Getting Squid3 to not cache *.archive.ubuntu.com

[SeijiSensei]

I never use the *.archive.ubuntu.com hosts. The US ones are routinely slower than mirrors. I usually pick either a local university from the mirror list or a high-bandwidth site like mirrors.xx.kernel.org and use that instead. Taking that approach limits the number of IP address for which you'd need to write a rule. For instance, mirrors.us.kernel.org resolves to just two IPs, 149.20.20.135 and 149.20.4.71.

For security.ubuntu.com, I get these IPv4 addresses:

Code:

$ host security.ubuntu.com
security.ubuntu.com has address 91.189.92.201
security.ubuntu.com has address 91.189.92.202
security.ubuntu.com has address 91.189.91.13
security.ubuntu.com has address 91.189.91.14
security.ubuntu.com has address 91.189.91.15
security.ubuntu.com has address 91.189.92.181
security.ubuntu.com has address 91.189.92.184
security.ubuntu.com has address 91.189.92.190

Rather than writing separate rules for each host, I'd just route 91.189.91.0/24 and 91.189.92.0/24 around the Squid proxy using the method I described above.

[Lars Noodén]

Here are the three ways I am trying within squid. Maybe I have made a mistake with them because even with these rules APT is still hitting the cache.

Code:

acl ubuntu dstdomain security.ubuntu.com
acl ubuntu dstdomain extras.ubuntu.com
acl ubuntu dstdomain fi.archive.ubuntu.com
always_direct allow ubuntu
cache deny ubuntu

acl straight_through dstdomain security.ubuntu.com
acl straight_through dstdomain extras.ubuntu.com
acl straight_through dstdomain fi.archive.ubuntu.com
cache deny straight_through

acl NO-CACHE-SITES dstdomain "/etc/squid/not-to-cache-sites.txt"
cache deny NO-CACHE-SITES

'/etc/squid/not-to-cache-sites.txt' contains the above domains.

extras and security don't seem to have as much trouble with proxying as *.archive.ubuntu.com does. Have I written it correctly?

[koenn]

Here are the three ways I am trying within squid. Maybe I have made a mistake with them because even with these rules APT is still hitting the cache.

Code:

acl NO-CACHE-SITES dstdomain "/etc/squid/not-to-cache-sites.txt"
cache deny NO-CACHE-SITES

'/etc/squid/not-to-cache-sites.txt' contains the above domains.

extras and security don't seem to have as much trouble with proxying as *.archive.ubuntu.com does. Have I written it correctly?

I don't see '*.archive.ubuntu.com' in your post. In any case, squid doesn't require a wildcard * ; '.archive.ubuntu.com' matches all hosts aans subdomains in the given domain (note the leading dot)

You should also distinguish between proxy and cache : I don't think you can bypass the proxy since your iptables will redirect the traffic towards it. The only thing you control is how squid handles the requests


Other idea :
While aimlesly wandering around, i came across this :

Code:

disable-pmtu-discovery=
			Control Path-MTU discovery usage:
			    off		lets OS decide on what to do (default).
			    transparent	disable PMTU discovery when transparent
					support is enabled.
			    always	disable always PMTU discovery.

			In many setups of transparently intercepting proxies
			Path-MTU discovery can not work on traffic towards the
			clients. This is the case when the intercepting device
			does not fully track connections and fails to forward
			ICMP must fragment messages to the cache server. If you
			have such setup and experience that certain clients
			sporadically hang or never complete requests set
			disable-pmtu-discovery option to 'transparent'.

it's an option to "port",
http://www.squid-cache.org/Versions/...http_port.html

assuming apt or the linux tcp/ip stack tries to do download optimizations wrt MTU discovery or something along those lines, a proxy interfering with MTU discovery (and the client being unaware of this situation because of the transparent redirect) might be what"s causing apt-get to hang. Meybe it's worth a shot.

[Lars Noodén]

I've restore the domain to .archive.ubuntu.com

disable-pmtu-discovery sounds like it has potential. Would the syntax for the option be like this?

http_port 127.0.0.1:3128 intercept disable-pmtu-discovery=transparent

[koenn]

Would the syntax for the option be like this?

http_port 127.0.0.1:3128 intercept disable-pmtu-discovery=transparent

that's also what i understood from that manual.
check what version of squid you're using too, apparently a lot is new in squid3; i don't know what the current version in Ubuntu is.

[Lars Noodén]

Only the client is Lubuntu. Squid is ver 3.2.11 on OpenBSD 5.3-stable.

I have another client running Debian Wheezy and it also doesn't like running APT through Squid. Both it and Lubuntu get stuck during 'apt-get update'