Installing Squid for a Frontier launchpad
Every Frontier launchpad machine runs frontier-squid in addition to a frontier-tomcat. This squid is configured as what is known as a "reverse proxy", which automatically forwards all connections to the backend server process.
Hardware
The hardware requirements for squid on a launchpad tend to be much lower than for a site proxy squid, because the bandwidth and the number of queries requested are usually much lower. That is because launchpads usually have far fewer clients: only other squids rather than worker node jobs. The recommended disk space for launchpads is at least 100GB for squid cache and 60GB for squid logs.
Software
Preparation
It is best if you set the user and group id for squid to be the same as that used for tomcat as described in the InstallSquid Preparation section.
Installation
For installation, use the regular InstallSquid Installation instructions. Increase the file descriptors to 16384 as shown in the section on running out of file descriptors.
It is generally not a good idea to auto-update the application service on a production system. If you have yum auto updates enabled, it is recommended to avoid updating frontier packages that way. Some ways to handle this are:
- Keep the frontier-* rpms in a local mirror repository instead.
- Set enabled=0 in /etc/yum.repos.d/cern-frontier.repo. Then to really upgrade, add the yum install option --enablerepo=cern-frontier.
- Add exclude=frontier-* in /etc/yum.repos.d/cern-frontier.repo. Then when you want to really upgrade, add the yum install option --disableexcludes=cern-frontier.
Configuration
In addition to the regular InstallSquid Configuration instructions, add these /etc/squid/customize.sh entries for launchpads:
setoption("http_port", "8000 accel defaultsite=127.0.0.1:8080 no-vhost")
setoption("cache_peer", "127.0.0.1 parent 8080 0 no-query originserver")
commentout("acl NET_LOCAL src")
commentout("http_access allow NET_LOCAL")
insertline("^http_access deny all", "http_access allow to_localhost")
setoption("read_ahead_gap", "100 MB")
setoption("shutdown_lifetime", "0 seconds")
Also set the default maximum squid per-log size in /etc/sysconfig/frontier-squid as described on the InstallSquid page.
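One way to confirm that the generated squid.conf carries the launchpad settings above, as an added example that is not part of frontier-squid or of the original page. The function name check_launchpad_conf, the sample configurations and the "#" prefix left by commentout are assumptions.

```shell
# Added example, not frontier-squid code: audit a generated squid.conf for the
# launchpad reverse-proxy settings. Reads the file named in $1, or stdin.
check_launchpad_conf() {
    awk '
        function bad(msg) { print "FAIL: " msg; fails++ }
        # Assumption: options disabled by commentout() are left as "#" lines.
        NF == 0 || $1 ~ /^#/ { next }
        $1 == "http_port" {
            if ($0 ~ / accel( |$)/) accel = 1
            else bad("http_port lacks accel: " $0)
        }
        $1 == "cache_peer" {
            if ($2 == "127.0.0.1" && $0 ~ / originserver( |$)/) peer = 1
            else bad("cache_peer is not a local originserver: " $0)
        }
        $1 == "http_access" && $2 == "allow" && $3 == "NET_LOCAL" { bad("NET_LOCAL clients are still allowed") }
        # http_access rules are evaluated in order, so the allow must precede deny all.
        $1 == "http_access" && $2 == "allow" && $3 == "to_localhost" && !deny { allow = 1 }
        $1 == "http_access" && $2 == "deny" && $3 == "all" { deny = 1 }
        END {
            if (!accel) bad("no accel http_port found")
            if (!peer)  bad("no originserver cache_peer found")
            if (!allow) bad("to_localhost is not allowed before deny all")
            if (!deny)  bad("no http_access deny all found")
            exit (fails ? 1 : 0)
        }' "$@"
}

# Constructed sample: the relevant lines after the launchpad entries are applied.
good_conf() {
    printf '%s\n' \
        'http_port 8000 accel defaultsite=127.0.0.1:8080 no-vhost' \
        'cache_peer 127.0.0.1 parent 8080 0 no-query originserver' \
        '# http_access allow NET_LOCAL' \
        'http_access allow to_localhost' \
        'http_access deny all'
}

# Constructed sample: a site-proxy style configuration without those entries.
bad_conf() {
    printf '%s\n' \
        'http_port 3128' \
        'http_access allow NET_LOCAL' \
        'http_access deny all'
}

good_conf | check_launchpad_conf && echo "good_conf: passes"
bad_conf | check_launchpad_conf || echo "bad_conf: rejected"
```

Pass the path of the generated squid.conf as the argument to check a real installation; the Cloudflare variant below also passes, because both http_port lines keep accel.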
Cloudflare configuration
Cloudflare supports only port 8080 (besides 80), so the first difference is to change the tomcat port number to 8880 and change the 8080 in the cache_peer parent line above to 8880. Next, set up the squid for 2 services so the caches can be separately managed. Instead of setting the http_port directly with setserviceoption, use the following:
if ($1 == "http_port") {
    print "if ${service_name} = 0"
    $0 = "http_port 8000 accel defaultsite=127.0.0.1:8880 no-vhost"
    print
    print "else"
    $2 = "8080"
    print
    print "endif"
    $0 = ""
}
In order to set the size of the cache for Cloudflare to a smaller amount than the primary cache, such as 10GB, use the following and set the primary size on the third line:
if ($1 == "cache_dir") {
    print "if ${service_name} = 0"
    $4 = "100000"
    print
    print "else"
    $4 = "10000"
    print
    print "endif"
    $0 = ""
}
Finally, at the very end of the script after the awk script add the following:
cat <<'!EOF!'
if ${service_name} = 1
request_header_add X-Frontier-Opts DontCacheErrors all
endif
!EOF!
Testing
Use the regular InstallSquid Testing instructions, except don't set http_proxy, replace cmsfrontier.cern.ch with the name of your server, and replace FrontierProd with the name of your servlet.
Responsible: DaveDykstra