Scott Anctil wrote:
I have deployed a Squid server for a local school board to help with
there ever increasing bandwidth issues. It is running Squid 2.6 Stable
16 under Ubuntu 7.10 server on a HP DL380. This server has 2GB of RAM, 2
dual core 3.06 GHz processors and 288 GB of SAS 15k storage (RAID). I am
using NTLM authentication. We have only two schools running on it
(300-500 concurrent connections) and the box is already running at
30-50% CPU consistently. The one time we tried all of the schools
(1000-4000 concurrent connections) the box went to 100% CPU solid and
users were dropping pages. I have been scouring the internet for answers
and have made a number of changes, none of which have helped. Should I
not be expecting more out of this box? Here are the options I used to
compile.
Assuming you mean 300-400 people using the cache, you should expect
more. Tips below...
./configure --with-maxfd=4096 --prefix=/usr/local/squid
--enable-basic-auth-helpers="SMB" --enable-ntlm-auth-helpers="SMB"
--enable-external-acl-helpers="wbinfo_group" --enable-auth="basic,ntlm"
--with-winbind-auth-challenge
Here is my squid.conf
#######################
# Basic Configuration #
#######################
visible_hostname ***************
http_port 3128
cache_dir ufs /usr/local/squid/cache 50000 15 256
aufs is a better choice for a proxy that's going to be heavily used, but
I think it's going to require a recompile.
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
tcp_outgoing_address 10.1.10.211
append_domain *****************
httpd_suppress_version_string on
cache_effective_user squid
authenticate_ttl 24 hours
authenticate_ip_ttl 15 minutes
#############
# Log Files #
#############
cache_access_log /usr/local/squid/var/logs/access.log
cache_log /usr/local/squid/var/logs/cache.log
cache_store_log /usr/local/squid/var/logs/store.log
You might consider dumping the store log.
###################
# Control Caching #
###################
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern cgi-bin 1 20% 2
refresh_pattern \.asp$ 1 20% 2
refresh_pattern \.acgi$ 1 20% 2
refresh_pattern \.cgi$ 1 20% 2
refresh_pattern \.pl$ 1 20% 2
refresh_pattern \.shtml$ 1 20% 2
refresh_pattern \.php3$ 1 20% 2
refresh_pattern \? 1 20% 2
refresh_pattern \.gif$ 10080 90% 43200
refresh_pattern \.jpg$ 10080 90% 43200
refresh_pattern \.bom\.gov\.au 30 20% 120
refresh_pattern \.html$ 480 50% 22160
refresh_pattern \.htm$ 480 50% 22160
refresh_pattern \.class$ 10080 90% 43200
refresh_pattern \.zip$ 10080 90% 43200
refresh_pattern \.jpeg$ 10080 90% 43200
refresh_pattern \.mid$ 10080 90% 43200
refresh_pattern \.shtml$ 480 50% 22160
refresh_pattern \.exe$ 10080 90% 43200
refresh_pattern \.thm$ 10080 90% 43200
refresh_pattern \.wav$ 10080 90% 43200
refresh_pattern \.txt$ 10080 90% 43200
refresh_pattern \.cab$ 10080 90% 43200
refresh_pattern \.au$ 10080 90% 43200
refresh_pattern \.mov$ 10080 90% 43200
refresh_pattern \.xbm$ 10080 90% 43200
refresh_pattern \.ram$ 10080 90% 43200
refresh_pattern \.avi$ 10080 90% 43200
refresh_pattern \.chtml$ 480 50% 22160
refresh_pattern \.thb$ 10080 90% 43200
refresh_pattern \.dcr$ 10080 90% 43200
refresh_pattern \.bmp$ 10080 90% 43200
refresh_pattern \.phtml$ 480 50% 22160
refresh_pattern \.mpg$ 10080 90% 43200
refresh_pattern \.pdf$ 10080 90% 43200
refresh_pattern \.art$ 10080 90% 43200
refresh_pattern \.swf$ 10080 90% 43200
refresh_pattern \.mp3$ 10080 90% 43200
refresh_pattern \.ra$ 10080 90% 43200
refresh_pattern \.spl$ 10080 90% 43200
refresh_pattern \.viv$ 10080 90% 43200
refresh_pattern \.doc$ 10080 90% 43200
refresh_pattern \.gz$ 10080 90% 43200
refresh_pattern \.Z$ 10080 90% 43200
refresh_pattern \.tgz$ 10080 90% 43200
refresh_pattern \.tar$ 10080 90% 43200
refresh_pattern \.vrm$ 10080 90% 43200
refresh_pattern \.vrml$ 10080 90% 43200
refresh_pattern \.aif$ 10080 90% 43200
refresh_pattern \.aifc$ 10080 90% 43200
refresh_pattern \.aiff$ 10080 90% 43200
refresh_pattern \.arj$ 10080 90% 43200
refresh_pattern \.c$ 10080 90% 43200
refresh_pattern \.cpt$ 10080 90% 43200
refresh_pattern \.dir$ 10080 90% 43200
refresh_pattern \.dxr$ 10080 90% 43200
refresh_pattern \.hqx$ 10080 90% 43200
refresh_pattern \.jpe$ 10080 90% 43200
refresh_pattern \.lha$ 10080 90% 43200
refresh_pattern \.lzh$ 10080 90% 43200
refresh_pattern \.midi$ 10080 90% 43200
refresh_pattern \.movie$ 10080 90% 43200
refresh_pattern \.mp2$ 10080 90% 43200
refresh_pattern \.mpe$ 10080 90% 43200
refresh_pattern \.mpeg$ 10080 90% 43200
refresh_pattern \.mpga$ 10080 90% 43200
refresh_pattern \.pl$ 10080 90% 43200
refresh_pattern \.ppt$ 10080 90% 43200
refresh_pattern \.ps$ 10080 90% 43200
refresh_pattern \.qt$ 10080 90% 43200
refresh_pattern \.qtm$ 10080 90% 43200
refresh_pattern \.ras$ 10080 90% 43200
refresh_pattern \.sea$ 10080 90% 43200
refresh_pattern \.sit$ 10080 90% 43200
refresh_pattern \.tif$ 10080 90% 43200
refresh_pattern \.tiff$ 10080 90% 43200
refresh_pattern \.snd$ 10080 90% 43200
refresh_pattern \.wrl$ 10080 90% 43200
refresh_pattern ^ftp:// 480 60% 22160
refresh_pattern ^gopher:// 30 20% 120
refresh_pattern . 480 50% 22160
acl post_requests method POST
cache deny post_requests
acl No_Cache_Sites url_regex "/usr/local/squid/etc/squid-no_cache.acl"
This could be the start of your problems. What does this file look
like? Can you use a dstdomain acl instead of the url_regex?
no_cache deny No_Cache_Sites
##########################################
# Enable the NTLM Authentication Program #
##########################################
auth_param ntlm program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp
auth_param basic program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-basic
auth_param basic children 25
auth_param ntlm children 25
auth_param ntlm keep_alive on
########
# ACLs #
########
external_acl_type nt_group ttl=60 children=25 protocol=2.5 %LOGIN
/usr/local/squid/libexec/wbinfo_group.pl
I don't think that the 24 hour authenticate_ttl is going to have any
effect on the caching of the results from this external_acl. How
quickly does someone who was put in the Student's group need to be
brought out? Could you up the ttl here to 300 (5 minutes)?
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl Safe_Ports port 80
acl Safe_Ports port 21
acl Safe_Ports port 9080
acl Safe_Ports port 812
acl Safe_Ports port 9090
acl Safe_Ports port 8090
acl Safe_Ports port 9000
acl Safe_Ports port 22
acl Safe_Ports port 88
acl Safe_Ports port 8000
acl Safe_Ports port 8008
acl SSL_Ports port 443
acl purge method PURGE
acl CONNECT method CONNECT
acl NTLMUsers proxy_auth REQUIRED
acl Students external nt_group students
acl Blocked_Sites url_regex "/usr/local/squid/etc/squid-block.acl"
acl Bypass_Sites url_regex "/usr/local/squid/etc/squid-bypass.acl"
More regex. Perhaps some of these would be good candidates for
dstdomain as well.
##################
# Control Access #
##################
http_access allow Bypass_Sites
http_access deny Blocked_Sites
http_access deny SSL_Ports NTLMUsers Students
http_access allow Safe_Ports NTLMUsers Students
http_access deny NTLMUsers Students
http_access allow NTLMUsers
Not performance related, but you probably want to swap the order of
these two blocks...
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
As it stands now, you are allowing connections to non Safe_ports (and
allowing CONNECT to any port) if the destination is one of the Bypass_Sites.
http_access deny all
icp_access allow all
Help!
Scott
sanctil(at)wescotttech.com
I'd have to guess that it's the regex that's killing your performance.
See http://www.squid-cache.org/mail-archive/squid-users/200411/0179.html
for the schooling I received on the subject.
Chris
