> -----Original Message-----
> From: Alex [mailto:linuxro@xxxxxxxxx]
> Sent: Sunday, September 25, 2005 2:54 AM
>
> On Saturday 24 September 2005 21:15, Matus UHLAR - fantomas wrote:
> > > > Okay... These look pretty good. Hits are fast, misses are okay, DNS
> > > > requests are about what I would expect... I'm a bit perplexed. What
> > > > are the symptoms of slow connections? Is it throughput on large
> > > > downloads, pages with lots of connections (msn.com with its thousands
> > > > of images), does it just take forever for a connection to get started,
> > > > or is it something else entirely?
> >
> > On 24.09 15:21, Alex wrote:
> > > NO, the situation is very simple: no matter the content of the page. Even if
> > > www.google.com is accessed, it takes more than 20-30s to load/display it
> > > correctly. Without squid, www.google.com is loaded instantly!
> >
> > ehm, this might be caused by:
> >
> > 1. clients connect from IPs not in DNS, and your squid checks for their
> > reverse (and probably direct) DNS information
>
> I don't think so... Indeed, for our clients, I haven't configured 10.0.0.rev
> zone in our DNS (I am using split view dns configuration and all our clients'
> queries are coming from: 10.0.x.0/24 subnets, where x = 1 up to 10),
> but .... If you are right, why in the morning or in the afternoon, squid is
> working ok?

Something is being overloaded at mid day. From the statistics you have provided, it's not Squid. You stated that a connection to Google takes 20-30 seconds to complete, but don't give details on what happens during the wait. Do parts of the page load (i.e. the text but not the logo), or is it a long wait and then the page suddenly appears?

> >
> > 2. you are requiring ident for them, they are firewalled and don't support
> > ident requests
>
> no, we are in a vpn and for our internal IP address we are passing almost all
> traffic... What's the name of the squid directive which enables/disables ident
> requests?

As far as I recall, ident lookups have to be compiled into Squid. Looking at the squid.conf.default I find "By default, ident lookups are not performed for any requests", and looking at your squid.conf I don't see you requesting ident info. I also don't see anything that should cause reverse DNS lookups.

> >
> > for 99% it's the first case. turn off dns checking in squid, or better, fix
> > your internal DNS.
>
> HOW CAN I TURN OFF DNS CHECKING IN SQUID ... log_fqdn directive is turned off
> by default....

Don't use acls such as srcdomain or srcdom_regex. You aren't, so I don't think this is the issue here.

At a busy point (when requests are blocking) check the "Internal DNS Statistics" page. That should show you which DNS servers are being queried. Output of "netstat -tapn" might be helpful as well. Lastly, running "squid -k debug" while under high load, waiting a few seconds, then running "squid -k debug" again (to turn debugging off), and then checking cache_log for details can reveal other problems.

It's sounding very much like a DNS server being overloaded or a problem with creating outgoing requests (firewall, OS limitation, etc).

>
> Here comes my squid.conf
>
> http_port 3128
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
> cache_mem 256 MB
> maximum_object_size 32768 KB
> maximum_object_size_in_memory 64 KB
> cache_replacement_policy heap GDSF
> memory_replacement_policy heap GDSF
> cache_dir aufs /var/spool/squid 20480 16 256
> cache_store_log none
> ftp_user squid@xxxxxxxxx
> auth_param basic children 100
> auth_param basic realm Squid proxy-caching server
> auth_param basic program /usr/lib/squid/pam_auth
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> half_closed_clients off
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl lanpass proxy_auth REQUIRED
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access allow lanpass
> http_access deny all
> http_reply_access allow all
> icp_access allow all
> cache_mgr admin@xxxxxxxxx
> visible_hostname proxy.mydoom.ro
> announce_period 0
> log_icp_queries off
> cachemgr_passwd *** all
> buffered_logs on
> coredump_dir /var/spool/squid
> client_persistent_connections off
>
> Alex
>

Chris
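
The check made by eye in the reply above (does this squid.conf request ident or reverse DNS lookups?) can be scripted. This is an added example, not part of the original message or of Squid; the function name and the constructed sample config are assumptions, and it covers only the directives named in the thread plus the ident ACL types and ident_lookup_access.

```python
# Squid 2.x ACL types that force a per-request lookup about the client.
LOOKUP_ACL_TYPES = {
    "srcdomain": "reverse DNS lookup of the client IP",
    "srcdom_regex": "reverse DNS lookup of the client IP",
    "ident": "ident query to the client",
    "ident_regex": "ident query to the client",
}

def find_lookup_triggers(conf_text):
    """Return (line_no, directive, reason) for each lookup-triggering line."""
    findings = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not tokens:
            continue
        name, args = tokens[0], tokens[1:]
        if name == "acl" and len(args) >= 2 and args[1] in LOOKUP_ACL_TYPES:
            findings.append((no, f"acl {args[0]} {args[1]}", LOOKUP_ACL_TYPES[args[1]]))
        elif name == "log_fqdn" and args[:1] == ["on"]:
            findings.append((no, "log_fqdn on", "reverse DNS lookup for access.log"))
        elif name == "ident_lookup_access" and args[:1] == ["allow"]:
            findings.append((no, "ident_lookup_access allow", "ident query to the client"))
    return findings

# Excerpt of the squid.conf posted in the thread.
POSTED_EXCERPT = "\n".join([
    r"acl QUERY urlpath_regex cgi-bin \?",
    "acl all src 0.0.0.0/0.0.0.0",
    "acl lanpass proxy_auth REQUIRED",
    "acl Safe_ports port 80 # http",
    "http_access allow lanpass",
])

# Constructed counter-example (hypothetical names) that does trigger lookups.
CONSTRUCTED = "\n".join([
    "acl staff srcdomain .example.internal",
    "acl named ident REQUIRED",
    "ident_lookup_access allow all",
    "log_fqdn on",
    "acl office src 10.0.1.0/24",
])

if __name__ == "__main__":
    for label, conf in (("posted", POSTED_EXCERPT), ("constructed", CONSTRUCTED)):
        hits = find_lookup_triggers(conf)
        print(label, "->", hits or "no DNS/ident lookup triggers")
```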