
Re: Slow Squid 2.6 Server

On 25.09.2012 00:25, Art Bermas wrote:
Hello Everyone,

I've been experiencing a slow proxy on my second Squid box even
though its general configuration is the same as my first Squid box,
except of course for the IP. See below for details:

Squid Box 1 - Connected to a 3 Mbps DSL line. Used by the majority of users for
internet browsing. Running on CentOS 5.8 with iptables configured;
iptables PREROUTING redirects HTTP requests to port 3128. Hardware: Intel
Core 2 Duo 1.86 GHz, 8 GB RAM.

#SQUID BOX 1 CONFIGURATION
http_port 3128 transparent
cache_mem 50 MB
cache_dir ufs /var/spool/squid 500 16 256
maximum_object_size 1 MB
access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
ftp_passive on
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
request_body_max_size 4 MB
dns_nameservers x.x.x.x x.x.x.x


#Recommended minimum configuration:
acl ftp proto FTP
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 83          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
always_direct allow FTP

#Recommended minimum configuration:

#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to unknown ports
http_access deny !Safe_ports


# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#

acl walang_bawal src "/etc/squid/no_restrictions"
acl no_restrictions_but_no_porn src "/etc/squid/no_restrictions_but_no_porn"
acl mga_direktor src "/etc/squid/directors"
acl dept_heads_pms src "/etc/squid/dept_heads_pms"

acl neo src 172.16.64.50 # neo
#
#3D CGI
acl cgi002 src 172.16.64.177 # Mark
acl cgi003 src 172.16.64.93 # Czy
acl cgi004 src 172.16.64.92 # Amabel
acl cgi006 src 172.16.64.91 # Archie
acl cgi009 src 172.16.64.94 # Idol
acl tca001 src 172.16.64.96 # Allan
acl tca002 src 172.16.64.184 # Anthony
acl cgi019 src 172.16.64.214 # Animator
acl cgi007 src 172.16.64.179 # CGI

acl redondo3d src 172.16.64.207 #Mac Avid1 Chrysler
acl mac-g5 src 172.16.64.206 #Avid 2
acl sicily src 172.16.64.199 #retakes dept Jeff Gongon
acl missouri src 172.16.65.248 #Mitch
acl iriga src 172.16.65.188 #Mitch
acl calbayog src 172.16.65.171 #Reception

# OUR POLICY
acl business_hours time M T W H F A S 9:00-19:00
acl business_hours_MF time M T W H F 10:00-19:00
acl am_hours time M T W H F 00:00-05:00
acl pm_hours time M T W H F 15:00-17:00
acl facebook_time time M T W H F A S 12:00-14:00
acl utube_time time M T W H F A S 12:00-14:00
acl bad url_regex -i "/etc/squid/restrict-url.acl"
acl facebk dstdomain .facebook.com
acl utube dstdomain .youtube.com
acl bawal dstdom_regex "/etc/squid/bawal.list"
#acl goodsites dstdomain "/etc/squid/goodsites.acl"

#### THE ACCESS #####
#
#
# THESE HAVE NO RESTRICTIONS AT ALL
http_access allow walang_bawal
http_access allow neo business_hours

# HERE THE ONLY THING FORBIDDEN IS NUDITY
http_access deny bad

http_access allow no_restrictions_but_no_porn

http_access allow calbayog pm_hours
# HERE FACEBOOK IS CONTROLLED BUT YOUTUBE IS ALWAYS AVAILABLE
http_access allow facebk facebook_time
http_access deny facebk
http_access deny CONNECT SSL_ports facebk

# HERE ARE THE DIRECTORS
http_access deny bawal
http_access deny CONNECT SSL_ports bawal
http_access allow mga_direktor
# 3D-CGI
http_access allow tca001
http_access allow tca002
http_access allow cgi002
http_access allow cgi003
http_access allow cgi004
http_access allow cgi006
http_access allow cgi009
http_access allow cgi019
http_access allow cgi007

# HERE YOUTUBE HAS A TIME SLOT
http_access allow utube utube_time
http_access deny utube
http_access deny CONNECT SSL_ports utube

# HERE THERE IS REALLY NO YOUTUBE, FACEBOOK ETC. ETC.
http_access deny utube
http_access deny CONNECT SSL_ports utube
http_access allow dept_heads_pms

http_access allow redondo3d facebook_time
http_access allow mac-g5 facebook_time
http_access allow sicily facebook_time
http_access allow missouri business_hours
http_access allow iriga business_hours


# And finally deny all other access to this proxy
http_access allow localhost
http_access deny CONNECT SSL_ports
http_access deny all

logfile_rotate 0
ssl_unclean_shutdown on
allow_underscore on
shutdown_lifetime 30 seconds
visible_hostname TOONCITY_Technology_Department
cache_mgr technology@xxxxxxxxxxxxxxxxxxxxx
coredump_dir /var/spool/squid
always_direct allow FTP
ftp_sanitycheck off

Squid Box 2 - Connected to a 6 Mbps leased line. Used by the powers
that be for internet browsing. Running on CentOS 5.8 with iptables
configured; iptables PREROUTING redirects HTTP requests to port 3128.
Hardware: Intel Pentium 4 3.00 GHz, 2 GB RAM.

#SQUID BOX 2 CONFIGURATION
http_port 3128 transparent
cache_mem 50 MB
cache_dir ufs /var/spool/squid 500 16 256
maximum_object_size 1 MB
access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log

cache_store_log is not very useful. Unless you are using the log for analysis you can set this to "cache_store_log none" and save yourself a lot of disk I/O.


ftp_passive on
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
request_body_max_size 4 MB
dns_nameservers x.x.x.x x.x.x.x


#Recommended minimum configuration:
acl ftp proto FTP
acl all src 0.0.0.0/0.0.0.0

acl all src all

acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 83          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
always_direct allow FTP

#Recommended minimum configuration:

#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to unknown ports
http_access deny !Safe_ports


# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#

#ACL'S

acl tabaco2 src 172.16.64.46
acl daraga src 172.16.64.61
acl finance src 172.16.64.62
acl hr04 src 172.16.64.68

#ACCESS LIST

http_access allow tabaco2
http_access allow daraga
http_access allow finance
http_access allow hr04

The above ACLs are all "src" type. You can compact this config down to:


 acl foo src 172.16.64.46 # tabaco2
 acl foo src 172.16.64.61 # daraga
 acl foo src 172.16.64.62 # finance
 acl foo src 172.16.64.68 # hr04

 http_access allow foo


# And finally deny all other access to this proxy
http_access allow localhost
http_access deny CONNECT SSL_ports
http_access deny all

logfile_rotate 0
ssl_unclean_shutdown on
allow_underscore on
shutdown_lifetime 30 seconds
visible_hostname TOONCITY_Technology_Department
cache_mgr technology@xxxxxxxxxxxxxxxxxxxxx
coredump_dir /var/spool/squid
always_direct allow FTP
ftp_sanitycheck off

always_direct is only useful with cache_peer or accelerator configurations.
You can remove the "always_direct allow FTP" lines.


As you can see from the listed configs, both Squid boxes have
"almost" the same general configuration.

Squid Box 1 is performing fine with no hassle at all.

Squid Box 2 performs normally for a few hours and then starts to slow
down. I get "zero sized reply" from time to time.


Sounds familiar. Please upgrade: 2.6 has been obsolete for almost 5 years now; the current release of Squid is 3.2.1.


The users/hosts listed on Squid Box 2 used to connect through Squid Box
1 with no problem at all. I transferred them to Squid Box 2 over the
weekend and I noticed the problem today.

After going through the logs and testing several configurations on Squid
Box 2, there is still no improvement.

Could it be the hardware? No disk errors on both boxes.

Possibly, or DNS lag, or PMTU issues, or Buffer Bloat (I recommend looking it up if you are not already aware), or HTTP/1.1 features not supported by 2.6.

Amos
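Before chasing the DNS, PMTU or bufferbloat leads Amos lists, the access.log on Box 2 can show when the slowdown begins and whether cache hits or upstream fetches are the slow ones. The script below is an added example for this thread, not code from the poster or from the Squid project. It parses Squid's native access.log layout (timestamp, elapsed ms, client, action/status, bytes, method, URL, ident, hierarchy/peer, type), buckets requests per hour, and reports the median and maximum service time plus the number of 5xx responses, which is the status Squid uses for its own "Zero Sized Reply" error page. The log lines are constructed to mimic the "fine for a few hours, then slow" pattern described above; they are not from either box.

```python
"""Hourly latency and gateway-error trend from a Squid native-format access.log.

Added example for the squid-users thread; not code from the poster or from Squid.
Field layout assumed (Squid native format):
  timestamp.ms elapsed_ms client action/status bytes method URL ident hierarchy/peer type
"""
import re
from collections import defaultdict
from statistics import median

# Constructed sample: two normal hours, then two hours that degrade with 5xx errors.
SAMPLE_LOG = """\
1348473600.101    120 172.16.64.46 TCP_MISS/200 4523 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
1348473900.412     95 172.16.64.61 TCP_HIT/200 1200 GET http://www.example.com/logo.png - NONE/- image/png
1348474800.055    140 172.16.64.62 TCP_MISS/200 8810 GET http://news.example.org/ - DIRECT/198.51.100.7 text/html
1348476000.730    110 172.16.64.68 TCP_MISS/304 312 GET http://www.example.com/style.css - DIRECT/93.184.216.34 text/css
1348477300.210    130 172.16.64.46 TCP_MISS/200 5120 GET http://www.example.com/page2 - DIRECT/93.184.216.34 text/html
1348478100.844    100 172.16.64.61 TCP_HIT/200 2200 GET http://www.example.com/a.js - NONE/- application/javascript
1348479000.117    150 172.16.64.62 TCP_MISS/200 7300 GET http://news.example.org/world - DIRECT/198.51.100.7 text/html
1348480500.662     90 172.16.64.68 TCP_MISS/200 640 GET http://www.example.com/ping - DIRECT/93.184.216.34 text/plain
1348481000.301    900 172.16.64.46 TCP_MISS/200 4523 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
1348481900.523   2500 172.16.64.61 TCP_MISS/200 9100 GET http://news.example.org/ - DIRECT/198.51.100.7 text/html
1348482800.088    400 172.16.64.62 TCP_HIT/200 1200 GET http://www.example.com/logo.png - NONE/- image/png
1348483700.949   3100 172.16.64.68 TCP_MISS/502 1410 GET http://news.example.org/sports - DIRECT/198.51.100.7 text/html
1348484600.140   6000 172.16.64.46 TCP_MISS/502 1410 GET http://www.example.com/page3 - DIRECT/93.184.216.34 text/html
1348485500.377   4200 172.16.64.61 TCP_MISS/200 5120 GET http://www.example.com/page2 - DIRECT/93.184.216.34 text/html
1348486400.602   8000 172.16.64.62 TCP_MISS/502 1410 GET http://news.example.org/ - DIRECT/198.51.100.7 text/html
1348487300.815   5200 172.16.64.68 TCP_MISS/200 7300 GET http://news.example.org/world - DIRECT/198.51.100.7 text/html
"""

# timestamp.frac  elapsed  client  action/status  bytes  method  url  (rest ignored)
LINE_RE = re.compile(
    r"^(\d+)\.\d+\s+(\d+)\s+(\S+)\s+(\S+)/(\d{3})\s+(\d+)\s+(\S+)\s+(\S+)")


def parse_line(line):
    """Return a dict for one native-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, elapsed, client, action, status, size, method, url = m.groups()
    return {"ts": int(ts), "elapsed_ms": int(elapsed), "client": client,
            "action": action, "status": int(status), "bytes": int(size),
            "method": method, "url": url}


def hourly_stats(log_text):
    """Per-hour request count, median/max service time, 5xx count and slow hits."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            buckets[rec["ts"] - rec["ts"] % 3600].append(rec)
    stats = []
    for hour in sorted(buckets):
        recs = buckets[hour]
        elapsed = [r["elapsed_ms"] for r in recs]
        stats.append({
            "hour": hour,
            "requests": len(recs),
            "median_ms": median(elapsed),
            "max_ms": max(elapsed),
            # Squid answers a failed upstream fetch (e.g. "Zero Sized Reply") with its own 5xx page
            "gateway_errors": sum(1 for r in recs if r["status"] >= 500),
            # a slow TCP_HIT never touched the network, so it points at the proxy host itself
            "slow_hits": sum(1 for r in recs
                             if r["action"].startswith("TCP_HIT") and r["elapsed_ms"] > 1000),
        })
    return stats


def degraded_hours(stats, factor=3.0):
    """Hours whose median service time is at least `factor` times the first hour's."""
    baseline = stats[0]["median_ms"]
    return [s["hour"] for s in stats if s["median_ms"] >= factor * baseline]


if __name__ == "__main__":
    stats = hourly_stats(SAMPLE_LOG)
    for s in stats:
        print(s)
    print("degraded hours:", degraded_hours(stats))
```

Run it against the real file with `hourly_stats(open("/var/log/squid/access.log").read())`. The elapsed field covers the whole request, from receipt to the last byte sent to the client, so it includes DNS lookup, upstream connect and the client drain; an hour where the median of TCP_MISS requests climbs together with 5xx responses points at the path or resolver, whereas slow TCP_HIT requests on an idle link point at the box itself (disk, swap, CPU).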


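The other thing worth being precise about on this page is how Squid decides an http_access list like the Box 1 one: lines are walked top to bottom and the first line whose ACL terms all match decides the request, so the answer for a client depends on where its allow or deny sits relative to the others. The evaluator below is an added example, not code from the poster or from Squid. It encodes a subset of the Box 1 rules in their original order and supports the src, dstdomain, url_regex and time ACL types those rules use. The host lists the original loads from files (/etc/squid/no_restrictions, directors, dept_heads_pms) and the url_regex patterns are constructed stand-ins, bawal is modelled as dstdomain rather than dstdom_regex, and the time range is treated as inclusive at both ends.

```python
"""First-match evaluation of Squid http_access rules.

Added example for the Box 1 policy in the thread; not code from the poster or
from Squid. The file-backed host lists and regex patterns are stand-ins.
"""
import ipaddress
import re
from datetime import datetime

# Squid time-ACL day letters -> datetime.weekday() (Monday == 0)
DAY = {"M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5, "S": 6}


class Acl:
    """One named ACL; repeated definitions of a name in squid.conf OR together."""

    def __init__(self, kind, *values):
        self.kind, self.values = kind, values

    def matches(self, req):
        if self.kind == "src":
            ip = ipaddress.ip_address(req["src"])
            return any(ip in ipaddress.ip_network(v, strict=False) for v in self.values)
        if self.kind == "dstdomain":  # ".example.com" matches the domain and its subdomains
            host = req["host"].lower()
            return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
                       for v in self.values)
        if self.kind == "url_regex":
            return any(re.search(v, req["url"], re.I) for v in self.values)
        if self.kind == "time":  # values: ("MTWHF", "12:00-14:00"); assumed inclusive range
            days, span = self.values
            start, end = (int(h) * 60 + int(m)
                          for h, m in (p.split(":") for p in span.split("-")))
            t = req["when"]
            return t.weekday() in {DAY[d] for d in days} and start <= t.hour * 60 + t.minute <= end
        raise ValueError("unsupported acl type " + self.kind)


# Constructed stand-ins for the file-backed lists in the original config.
ACLS = {
    "walang_bawal": Acl("src", "172.16.64.10"),             # /etc/squid/no_restrictions
    "no_restrictions_but_no_porn": Acl("src", "172.16.64.11"),
    "mga_direktor": Acl("src", "172.16.64.20/30"),          # /etc/squid/directors
    "dept_heads_pms": Acl("src", "172.16.64.30"),
    "localhost": Acl("src", "127.0.0.1/32"),
    "all": Acl("src", "0.0.0.0/0"),
    "facebk": Acl("dstdomain", ".facebook.com"),
    "utube": Acl("dstdomain", ".youtube.com"),
    "facebook_time": Acl("time", "MTWHFAS", "12:00-14:00"),
    "utube_time": Acl("time", "MTWHFAS", "12:00-14:00"),
    "bad": Acl("url_regex", r"porn", r"xxx"),               # /etc/squid/restrict-url.acl
    "bawal": Acl("dstdomain", ".blocked.example"),          # /etc/squid/bawal.list
}

# http_access lines, in the order they appear in the Box 1 config (subset).
RULES = [
    ("allow", ["walang_bawal"]),
    ("deny", ["bad"]),
    ("allow", ["no_restrictions_but_no_porn"]),
    ("allow", ["facebk", "facebook_time"]),
    ("deny", ["facebk"]),
    ("deny", ["bawal"]),
    ("allow", ["mga_direktor"]),
    ("allow", ["utube", "utube_time"]),
    ("deny", ["utube"]),
    ("allow", ["dept_heads_pms"]),
    ("allow", ["localhost"]),
    ("deny", ["all"]),
]


def evaluate(rules, acls, req):
    """Return (decision, index of the deciding line); index None means no line matched."""
    for i, (action, terms) in enumerate(rules):
        # a term is satisfied when the ACL matches, or does not match and is negated with "!"
        if all(acls[t.lstrip("!")].matches(req) != t.startswith("!") for t in terms):
            return action, i
    # Squid's documented default when nothing matches: the opposite of the last line
    return ("deny" if rules[-1][0] == "allow" else "allow"), None


def request(src, url, when):
    return {"src": src, "url": url,
            "host": re.match(r"https?://([^/:]+)", url).group(1), "when": when}


MON_LUNCH = datetime(2012, 9, 24, 13, 0)   # Monday, inside the 12:00-14:00 window
MON_PM = datetime(2012, 9, 24, 16, 30)     # Monday, outside it

if __name__ == "__main__":
    for label, req in [
        ("unrestricted host, filtered URL", request("172.16.64.10", "http://xxx.example.test/", MON_LUNCH)),
        ("no-porn host, filtered URL", request("172.16.64.11", "http://xxx.example.test/", MON_LUNCH)),
        ("director, facebook at lunch", request("172.16.64.21", "http://www.facebook.com/", MON_LUNCH)),
        ("director, facebook at 16:30", request("172.16.64.21", "http://www.facebook.com/", MON_PM)),
        ("dept head, youtube at lunch", request("172.16.64.30", "http://www.youtube.com/watch", MON_LUNCH)),
        ("unlisted host", request("172.16.64.200", "http://www.example.com/", MON_PM)),
    ]:
        print(label, "->", evaluate(RULES, ACLS, req))
```

Running it shows the deciding line for each case: a host on the unrestricted list reaches a URL the `bad` regex would catch because its allow sits above `deny bad`, the same URL from the no-porn list stops at line 1, and a dept_heads_pms host gets YouTube during the 12:00-14:00 window because `allow utube utube_time` comes before the later `deny utube`. To check the real file rather than this model, `squid -k parse` validates the syntax, and the decisions can be confirmed from the access.log TCP_DENIED entries.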
