Installing Squid for a Frontier launchpad

Every Frontier launchpad machine runs frontier-squid in addition to a frontier-tomcat. This squid is configured as what is known as a "reverse proxy", which automatically forwards all connections to the backend server process.

Hardware

The hardware requirements for squid on a launchpad tend to be much lower than on a site proxy squid, because the bandwidth and the number of queries requested are usually much lower. That is because launchpads usually have far fewer clients: only other squids rather than worker node jobs. The recommended disk space for launchpads is at least 100GB for squid cache and 60GB for squid logs.

Software

Preparation

It is best if you set the user and group id for squid to be the same as that used for tomcat as described in the InstallSquid Preparation section.

Installation

For installation, use the regular InstallSquid Installation instructions. Increase the file descriptors to 16384 as shown in the section on running out of file descriptors.

It is generally not a good idea to automatically update the application service on a production system. If you have yum auto updates enabled, it is recommended to avoid updating the frontier packages that way. Some ways to handle this are:

  • Keep the frontier-* rpms in a local mirror repository instead
  • Set enabled=0 in /etc/yum.repos.d/cern-frontier.repo. Then to really upgrade, add the yum install option --enablerepo=cern-frontier.
  • Add exclude=frontier-* in /etc/yum.repos.d/cern-frontier.repo. Then when you want to really upgrade, add the yum install option --disableexcludes=cern-frontier.

Configuration

In addition to the regular InstallSquid Configuration instructions, add these /etc/squid/customize.sh entries for launchpads:

    setoption("http_port", "8000 accel defaultsite=127.0.0.1:8080 no-vhost")
    setoption("cache_peer", "127.0.0.1 parent 8080 0 no-query originserver")
    commentout("acl NET_LOCAL src")
    commentout("http_access allow NET_LOCAL")
    insertline("^http_access deny all", "http_access allow to_localhost")
    setoption("read_ahead_gap", "100 MB")
    setoption("shutdown_lifetime", "0 seconds")

Also set the default maximum squid per-log size in /etc/sysconfig/frontier-squid as described on the InstallSquid page.
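
One way to confirm that the generated squid.conf carries the launchpad entries above and no longer has an active http_access allow NET_LOCAL rule (an added example, not part of the Frontier documentation; the function name and the sample configuration lines are constructed, and the check covers the base launchpad entries only, not the Cloudflare variant):

```bash
#!/bin/bash
# Added example, not part of the Frontier documentation.
# Audits a squid.conf (file argument or stdin) for the launchpad entries above.
# Prints one line per problem and returns 0 only when none are found.
audit_launchpad_conf() {
    awk '
        function bad(msg) { print "PROBLEM: " msg; problems++ }
        /^[ \t]*(#|$)/ { next }    # ignore comments and blank lines
        $1 == "http_port" && /[ \t]accel([ \t]|$)/ { accel = 1 }
        $1 == "cache_peer" && $2 == "127.0.0.1" && /[ \t]originserver([ \t]|$)/ { origin = 1 }
        $1 == "http_access" && $2 == "allow" && $3 == "NET_LOCAL" {
            bad("clients in NET_LOCAL are still allowed: " $0)
        }
        # The allow rule only counts if it comes before the final deny.
        $1 == "http_access" && $2 == "allow" && $3 == "to_localhost" && !deny { tolocal = 1 }
        $1 == "http_access" && $2 == "deny" && $3 == "all" { deny = 1 }
        END {
            if (!accel)   bad("no http_port line in accel (reverse proxy) mode")
            if (!origin)  bad("no cache_peer originserver on 127.0.0.1")
            if (!tolocal) bad("http_access allow to_localhost missing or after deny all")
            if (!deny)    bad("no http_access deny all")
            exit (problems > 0)
        }
    ' "${1:--}"
}

# Constructed sample: relevant lines of a squid.conf after the launchpad entries.
sample_good() {
    cat <<'EOF'
http_port 8000 accel defaultsite=127.0.0.1:8080 no-vhost
cache_peer 127.0.0.1 parent 8080 0 no-query originserver
# acl NET_LOCAL src 10.0.0.0/8
# http_access allow NET_LOCAL
http_access allow to_localhost
http_access deny all
EOF
}

# Constructed sample: site-proxy style rules left in place on a launchpad.
sample_bad() {
    cat <<'EOF'
http_port 3128
acl NET_LOCAL src 10.0.0.0/8
http_access allow NET_LOCAL
http_access deny all
EOF
}

sample_good | audit_launchpad_conf && echo "launchpad sample: ok"
sample_bad | audit_launchpad_conf || echo "site-proxy sample: rejected"
```

On a real machine, pass the path of the generated squid.conf as the argument instead of piping a sample.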

Cloudflare configuration

Cloudflare supports only port 8080 (besides 80), so the first difference is to change the tomcat port number to 8880 and change the 8080 in the cache_peer parent line above to 8880. Next, set up the squid for 2 services so the caches can be separately managed. Instead of setting the http_port directly with setserviceoption, use the following:

if ($1 == "http_port") {
    print "if ${service_name} = 0"
    $0 = "http_port 8000 accel defaultsite=127.0.0.1:8880 no-vhost"
    print
    print "else"
    $2 = "8080"
    print
    print "endif"
    $0 = ""
}

In order to set the size of the cache for Cloudflare to a smaller amount than the primary cache, such as 10GB, use the following and set the primary size on the third line:

if ($1 == "cache_dir") {
    print "if ${service_name} = 0"
    $4 = "100000"
    print
    print "else"
    $4 = "10000"
    print
    print "endif"
    $0 = ""
}

Finally, at the very end of the script after the awk script add the following:

cat <<'!EOF!'
if ${service_name} = 1
request_header_add X-Frontier-Opts DontCacheErrors all
endif
!EOF!

Testing

Use the regular InstallSquid Testing instructions, except don't set http_proxy, replace cmsfrontier.cern.ch with the name of your server, and replace FrontierProd with the name of your servlet.

Responsible: DaveDykstra

Topic revision: r11 - 2020-01-02 - DaveDykstra
 