Re: Slow Squid 2.6 Server

[Amos Jeffries <squid3@xxxxxxxxxxxxx>]

On 25.09.2012 00:25, Art Bermas wrote:
> Hello Everyone,
>
> I've been experiencing a slow proxy on my second Squid box even
> though its general configuration is the same as my first Squid box,
> except of course for the IP. See below for details:
>
> Squid Box 1 - Connected to a 3Mbps DSL. Used by majority of users for
> internet browsing. Running on CentOS 5.8 with iptables configured.
> IPtables preroute http requests to 3128. Hardware Intel C2Duo 1.86Ghz
> 8GB RAM
>
> #SQUID BOX 1 CONFIGURATION
> http_port 3128 transparent
> cache_mem 50 MB
> cache_dir ufs /var/spool/squid 500 16 256
> maximum_object_size 1 MB
> access_log /var/log/squid/access.log
> cache_log /var/log/squid/cache.log
> cache_store_log /var/log/squid/store.log
> ftp_passive on
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
>
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern .               0       20%     4320
> request_body_max_size 4 MB
> dns_nameservers x.x.x.x x.x.x.x
>
>
> #Recommended minimum configuration:
> acl ftp proto FTP
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 83          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
> always_direct allow FTP
>
> #Recommended minimum configuration:
>
> #
> # Only allow cachemgr access from localhost
> http_access allow manager localhost
> http_access deny manager
>
> # Deny requests to unknown ports
> http_access deny !Safe_ports
>
>
> # Deny CONNECT to other than SSL ports
> http_access deny CONNECT !SSL_ports
> #
>
> acl walang_bawal src "/etc/squid/no_restrictions"
> acl no_restrictions_but_no_porn src 
> "/etc/squid/no_restrictions_but_no_porn"
> acl mga_direktor src "/etc/squid/directors"
> acl dept_heads_pms src "/etc/squid/dept_heads_pms"
>
> acl neo src 172.16.64.50 # neo
> #
> #3D CGI
> acl cgi002 src 172.16.64.177 # Mark
> acl cgi003 src 172.16.64.93 # Czy
> acl cgi004 src 172.16.64.92 # Amabel
> acl cgi006 src 172.16.64.91 # Archie
> acl cgi009 src 172.16.64.94 # Idol
> acl tca001 src 172.16.64.96 # Allan
> acl tca002 src 172.16.64.184 # Anthony
> acl cgi019 src 172.16.64.214 # Animator
> acl cgi007 src 172.16.64.179 # CGI
>
> acl redondo3d src 172.16.64.207 #Mac Avid1 Chrysler
> acl mac-g5 src 172.16.64.206 #Avid 2
> acl sicily src 172.16.64.199 #retakes dept Jeff Gongon
> acl missouri src 172.16.65.248 #Mitch
> acl iriga src 172.16.65.188 #Mitch
> acl calbayog src 172.16.65.171 #Reception
>
> # ANG AMING PATAKARAN
> acl business_hours time M T W H F A S 9:00-19:00
> acl business_hours_MF time M T W H F 10:00-19:00
> acl am_hours time M T W H F 00:00-05:00
> acl pm_hours time M T W H F 15:00-17:00
> acl facebook_time time M T W H F A S 12:00-14:00
> acl utube_time time M T W H F A S 12:00-14:00
> acl bad url_regex -i "/etc/squid/restrict-url.acl"
> acl facebk dstdomain .facebook.com
> acl utube dstdomain .youtube.com
> acl bawal dstdom_regex "/etc/squid/bawal.list"
> #acl goodsites dstdomain "/etc/squid/goodsites.acl"
>
> #### THE ACCESS #####
> #
> #
> # WALA ITONG KAHIT NA ANONG RESTRICTIONS
> http_access allow walang_bawal
> http_access allow neo business_hours
>
> # HETO ANG BAWAL LANG EH HUBAD
> http_access deny bad
>
> http_access allow no_restrictions_but_no_porn
>
> http_access allow calbayog pm_hours
> # DITO CONTROLLED ANG FACEBOOK PERO MAY YOUTUBE LAGI
> http_access allow facebk facebook_time
> http_access deny facebk
> http_access deny CONNECT SSL_ports facebk
>
> # DITO ANG MGA DIRECTOR
> http_access deny bawal
> http_access deny CONNECT SSL_ports bawal
> http_access allow mga_direktor
> # 3D-CGI
> http_access allow tca001
> http_access allow tca002
> http_access allow cgi002
> http_access allow cgi003
> http_access allow cgi004
> http_access allow cgi006
> http_access allow cgi009
> http_access allow cgi019
> http_access allow cgi007
>
> # DITO MAY ORAS ANG YOUTUBE
> http_access allow utube utube_time
> http_access deny utube
> http_access deny CONNECT SSL_ports utube
>
> # DITO WALA TALAGANG YOUTUBE,FACEBOOK ETC. ETC.
> http_access deny utube
> http_access deny CONNECT SSL_ports utube
> http_access allow dept_heads_pms
>
> http_access allow redondo3d facebook_time
> http_access allow mac-g5 facebook_time
> http_access allow sicily facebook_time
> http_access allow missouri business_hours
> http_access allow iriga business_hours
>
>
> # And finally deny all other access to this proxy
> http_access allow localhost
> http_access deny CONNECT SSL_ports
> http_access deny all
>
> logfile_rotate 0
> ssl_unclean_shutdown on
> allow_underscore on
> shutdown_lifetime 30 seconds
> visible_hostname TOONCITY_Technology_Department
> cache_mgr technology@xxxxxxxxxxxxxxxxxxxxx
> coredump_dir /var/spool/squid
> always_direct allow FTP
> ftp_sanitycheck off
>
> Squid Box 2 - Connected to a 6Mbps lease line. Used by the powers
> that be for internet browsing. Running on CentOS 5.8 with iptables
> configured. IPtables preroute http requests to 3128. Hardware Intel 
> P4
> 3.00Ghz 2GB RAM
>
> #SQUID BOX 2 CONFIGURATION
> http_port 3128 transparent
> cache_mem 50 MB
> cache_dir ufs /var/spool/squid 500 16 256
> maximum_object_size 1 MB
> access_log /var/log/squid/access.log
> cache_log /var/log/squid/cache.log
> cache_store_log /var/log/squid/store.log

cache_store_log is not very useful. Unless you are using the log for 
analysis you can set this to "cache_store_log none" and save yourself a 
lot of disk I/O.


> ftp_passive on
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
>
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern .               0       20%     4320
> request_body_max_size 4 MB
> dns_nameservers x.x.x.x x.x.x.x
>
>
> #Recommended minimum configuration:
> acl ftp proto FTP
> acl all src 0.0.0.0/0.0.0.0

acl all src all

> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 83          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
> always_direct allow FTP
>
> #Recommended minimum configuration:
>
> #
> # Only allow cachemgr access from localhost
> http_access allow manager localhost
> http_access deny manager
>
> # Deny requests to unknown ports
> http_access deny !Safe_ports
>
>
> # Deny CONNECT to other than SSL ports
> http_access deny CONNECT !SSL_ports
> #
>
> #ACL'S
>
> acl tabaco2 src 172.16.64.46
> acl daraga src 172.16.64.61
> acl finance src 172.16.64.62
> acl hr04 src 172.16.64.68
>
> #ACCESS LIST
>
> http_access allow tabaco2
> http_access allow daraga
> http_access allow finance
> http_access allow hr04

The above ACLs are all "src" type. You can compact this config down to:


 acl foo src 172.16.64.46 # tabaco2
 acl foo src 172.16.64.61 # draga
 acl foo src 172.16.64.62 # finance
 acl foo src 172.16.64.68 # hr04

 http_access allow foo

> # And finally deny all other access to this proxy
> http_access allow localhost
> http_access deny CONNECT SSL_ports
> http_access deny all
>
> logfile_rotate 0
> ssl_unclean_shutdown on
> allow_underscore on
> shutdown_lifetime 30 seconds
> visible_hostname TOONCITY_Technology_Department
> cache_mgr technology@xxxxxxxxxxxxxxxxxxxxx
> coredump_dir /var/spool/squid
> always_direct allow FTP
> ftp_sanitycheck off

always_direct is only useful with cache_peer or accelerator 
configurations.
You can remove the "always_direct allow FTP" lines.

> As you can see from the listed configs that both Squid boxes have
> "almost" the same general configuration.
>
> Squid Box 1 is performing fine with no hassle at all.
>
> Squid Box 2 will perform normally for a few hours and starts to slow
> down. I get "zero sized reply" from time to time.


Sounds familiar. Please upgrade, 2.6 has been obsolete for almost 5 
years now, the current release of Squid is 3.2.1.

> The users/hosts listed on Squid Box 2 used to connect thru Squid Box
> 1 with no problem at all. I transferred them to Squid Box 2 over the
> weekend and I noticed the problem today.
>
> After going thru the logs and testing several configuration on Squid
> Box 2, there is still no improvement.
>
> Could it be the hardware? No disk errors on both boxes.

Possibly, or DNS lag, or PMTU issues, or Buffer Bloat (I recommend 
looking it up if you are not already aware), or HTTP/1.1 features not 
supported by 2.6.

Amos