Re: squid consuming too much processor/cpu

[Marcello Romani <mromani@xxxxxxxxxxxxxxx>]

Muhammad Sharfuddin ha scritto:
> On Mon, 2010-03-22 at 19:27 +1300, Amos Jeffries wrote:
> > > Thanks list for help.
> > >
> > > restarting squid is not a solution, I noticed only after 20 minutes
> > > after restarting, squid started consuming/eating CPU again.
> > >
> > > On Wed, 2010-03-17 at 19:54 +1100, Ivan . wrote:
> > > > you might want to check out this thread
> > > > http://www.mail-archive.com/squid-users@xxxxxxxxxxxxxxx/msg56216.html
> > > Neither I installed any package.. i.e not checked
> > >
> > > On Wed, 2010-03-17 at 05:27 -0700, George Herbert wrote:
> > > > or install the Google malloc library and recompile Squid to
> > > > use it instead of default gcc malloc.
> > > On Wed, 2010-03-17 at 15:01 +0200, Henrik K wrote:
> > > > If the system regex is issue, wouldn't it be better/simpler to just
> > > > compile
> > > > with PCRE? (LDFLAGS="-lpcreposix -lpcre"). It doesn't leak and as a bonus
> > > > makes your REs faster.
> > > Nor I re-compiled Squid, as I have to use binary/rpm version of squid
> > > that shipped with the Distro I am using
> > >
> > > issue resolved via removing acl that blocked almost 60K urls/domains
> > >
> > > commenting following worked
> > > ##acl porn_deny url_regex "/etc/squid/domains.deny"
> > > ##http_access deny porn_deny
> > >
> > > so how can I deny illegal contents/website ?
> > If those were actually domain names...
> they are both urls and domain
>
> >   * use "dstdomain" type instead of regex.
> ok nice suggestion
>
>
> > Optimize order of ACLs so do most rejections as soon as possible with 
> > fastest match types.
>>
> I think its optimized, as the rule(squeezing cpu) is the first rule in
> squid.conf

That's the exact opposite of "optimizing" as the cpu-consuming rule is 
_always_ executed.
First rules should be non-cpu consuming (i.e. non-regexp) and should 
block most of the traffic, leaving the cpu-consuming ones at the bottom, 
ralrely executed.

> > If you don't mind sharing your squid.conf access lines we can work 
> > through optimizing with you.
> I posted squid.conf when I start this thread/topic, but I have no issue
> posting it again ;)

I think he meant the list of blocked sites / url.

> squid.conf:
> acl myFTP port   20  21
> acl ftp_ipes src "/etc/squid/ftp_ipes.txt"
> http_access allow ftp_ipes myFTP
> http_access deny myFTP
>
> #### this is the acl eating CPU #####
> acl porn_deny url_regex "/etc/squid/domains.deny"
> http_access deny porn_deny
> ###############################
>
> acl vip src "/etc/squid/vip_ipes.txt"
> http_access allow vip
>
> acl entweb url_regex "/etc/squid/entwebsites.txt"
> http_access deny entweb
>
> acl mynet src "/etc/squid/allowed_ipes.txt"
> http_access allow mynet
>
> > Amos


--
Marcello Romani