
Re: Squid 3.1.10 Congestion Warnings


 



On Mon, 7 Feb 2011 10:40:42 -0500, Michael Grasso wrote:
> I'm receiving the below congestion warning several times a day. I'm
> wondering if this is anything to be concerned about.
> 
> 2011/02/07 10:06:07| squidaio_queue_request: WARNING - Queue congestion
> 

It's to be expected shortly after startup if you have lots of users. Gets
printed every time squid doubles the 
If you are getting it regularly it is probably a sign that your Squid is
crashing or restarting.


> My squid.conf file is below:
> 
> #
> # Recommended minimum configuration:
> #
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32 ::1
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
> 
> # Example rule allowing access from your local networks.
> # Adapt to list your (internal) IP networks from where browsing
> # should be allowed
> acl localnet src 10.10.0.0/16 # RFC1918 possible internal network
> acl localnet src fc00::/7       # RFC 4193 local private network range
> acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
> 
> acl SSL_ports port 443
> acl SSL_ports port 7001
> acl Safe_ports port 80        # http
> acl Safe_ports port 21        # ftp
> acl Safe_ports port 443       # https
> acl Safe_ports port 70        # gopher
> acl Safe_ports port 210       # wais
> acl Safe_ports port 1025-65535      # unregistered ports
> acl Safe_ports port 280       # http-mgmt
> acl Safe_ports port 488       # gss-http
> acl Safe_ports port 591       # filemaker
> acl Safe_ports port 777       # multiling http
> acl CONNECT method CONNECT
> 
> acl snmppublic snmp_community cadc
> acl snmpsrv src 10.10.2.202
> snmp_access allow snmppublic snmpsrv
> snmp_incoming_address 10.10.2.226
> snmp_port 3401
> 
> acl malware_block_list url_regex -i "/usr/local/squid/malware_block_list.txt"
> http_access deny malware_block_list
> deny_info http://intranet.cadc.circdc.dcn/malwarealert/malware.htm malware_block_list
> 

In an unrelated optimization...

  You may want to move this down to directly underneath the "INSERT YOUR
OWN RULE(S) HERE". The Safe_ports and SSL_ports checks are more efficient;
the determining factor is whether there are malware requests they catch
which you want to get that reply page.


> #
> # Recommended minimum Access Permission configuration:
> #
> # Only allow cachemgr access from localhost
> http_access allow manager snmpsrv
> http_access deny manager
> 
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
> 
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
> 
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> #http_access deny to_localhost
> 
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
> 
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow localnet
> http_access allow localhost
> 
> # And finally deny all other access to this proxy
> http_access deny all
> 
> # Squid normally listens to port 3128
> http_port 10.10.2.226:3128
> 
> # We recommend you to use at least the following line.
> hierarchy_stoplist cgi-bin ?
> 
> # Uncomment and adjust the following to add a disk cache directory.
> cache_replacement_policy heap GDSF
> cache_dir aufs /cache1/cache 16384 16 256
> cache_dir aufs /cache2/cache 16384 16 256
> 
> # Leave coredumps in the first cache dir
> coredump_dir /usr/local/squid/var/cache
> 
> # Add any of your own refresh_pattern entries above these.
> refresh_pattern ^ftp:         1440  20%   10080
> refresh_pattern ^gopher:      1440  0%    1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0%    0
> refresh_pattern .       0     20%   4320
> 
> icap_enable on
> icap_send_client_ip on
> icap_send_client_username on
> icap_client_username_encode off
> icap_client_username_header X-Authenticated-User
> icap_preview_enable on
> icap_preview_size 1024
> icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
> adaptation_access service_req allow all
> icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
> adaptation_access service_resp allow all
> 
> cache_access_log none

FYI: The above directive is named just "access log".

> cache_mgr mgrasso@xxxxxxxxxxxxxxxxx
> ftp_user squid@xxxxxxxxxxxxxxxxx
> cache_mem 512 MB
> dns_nameservers 10.10.2.214 10.10.2.215
> refresh_all_ims on
> memory_replacement_policy heap GDSF
> maximum_object_size_in_memory 1024 KB
> shutdown_lifetime 5 seconds
> client_db off
> 
> 
> The server has two dual core processors, 8 GB of RAM and two 15K hard
> drives for my aufs cache volumes.
> I just put the server into production and it has about 50 users configured
> to use the proxy.
> 
> Any help is appreciated.

It's unclear what would be causing disk overloads from that config. The
possibilities that come to mind are ICAP doing disk things or a flood of
traffic from your clients causing a high hit rate.

Amos
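
Added example (not part of the original thread and not Squid project code): a small Python check for the rule ordering suggested in the reply, flagging `http_access` rules that use a regex-type ACL before the `Safe_ports` / `SSL_ports` denies. The sample configs are constructed by condensing the posted one; the function names and the rule "an ACL type ending in `regex` is expensive" are assumptions of this example.

```python
# Added example: audit http_access order in squid.conf text (stdlib only).
ACLS = """\
acl SSL_ports port 443
acl Safe_ports port 80
acl CONNECT method CONNECT
acl localnet src 10.10.0.0/16
acl malware_block_list url_regex -i "/usr/local/squid/malware_block_list.txt"
"""
# Constructed samples, condensed from the config quoted in the thread.
PORT_RULES = "http_access deny !Safe_ports\nhttp_access deny CONNECT !SSL_ports\n"
MALWARE = "http_access deny malware_block_list\n"
TAIL = "http_access allow localnet\nhttp_access deny all\n"
POSTED = ACLS + MALWARE + PORT_RULES + TAIL      # order as posted
REORDERED = ACLS + PORT_RULES + MALWARE + TAIL   # regex deny moved below port checks

def parse(conf_text):
    """Return ({acl_name: acl_type}, [(lineno, action, [acl, ...])]) in file order."""
    acl_types, rules = {}, []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()  # naive comment stripping
        if len(parts) >= 3 and parts[0] == "acl":
            acl_types.setdefault(parts[1], parts[2])
        elif len(parts) >= 3 and parts[0] == "http_access":
            rules.append((lineno, parts[1], parts[2:]))
    return acl_types, rules

def regex_before_port_checks(conf_text, cheap=("Safe_ports", "SSL_ports")):
    """List (lineno, [acl names]) for regex-ACL rules placed before the last port-check deny."""
    acl_types, rules = parse(conf_text)
    port_lines = [ln for ln, action, acls in rules
                  if action == "deny" and any(a.lstrip("!") in cheap for a in acls)]
    if not port_lines:
        return []
    findings = []
    for ln, _action, acls in rules:
        if ln >= max(port_lines):
            break
        # Assumption: an ACL type ending in "regex" is the expensive kind.
        slow = [a.lstrip("!") for a in acls
                if acl_types.get(a.lstrip("!"), "").endswith("regex")]
        if slow:
            findings.append((ln, slow))
    return findings

if __name__ == "__main__":
    print("posted:   ", regex_before_port_checks(POSTED))
    print("reordered:", regex_before_port_checks(REORDERED))
```

With the reordered rules, a request that fails the port checks is denied there and never reaches the `malware_block_list` rule, so it does not get the `deny_info` page attached to that ACL.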

