Nazaretyan's blog - blog about everything ....

8 Dec 2009

Squid + Apache = good cache, protection from DDoS

Just reconfigured my webserver running on localhost :) Why?

Read on ....

1. What is the best practice for good performance? CACHE! If the webserver already knows where a file (image, song, swf, etc.) lives on disk and has opened it once for one client, why should the webserver open it a second time for the next client? Serving those objects from a cache in front of Apache gives a real lift in performance if you are running a heavy site with lots of pictures. One caveat: a shared cache hands the same object to every client, so it is only safe for content that is genuinely public. The QUERY acl in the config below keeps CGI and query-string URLs out of the cache, and Apache must mark personalised pages Cache-Control: private or no-cache so Squid never stores them.

2. What is the best program for handling many simple GET/POST/CONNECT requests? Squid, a caching proxy server running under Linux that uses the full power of the Linux filesystem to build its cache and keep it fast :)

I just made a hybrid combination of my Squid (running on port 80 of the public address) and Apache (running on 127.0.0.1:80).

Here is the simple config of my Squid:

# Squid listens on the public address. In Squid 2.6/2.7 "transparent" means
# the origin is taken from the request's Host header; with hosts_file below,
# a Host that /etc/hosts maps to 127.0.0.1 lands on Apache. Squid 2.6+ also
# has "http_port ... accel" plus "cache_peer 127.0.0.1 parent 80 0 originserver"
# for exactly this job, and Squid 3.1 renamed "transparent" to "intercept"
# (which expects a NAT redirect in front), so on newer Squid use accel mode.
http_port 62.75.250.93:80 transparent

# No ICP/HTCP: there are no sibling caches to talk to.
icp_port 0
htcp_port 0
hierarchy_stoplist cgi-bin ?
# Never cache CGI output or URLs with a query string. Everything else that
# Apache marks cacheable is shared between all clients.
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

# Watermarks are percentages of the cache_dir size. The original 64/128 was
# out of range: 128% is never reached, so eviction would never start.
cache_swap_low 90
cache_swap_high 95

maximum_object_size 2048 KB

cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
fqdncache_size 2048

# 2000 MB, 11x11 subdirectories. /tmp is world-writable and is often wiped
# at boot; /var/spool/squid, owned by the cache_effective_user, is the usual
# place.
cache_dir ufs /tmp/squid 2000 11 11
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /dev/null

# Names are resolved through /etc/hosts first, which is how the site name
# maps to 127.0.0.1 (see the /etc/hosts note under the Apache step).
hosts_file /etc/hosts
dns_nameservers  127.0.0.1

# regex  min-age (minutes)  percent  max-age (minutes)
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320

peer_connect_timeout 30 seconds

acl all src 0.0.0.0/0.0.0.0
# "site" matches only requests whose destination resolves to loopback. It is
# what stops Squid from being an open proxy for arbitrary Host headers.
acl site dst 127.0.0.1/32

# At most 20 established connections per client IP (see the note at the end).
acl max_con maxconn 20
http_access deny max_con

# Explicit allow/deny instead of relying on Squid's "opposite of the last
# rule" default: only traffic destined for the local Apache gets through.
http_access allow site
http_access deny all
http_reply_access allow site
http_reply_access deny all
icp_access deny all
miss_access allow site
miss_access deny all

# Pass the client address to Apache in X-Forwarded-For. With this off every
# Apache log line shows 127.0.0.1 and the real source is only in Squid's
# access.log.
forwarded_for on

cache_effective_user proxy
cache_effective_group proxy

visible_hostname  Wishmaster

cache_mgr moushegh@nazaretyan.com

# No cache_peer is defined, so every miss goes straight to the resolved origin.
always_direct allow all
never_direct deny all

On Apache you just need to change the VirtualHost and Listen to 127.0.0.1:80 (remember to add your hostname to the 127.0.0.1 line in /etc/hosts, because that is how Squid finds Apache). Binding Apache to loopback only is what forces every client through Squid and its connection limit, so check with netstat that nothing is still listening on the public address. Apache's log will then show 127.0.0.1 as the client unless Squid sends X-Forwarded-For and you log %{X-Forwarded-For}i.
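The three properties this setup relies on (Apache reachable only via loopback, Squid not usable as an open proxy, static objects actually served from the cache) are easy to check from a shell. The script below is an added example, not code from the original post; PUBLIC_IP, SITE_HOST and STATIC_PATH are assumed values for illustration and can be overridden from the environment, and example.org is used only as a hostname that will not resolve to 127.0.0.1. The header-parsing helpers are separated from the network calls so they can be exercised without a running server.

```shell
#!/bin/sh
# Added example, not part of the original post: smoke-test the Squid -> Apache
# accelerator described above. PUBLIC_IP, SITE_HOST and STATIC_PATH are
# assumed values for illustration; override them from the environment.
PUBLIC_IP="${PUBLIC_IP:-62.75.250.93}"
SITE_HOST="${SITE_HOST:-www.example.com}"
STATIC_PATH="${STATIC_PATH:-/img/logo.png}"

# Read HTTP response headers on stdin and print Squid's X-Cache verdict
# (HIT or MISS; Squid 2.6+ adds "X-Cache: HIT from <visible_hostname>").
cache_status_from_headers() {
    awk '{ sub(/\r$/, "") }
         tolower($1) == "x-cache:" { print toupper($2); found = 1 }
         END { if (!found) print "UNKNOWN" }'
}

# Read HTTP response headers on stdin and print the status code of the
# first status line.
http_status_from_headers() {
    awk 'NR == 1 && $1 ~ /^HTTP\// { print $2 }'
}

# 1. Apache must listen on 127.0.0.1 only; a socket on 0.0.0.0:80 or on the
#    public address lets clients bypass Squid and its maxconn limit entirely.
#    Prints offending listeners; empty output is the good result.
check_apache_bind() {
    { ss -ltn 2>/dev/null || netstat -ltn 2>/dev/null; } \
        | awk '/:80[ \t]/ && !/127\.0\.0\.1:80[ \t]/'
}

# 2. Squid must not be an open proxy: a Host header that does not resolve to
#    127.0.0.1 fails the "site" dst ACL, so the expected answer is 403.
check_not_open_proxy() {
    curl -s -D - -o /dev/null -H "Host: example.org" "http://$PUBLIC_IP/" \
        | http_status_from_headers
}

# 3. A static object fetched twice should come from Squid's cache the second
#    time (expected: HIT).
check_cache_hit() {
    curl -s -o /dev/null -H "Host: $SITE_HOST" "http://$PUBLIC_IP$STATIC_PATH"
    curl -s -D - -o /dev/null -H "Host: $SITE_HOST" "http://$PUBLIC_IP$STATIC_PATH" \
        | cache_status_from_headers
}

# The live checks need the real server, so they only run on request:
#   RUN_LIVE_CHECKS=1 sh check-accel.sh
if [ "${RUN_LIVE_CHECKS:-0}" = "1" ]; then
    echo "apache listeners outside loopback:"; check_apache_bind
    echo "open-proxy probe status (want 403): $(check_not_open_proxy)"
    echo "second fetch of $STATIC_PATH (want HIT): $(check_cache_hit)"
fi
```

A 200 on the open-proxy probe means the dst ACL is not doing its job and the box will relay traffic for anyone; a MISS on the second fetch usually means Apache is sending headers (Cache-Control: private, Set-Cookie, no Last-Modified) that make the object uncacheable.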

max_con is an acl that will not allow more than 20 concurrent connections from one IP, which caps what a single source can do with an HTTP GET flood. Be clear about what it does not do: maxconn counts established TCP connections to Squid, so it does nothing against a SYN flood, which never completes the handshake (that is the kernel's job, e.g. net.ipv4.tcp_syncookies=1 on Linux), and it does not help against a flood spread over many source addresses. Also, users behind one NAT gateway share an IP and browsers open several connections per host, so a limit of 20 can lock out legitimate users; watch access.log for TCP_DENIED/403 from real visitors before tightening it further.
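Since Squid logs every maxconn refusal as TCP_DENIED/403 in its native access.log, the log is the place to see whether the limit is catching a flood or hitting real users. The script below is an added example, not from the original post: it summarises cache effectiveness, finds the peak request rate per client per minute, lists clients that were refused repeatedly, and prints (does not run) the iptables rules that would drop them at the packet filter, where the connection is stopped before it costs Squid a slot. The log lines are constructed for the example and use RFC 5737 documentation addresses; the field layout is Squid's native format (time elapsed client code/status bytes method URL ident hierarchy/peer type).

```shell
#!/bin/sh
# Added example, not part of the original post: spot flooding clients in
# Squid's native access.log. Field layout of a native log line:
#   time elapsed client code/status bytes method URL ident hierarchy/peer type
# TCP_DENIED/403 is what Squid logs when http_access (here: maxconn) says no.

# Constructed sample log for this example (RFC 5737 addresses, not real clients).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
1260272400.101     42 203.0.113.5 TCP_MISS/200 5120 GET http://www.example.com/ - DIRECT/127.0.0.1 text/html
1260272400.233      3 203.0.113.5 TCP_HIT/200 23456 GET http://www.example.com/img/logo.png - NONE/- image/png
1260272400.240      2 203.0.113.5 TCP_MEM_HIT/200 1843 GET http://www.example.com/css/site.css - NONE/- text/css
1260272401.010      1 203.0.113.5 TCP_IMS_HIT/304 250 GET http://www.example.com/img/logo.png - NONE/- image/png
1260272401.500     38 203.0.113.5 TCP_MISS/200 4096 GET http://www.example.com/news/ - DIRECT/127.0.0.1 text/html
1260272402.001     40 198.51.100.7 TCP_MISS/200 5120 GET http://www.example.com/ - DIRECT/127.0.0.1 text/html
1260272402.002      0 198.51.100.7 TCP_DENIED/403 1416 GET http://www.example.com/ - NONE/- text/html
1260272402.003      0 198.51.100.7 TCP_DENIED/403 1416 GET http://www.example.com/ - NONE/- text/html
1260272402.004      0 198.51.100.7 TCP_DENIED/403 1416 GET http://www.example.com/ - NONE/- text/html
1260272402.005      0 198.51.100.7 TCP_DENIED/403 1416 GET http://www.example.com/ - NONE/- text/html
1260272403.100      2 203.0.113.9 TCP_HIT/200 23456 GET http://www.example.com/img/logo.png - NONE/- image/png
EOF

# Cache efficiency: requests answered without going to Apache vs. those that
# went to the origin. Denied requests count as neither.
hit_ratio() {
    awk '$4 ~ /^TCP_[A-Z_]*HIT\//  { hit++ }
         $4 ~ /^TCP_[A-Z_]*MISS\// { miss++ }
         END { printf "hits=%d misses=%d\n", hit, miss }' "$1"
}

# Peak requests per client in any one minute. A GET flood shows up here even
# before maxconn bites, because a flood tool does not wait for responses.
peak_rpm() {
    awk '{ k = $3 " " int($1 / 60); n[k]++ }
         END {
             for (k in n) { split(k, p, " "); if (n[k] > best[p[1]]) best[p[1]] = n[k] }
             for (ip in best) printf "%s %d\n", ip, best[ip]
         }' "$1" | sort
}

# Clients refused by http_access (maxconn) at least $2 times.
flood_suspects() {
    awk -v min="$2" '
        { total[$3]++ }
        $4 ~ /^TCP_DENIED\// { denied[$3]++ }
        END {
            for (ip in denied)
                if (denied[ip] >= min)
                    printf "%s denied=%d total=%d\n", ip, denied[ip], total[ip]
        }' "$1" | sort
}

# Turn the suspects into firewall rules. Printed, not executed: review them,
# then pipe into sh as root. Dropping at the packet filter stops the handshake
# and frees the connection slots that maxconn alone cannot protect.
drop_rules() {
    flood_suspects "$1" "$2" | while read -r ip rest; do
        echo "iptables -I INPUT -s $ip -p tcp --dport 80 -j DROP"
    done
}

echo "== cache ==";                   hit_ratio "$SAMPLE_LOG"
echo "== peak requests/minute ==";    peak_rpm "$SAMPLE_LOG"
echo "== suspects (>=3 denials) ==";  flood_suspects "$SAMPLE_LOG" 3
echo "== proposed rules ==";          drop_rules "$SAMPLE_LOG" 3
```

Point the functions at /var/log/squid/access.log instead of the sample to run it for real. The denial threshold matters: a handful of TCP_DENIED lines from one address is what a NATed office behind the 20-connection limit looks like, while hundreds within a minute is a flood.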

Any questions? Ready to answer in the comments or via Skype.
