With more attention focused on security, many administrators filter UDP packets to port 7. The Computer Emergency Response Team (CERT) once issued an advisory note (CA-96.01: UDP Port Denial-of-Service Attack) that says UDP echo and chargen services can be used for a denial of service attack. This made admins extremely nervous about any packets hitting port 7 on their systems, and they complained.

The source_ping feature has been disabled in Squid-2. If you're seeing packets to port 7 that are coming from a Squid cache (remote port 3130), then it's probably a very old version of Squid.

12.29 What does ``WARNING: Reply from unknown nameserver [a.b.c.d]'' mean?

It means Squid sent a DNS query to one IP address, but the response came back from a different IP address. By default Squid checks that the addresses match. If not, Squid ignores the response.

There are a number of reasons why this would happen:

  1. Your DNS name server just works this way, either because it has been configured to, or because it is stupid and doesn't know any better.
  2. You have a weird broadcast address, like 0.0.0.0, in your /etc/resolv.conf file.
  3. Somebody is trying to send spoofed DNS responses to your cache.

If you recognize the IP address in the warning as one of your name server hosts, then it's probably reason (1) or (2).

You can make these warnings stop, and allow responses from ``unknown'' name servers by setting this configuration option:

        ignore_unknown_nameservers off

12.30 How does Squid distribute cache files among the available directories?

Note: The information here is current for version 2.2.

See storeDirMapAllocate() in the source code.

When Squid wants to create a new disk file for storing an object, it first selects which cache_dir the object will go into. This is done with the storeDirSelectSwapDir() function. If you have N cache directories, the function identifies the 3N/4 (75%) of them with the most available space. These directories are then used, in order of having the most available space. When Squid has stored one URL to each of the 3N/4 cache_dir's, the process repeats and storeDirSelectSwapDir() finds a new set of 3N/4 cache directories with the most available space.

Once the cache_dir has been selected, the next step is to find an available swap file number. This is accomplished by checking the file map, with the file_map_allocate() function. Essentially the swap file numbers are allocated sequentially. For example, if the last number allocated happens to be 1000, then the next one will be the first number after 1000 that is not already being used.
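The two steps described above, as an added Python model (not Squid's own code): the 3N/4 cache_dir selection of storeDirSelectSwapDir() and the sequential swap file number allocation of file_map_allocate(). Directory names, free-space figures and in-use file numbers are constructed sample values.

```python
"""Model of Squid 2.2 cache_dir selection and swap file number allocation.

Added illustration following the FAQ text, not Squid source. Free-space
values below are constructed and shrink as objects are stored, which is what
makes the selected set change between rounds.
"""


class SwapDirSelector:
    def __init__(self, cache_dirs):
        # cache_dirs: {name: free_bytes}; updated as objects are stored
        self.free = dict(cache_dirs)
        self.queue = []  # current round of 3N/4 dirs, most free space first

    def select(self):
        """Return the cache_dir for the next object (storeDirSelectSwapDir)."""
        if not self.queue:
            n = len(self.free)
            count = max(1, (3 * n) // 4)  # 75% of the dirs, at least one
            ranked = sorted(self.free, key=lambda d: self.free[d], reverse=True)
            self.queue = ranked[:count]
        return self.queue.pop(0)

    def store(self, size):
        """Pick a cache_dir for an object of `size` bytes and charge it."""
        d = self.select()
        self.free[d] -= size
        return d


class FileMap:
    """Sequential swap file number allocator (file_map_allocate)."""

    def __init__(self, in_use=(), last=-1):
        self.in_use = set(in_use)  # constructed: numbers already on disk
        self.last = last           # last number handed out

    def allocate(self):
        n = self.last + 1
        while n in self.in_use:    # skip numbers still in use
            n += 1
        self.in_use.add(n)
        self.last = n
        return n


if __name__ == "__main__":
    sel = SwapDirSelector({"a": 400, "b": 300, "c": 200, "d": 180})
    print([sel.store(150) for _ in range(4)], sel.select())
    print(FileMap(in_use={1001, 1002}, last=1000).allocate())
```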

12.31 Why do I see negative byte hit ratio?

Byte hit ratio is calculated a bit differently than Request hit ratio. Squid counts the number of bytes read from the network on the server-side, and the number of bytes written to the client-side. The byte hit ratio is calculated as

        (client_bytes - server_bytes) / client_bytes

If server_bytes is greater than client_bytes, you end up with a negative value.

The server_bytes may be greater than client_bytes for a number of reasons, including:

12.32 What does ``Disabling use of private keys'' mean?

First you need to understand the difference between public and private keys.

When Squid sends ICP queries, it uses the ICP reqnum field to hold the private key data. In other words, when Squid gets an ICP reply, it uses the reqnum value to build the private cache key for the pending object.

Some ICP implementations always set the reqnum field to zero when they send a reply. Squid can not use private cache keys with such neighbor caches because Squid will not be able to locate cache keys for those ICP replies. Thus, if Squid detects a neighbor cache that sends zero reqnum's, it disables the use of private cache keys.

Not having private cache keys has some important privacy implications. Two users could receive one response that was meant for only one of the users. This response could contain personal, confidential information. You will need to disable the ``zero reqnum'' neighbor if you want Squid to use private cache keys.

12.33 What is a half-closed file descriptor?

TCP allows connections to be in a ``half-closed'' state. This is accomplished with the shutdown(2) system call. In Squid, this means that a client has closed its side of the connection for writing, but leaves it open for reading. Half-closed connections are tricky because Squid can't tell the difference between a half-closed connection, and a fully closed one.

If Squid tries to read a connection, and read() returns 0, and Squid knows that the client doesn't have the whole response yet, Squid marks the file descriptor as half-closed. Most likely the client has aborted the request and the connection is really closed. However, there is a slight chance that the client is using the shutdown() call, and that it can still read the response.

To disable half-closed connections, simply put this in squid.conf:

        half_closed_clients off

Then, Squid will always close its side of the connection instead of marking it as half-closed.
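The ambiguity described above, as an added Python demonstration (not Squid code): a "client" either half-closes with shutdown(SHUT_WR) or closes fully, and the "server" sees read() return 0 in both cases; only a later write shows which one it was. An AF_UNIX socketpair stands in for the TCP connection so the result is deterministic offline; the request and response bytes are constructed.

```python
"""Half-closed vs fully closed: indistinguishable from read() == 0 alone.

Added illustration, not Squid source. Uses a local AF_UNIX socketpair
(assumed Linux/macOS semantics: writing to a closed peer raises EPIPE).
"""
import socket


def probe(half_close: bool) -> dict:
    """Simulate a client that stops sending either by shutdown() or close()."""
    server, client = socket.socketpair()
    try:
        client.sendall(b"GET / HTTP/1.0\r\n\r\n")        # constructed request
        if half_close:
            client.shutdown(socket.SHUT_WR)              # done sending, still reading
        else:
            client.close()                               # connection really gone
        request = server.recv(1024)
        eof = server.recv(1024)                          # b'' (read() == 0) in BOTH cases
        try:
            server.sendall(b"HTTP/1.0 200 OK\r\n\r\nhello")  # constructed response
            write_ok = True
            delivered = client.recv(1024) if half_close else b""
        except (BrokenPipeError, ConnectionResetError):
            write_ok = False                             # peer was fully closed
            delivered = b""
        return {
            "request": request,
            "read_returned_zero": eof == b"",
            "write_ok": write_ok,
            "client_got_response": delivered,
        }
    finally:
        server.close()
        if half_close:
            client.close()


if __name__ == "__main__":
    # Same read() result, different outcome for the response.
    print("half-closed:", probe(True))
    print("fully closed:", probe(False))
```

With half_closed_clients off, Squid gives up on the first case too and closes its side as soon as read() returns 0.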

12.34 What does --enable-heap-replacement do?

Squid has traditionally used an LRU replacement algorithm. As of version 2.3, you can use some other replacement algorithms by using the --enable-heap-replacement configure option. Currently, the heap replacement code supports two additional algorithms: LFUDA, and GDS.

With Squid version 2.4 and later you should use this configure option:

./configure --enable-removal-policies=heap

Then, in squid.conf, you can select different policies with the cache_replacement_policy option. See the squid.conf comments for details.

The LFUDA and GDS replacement code was contributed by John Dilley and others from Hewlett-Packard. Their work is described in these papers:

  1. Enhancement and Validation of Squid's Cache Replacement Policy (HP Tech Report).
  2. Enhancement and Validation of the Squid Cache Replacement Policy (WCW 1999 paper).

12.35 Why is actual filesystem space used greater than what Squid thinks?

If you compare df output and cachemgr storedir output, you will notice that actual disk usage is greater than what Squid reports. This may be due to a number of reasons: