the
> content being served is on a cache peer?
>

It should, yes. Peers are no different than any other server in terms of
I/O bytes.

The only thing I'm aware of in current Squid is maybe bugs with CONNECT
tunnels. Older Squid the pools were a bit broken - I've not had any
recent feedback about those bugs, some are still open but may have been
fixed as side effects of other changes.


> I think it only "shapes" traffic from a SERVER to squid, right? not from
> a peer cache to squid.. :/

Peer is just a server with some statically configured parameters -
traffic format, routing ACLs, etc.

>
> I'm having problems because we use a huge Microsoft Updates repository
> as a cache peer and whenever a client on a 512kbit/s link (!!!!!!!!!)
> starts his box, all the link is flooded with updates from us to it.

WU .cab files should be cacheable objects. Delay pools do not apply to
HIT traffic, and REFRESH traffic is intentionally *much* smaller in
terms of bytes to the server. So you can end up with delay pool shaping
1-2 KB of Squid<->server data and the client receiving GB sized files.




> htcp_access allow localnet
> acl wu dstdom_regex \.download\.windowsupdate\.com$

Sigh. The above is a complex and CPU intensive way to write:

  acl wu dstdomain .download.windowsupdate.com


Rule of thumb: when there is an alternative - avoid regex.


> acl wu-rejects dstdom_regex stats
> acl GET method GET
> cache_peer 10.1.10.10 parent 8081 0 proxy-only no-tproxy no-digest no-query no-netdb-exchange name=ms1
> cache_peer_access ms1 allow GET wu !wu-rejects
> cache_peer_access ms1 deny all
> never_direct allow GET wu !wu-rejects
> never_direct deny all
> cache deny wu
> cache allow all
>
> prefer_direct off
>
> acl srcdaico src 10.71.0.0/16
> delay_pools 1
> delay_class 1 3
> delay_access 1 allow srcdaico !dstlocal

I suspect this dstlocal is the reason for the peer not being delayed.
Check that the peer IP is not in any of its ranges.

Amos

Re: delay pool not workin

Amos Jeffries
Administrator
In reply to this post by Alex Gutiérrez Martínez
On 23/09/17 04:30, Alex Gutiérrez Martínez wrote:

> Pool #3 requires the domain name of a single transaction to
> simultaneously be *mail.yahoo.com AND *.linkedin.com AND *.youtube.com.
> Obviously that is impossible, so nothing can match the line that allows.
>
> Pool #1 should match a few things. But probably not what you are testing
> with.
>
> I suggest you try to re-write your ACLs in a simpler way with less '!'
> (not) modifiers. The way you are compressing lots of things into each
> line is no faster than multiple lines, but much harder to understand
> what is going on.
>
> #######################################################################
> #######################################################################
> #######################################################################
> #######################################################################
>
> Mr. Jeffries, I rewrote my ACLs in these ways:
>
...
>
> Every request fails; only delay pool 2 is in use, except for example #2,
> in which case every request was transferred to delay pool #1.
>
> Any suggestions?
>

Let's go back to the beginning:

Write out your policy rules in human words for me please, then we can
simplify that version of them before converting to Squid ACLs.

Amos