On 19/06/14 18:57, Eliezer Croitoru wrote:
OK and what about the squid.conf?
I have not seen one until now and it seems to me kind of important...
I do know about systems that do not get 100% cpu and it's weird that
we have a couple of guys having the issue while others do not.
Thanks,
Eliezer
FYI, config attached.
The same config works without CPU spikes in 3.3.
Alex
# NOTE(review): these two deny_info lines name ACLs that are only defined much
# further down (acl all_disallowed / acl all_disallowed2), and the same two
# lines are repeated right after those definitions. Whether this early pair is
# accepted or reported as an unknown ACL should be checked with
# `squid -k parse` - TODO confirm.
deny_info TCP_RESET all_disallowed
deny_info TCP_RESET all_disallowed2
# Proxy authentication: both schemes are delegated to Samba's ntlm_auth helper.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 100 startup=30 idle=20
# Basic scheme: the client sends the password base64-encoded, not encrypted.
# The listener in this file is a plain http_port, so the client-to-proxy hop
# carries directory credentials in recoverable form for any client that
# falls back from NTLM to Basic.
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 30
auth_param basic realm Squid proxy-caching web server
# Validated Basic credentials are reused for 2 hours before the helper is
# asked again, so a password change or account lock-out can take that long to
# be noticed by the proxy.
auth_param basic credentialsttl 2 hours
# Group-membership lookup used by every "external nt_group" ACL in this file.
# %LOGIN means the lookup needs an authenticated user name; results are cached
# for 20 seconds (ttl=20) and up to 70 helper processes may be started.
external_acl_type nt_group ttl=20 children-startup=10 children-max=70 children-idle=10 %LOGIN /usr/lib/squid3/ext_wbinfo_group_acl
# Source/destination address and port ACLs.
# NOTE(review): recent Squid 3.x releases predefine localhost and to_localhost;
# presumably these two lines were carried over from an older config - confirm
# they do not trigger redefinition warnings on the version in use.
acl localhost src 127.0.0.1/32 ::1
# to_localhost is defined but no http_access rule in this listing references
# it. The stock squid.conf suggests "http_access deny to_localhost" to keep
# clients from reaching services bound to the proxy host's own loopback.
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
# localnet is likewise defined here but not referenced by any rule visible in
# this listing.
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
# Subnets that are let through by "http_access allow noauthnets" before the
# authentication check. Membership is decided by source IP address only.
acl noauthnets src 192.168.20.0/24
acl noauthnets src 192.168.55.0/24
acl noauthnets src 172.17.10.0/24
acl noauthnets src 172.17.21.0/24
# Ports to which CONNECT tunnels are permitted (see "deny CONNECT !SSL_ports").
acl SSL_ports port 443
# Destination ports considered acceptable for ordinary requests.
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Identity-based ACLs. "external nt_group" entries ask the nt_group helper
# whether the authenticated user belongs to one of the groups listed in the
# quoted file; "proxy_auth" entries match literal user names.
acl slowweb external nt_group "/etc/squid3/acls/slow_web"
acl zof proxy_auth MY_NET\bob MY_NET\alice
acl nointernet external nt_group "/etc/squid3/acls/nointernet"
acl important_groups external nt_group "/etc/squid3/acls/important"
acl facebook_allowed_groups external nt_group "/etc/squid3/acls/facebook_allowed"
acl youtube_allowed_groups external nt_group "/etc/squid3/acls/youtube_allowed"
acl hr external nt_group "/etc/squid3/acls/hr"
acl marketing external nt_group "/etc/squid3/acls/marketing"
acl fastweb external nt_group "/etc/squid3/acls/fast"
acl root proxy_auth root
acl noweb proxy_auth cnt
# Destination-domain ACLs. A leading dot matches the domain and its subdomains.
acl safebrowsing dstdomain .sb.google.com
acl gotomeeting dstdomain .gotomeeting.com
acl gotomeetingers proxy_auth abc
acl complete_block dstdomain swupmf.adobe.com
acl complete_block dstdomain .adtech.de
acl complete_block dstdomain .zorpia.com
acl youtube_urls dstdomain .youtube.com
# Unanchored, case-insensitive regex: it matches any URL that contains the
# string "youtube" anywhere (host, path or query), not only YouTube itself.
# It is used in "http_access allow" rules, so it widens what those rules
# permit; youtube_urls above is the host-scoped equivalent.
acl youtube_regex url_regex -i youtube
acl facebook_urls dstdomain .facebook.com
acl wikipedia_urls dstdomain .wikipedia.org
acl social_media dstdomain .facebook.com
acl social_media dstdomain .twitter.com
# NOTE(review): the other proxy_auth ACLs in this file use DOMAIN\user. Here a
# space separates the two words, so Squid reads two separate user names,
# "MY_NET" and "eve". This may be an artefact of anonymising the config for
# the list - confirm against the live file.
acl apb proxy_auth MY_NET eve
acl apbtwitter dstdomain .twitter.com
# Destinations exempted from SSL bumping (consumed by "ssl_bump none nobump").
# Connections to these hosts are tunnelled without being decrypted, so the
# proxy sees only the CONNECT host and port for them; path-based rules in this
# file (url_regex with a path, urlpath_regex) cannot apply to their content.
# Every other HTTPS destination is decrypted by "ssl_bump server-first all".
acl nobump dstdomain .cipd.co.uk
acl nobump dstdomain .alphaterminal.com
acl nobump dstdomain .arbuthnot.co.uk
acl nobump dstdomain .rbs.com
acl nobump dstdomain .rbs.co.uk
acl nobump dstdomain .bacs.co.uk
# IP literals in a dstdomain ACL: presumably meant for clients that CONNECT to
# the address rather than a host name - confirm.
acl nobump dstdomain 194.61.123.9
acl nobump dstdomain 195.35.124.172
acl nobump dstdomain .emx.co.uk
acl nobump dstdomain .mandg.co.uk
acl nobump dstdomain .insightinvestmentonline.com
acl nobump dstdomain .7city.co.uk
acl nobump dstdomain .7citylearning.com
acl nobump dstdomain ips.ihost.com
acl nobump dstdomain .lloydstsb.com
acl nobump dstdomain .lloydslink.co.uk
acl nobump dstdomain .lloydsbank.com
acl nobump dstdomain .barclays.com
acl nobump dstdomain .financial-clarity.com
acl nobump dstdomain ras.santander.co.uk
acl nobump dstdomain .retail.santander.co.uk
acl nobump dstdomain .kellystore.co.uk
acl nobump dstdomain .bpp.com
acl nobump dstdomain .prepaycardservices.com
acl nobump dstdomain .bcs.org
acl nobump dstdomain .threadneedle.co.uk
acl nobump dstdomain .britishairways.com
acl nobump dstdomain .limpsfieldtennis.co.uk
acl nobump dstdomain .barclays-partnerfinance.com
acl nobump dstdomain .ntrs.com
acl nobump dstdomain .northerntrust.com
acl nobump dstdomain .ciregistry.gov.ky
acl nobump dstdomain .netbuilder.com
acl nobump dstdomain .nyxdata.com
acl nobump dstdomain .thompsontaraz.co.uk
acl nobump dstdomain .calastone.com
acl nobump dstdomain .citysprint.co.uk
acl nobump dstdomain .if5.com
acl nobump dstdomain .oscr.org.uk
acl nobump dstdomain .webex.com
acl nobump dstdomain .mintprice.com
acl nobump dstdomain .robertdyas.co.uk
acl nobump dstdomain .securefile.victorbuckservices.com
acl nobump dstdomain .shlsolutions.com
acl nobump dstdomain .asic.gov.au
acl nobump dstdomain .pretdelivers.com
# NOTE(review): this regex expects a full https:// URL with a path. At the
# point where ssl_bump is decided for a CONNECT request the proxy normally has
# only host:port, so this pattern is unlikely to match there; the
# "ips.ihost.com" dstdomain entry above already covers the host. The same
# line is repeated further down in this list. TODO confirm whether it has any
# effect.
acl nobump_regex url_regex -i ^https://ips\.ihost\.com/hpp/checkout\.hpp
acl nobump dstdomain .i-l-m.com
acl nobump dstdomain .slc.co.uk
acl nobump dstdomain .jpmorgan.com
acl nobump dstdomain .nasdaqomxnordic.com
acl nobump dstdomain .ifdsgroup.co.uk
acl nobump dstdomain .privatepost.net
acl nobump dstdomain .myprivatepost.com
acl nobump dstdomain .oppassessment.eu.com
# Very broad entry: every host under gov.uk is exempt from bumping. It also
# makes the more specific .gateway.gov.uk and .autoenrol.tpr.gov.uk entries
# below redundant.
acl nobump dstdomain .gov.uk
acl nobump dstdomain .ics.bnymellon.com
acl nobump dstdomain .pass.sochi2014.com
acl nobump dstdomain .mobility.telus.com
acl nobump dstdomain .thetrainline.com
acl nobump dstdomain .book.statravel.co.uk
acl nobump dstdomain .bupa.co.uk
acl nobump dstdomain .gateway.gov.uk
acl nobump dstdomain .contactlenses.co.uk
acl nobump dstdomain .autoenrol.tpr.gov.uk
acl nobump dstdomain .eurostar.com
acl nobump dstdomain .secure.webtogs.co.uk
acl nobump dstdomain .irisixbrl.co.uk
acl nobump dstdomain .aston-csm.symplicity.com
acl nobump dstdomain .securemail.blackrock.com
acl nobump dstdomain .everycloud.eu
acl nobump dstdomain .evisa.gov.tr
acl nobump dstdomain .uk.finance.yahoo.com
# Duplicate of the nobump_regex line earlier in this list.
acl nobump_regex url_regex -i ^https://ips\.ihost\.com/hpp/checkout\.hpp
acl nobump dstdomain .linkmarketservices.com
acl nobump dstdomain .linkmarketservices.com.au
acl nobump dstdomain .britishgas.co.uk
acl nobump dstdomain .solarwinds.adaptplc.com
acl nobump dstdomain .help.skyscanner.net
acl nobump dstdomain .zplatform.co.uk
acl nobump dstdomain .citymothers.co.uk
acl nobump dstdomain .objectmastery.net
acl nobump dstdomain .goliathreservations.com
acl nobump dstdomain .patronbase.com
# Destinations placed in delay pool 1 by "delay_access 1 allow fasturls".
acl fasturls dstdomain .calastone.co.uk
acl fasturls dstdomain .calastone.com
acl fasturls dstdomain .speedtest.net
acl fasturls dstdomain .netbuilder.com
acl fasturls dstdomain .nasdaqomxnordic.com
# Matches any request that carries valid proxy credentials; used as the
# authentication gate in "http_access deny !AuthorizedUsers".
acl AuthorizedUsers proxy_auth REQUIRED
# Site-wide block lists, loaded from files: one by destination domain, one by
# case-insensitive URL regex.
acl all_disallowed dstdomain "/etc/squid3/acls/all_disallowed"
acl all_disallowed2 url_regex -i "/etc/squid3/acls/all_disallowed2"
# Requests denied by a rule ending in these ACLs get a TCP reset instead of an
# error page. The same two lines also appear at the very top of the file,
# before the ACLs are defined.
deny_info TCP_RESET all_disallowed
deny_info TCP_RESET all_disallowed2
# Used by "cache deny dontusecache" to keep these responses out of the cache.
acl dontusecache url_regex -i bcol.barclaycard.co.uk/.*\.do
# Exceptions that "http_access allow exceptions_to_block" lets through ahead
# of every block list and port check. Both patterns are unanchored, so they
# match the text anywhere in a URL, not only on the intended host; pairing
# them with a dstdomain ACL (or anchoring on scheme and host) would keep the
# exception as narrow as it reads.
acl exceptions_to_block url_regex -i twitter\.com/transact
acl exceptions_to_block url_regex -i accounts\.google\.com/.*youtube
# skyproducts is defined but not referenced by any rule visible in this listing.
acl skyproducts url_regex -i mysky.sky.com/portal/site/skycom/skyproducts
# Job sites restricted to the hr group ("allow hr_only hr" / "deny hr_only").
acl hr_only dstdomain .cityjobs.com
acl hr_only dstdomain .monster.co.uk
acl hr_only dstdomain .jobsearch.co.uk
# Destinations and URL keywords that are throttled via delay pool 2.
acl slowurls dstdomain skysports.com
acl slowregex url_regex -i worldcup
acl slowregex url_regex -i world_cup
acl slowregex url_regex -i world-cup
acl slowregex url_regex -i football
# Reply content types for streaming media. rep_mime_type is evaluated against
# the response; no rule in this listing references streaming_media (only the
# request-side streaming_media2 below is used, in delay_access).
acl streaming_media rep_mime_type ^application/vnd.ms.wms-hdr.asfv1
acl streaming_media rep_mime_type ^application/x-fcs
acl streaming_media rep_mime_type ^application/x-mms-framed
acl streaming_media rep_mime_type ^video/x-ms-asf
acl streaming_media rep_mime_type ^audio/mpeg
acl streaming_media rep_mime_type ^audio/x-scpls
acl streaming_media rep_mime_type ^video/x-flv
acl streaming_media rep_mime_type ^video/mpeg4
acl streaming_media2 req_mime_type ^application/x-fcs
# workflow and workflow_disallowed are defined but not referenced by any rule
# visible in this listing.
acl workflow external nt_group "/etc/squid3/acls/workflow"
acl workflow_disallowed dstdomain .myspace.com
acl workflow_disallowed dstdomain .addictinggames.com
acl workflow_disallowed dstdomain .facebook.com
acl workflow_disallowed dstdomain .funny-games.biz
# Instant-messenger login/update hosts, denied by "http_access deny AOL-YAHOO-MESSENGER".
acl AOL-YAHOO-MESSENGER dstdomain login.oscar.aol.com
acl AOL-YAHOO-MESSENGER dstdomain pager.yahoo.com
acl AOL-YAHOO-MESSENGER dstdomain shttp.msg.yahoo.com
acl AOL-YAHOO-MESSENGER dstdomain update.messenger.yahoo.com
acl AOL-YAHOO-MESSENGER dstdomain update.pager.yahoo.com
# Destinations allowed for Internet Explorer clients ("allow ie IEOK2") and
# excluded from delay pool 2.
acl IEOK2 dstdomain "/etc/squid3/acls/IEOK2"
# test is defined but not referenced by any rule visible in this listing.
acl test dstdomain .cheese.com
# Two client addresses allowed to fetch otherwise blocked file types
# ("allow BADFILES FILESOK2"). Matching is by source IP only.
acl FILESOK2 src 192.168.20.226
acl FILESOK2 src 192.168.20.5
acl webex dstdomain .webex.com
acl webex dstdomain .webex.co.uk
# Hosts from which otherwise blocked file types may be downloaded
# ("allow BADFILES FILEHOSTSOK").
acl FILEHOSTSOK dstdomain .ifdsgroup.co.uk
acl FILEHOSTSOK dstdomain .fastrade.co.uk
acl FILEHOSTSOK dstdomain .cimaglobal.com
acl FILEHOSTSOK dstdomain .wins.co.uk
acl FILEHOSTSOK dstdomain .companieshouse.gov.uk
acl FILEHOSTSOK dstdomain .homeoffice.gov.uk
acl FILEHOSTSOK dstdomain .berr.gov.uk
acl FILEHOSTSOK dstdomain .hmrc.gov.uk
acl FILEHOSTSOK dstdomain .treasury.gov.uk
acl FILEHOSTSOK dstdomain .hm-treasury.gov.uk
acl FILEHOSTSOK dstdomain .rbsm.com
acl FILEHOSTSOK dstdomain .rbs.com
acl FILEHOSTSOK dstdomain .rbs.co.uk
acl FILEHOSTSOK dstdomain .bacs.co.uk
acl FILEHOSTSOK dstdomain .edw.morningstar.com
acl FILEHOSTSOK dstdomain .webex.com
acl FILEHOSTSOK dstdomain .webex.co.uk
acl FILEHOSTSOK dstdomain .albertesharp.com
acl FILEHOSTSOK dstdomain .int-comp.org
acl FILEHOSTSOK dstdomain .gov.im
acl FILEHOSTSOK dstdomain .blackboard.com
acl FILEHOSTSOK dstdomain .winterflood.com
acl FILEHOSTSOK dstdomain .barcap.com
acl FILEHOSTSOK dstdomain .insinger.com
acl FILEHOSTSOK dstdomain .ons.gov.uk
acl FILEHOSTSOK dstdomain .meteoram.com
acl FILEHOSTSOK dstdomain .londonstockexchange.com
acl FILEHOSTSOK dstdomain .euroclear.com
acl FILEHOSTSOK dstdomain .fca.org.uk
acl FILEHOSTSOK dstdomain .charitycommissionni.org.uk
acl FILEHOSTSOK dstdomain .thetakeoverpanel.org.uk
acl FILEHOSTSOK dstdomain .startpointinvestments.co.uk
acl FILEHOSTSOK dstdomain .xperthr.co.uk
acl FILEHOSTSOK dstdomain .citrixonline.com
acl FILEHOSTSOK dstdomain .citrixonlinecdn.com
# EBAY is defined but not referenced by any rule visible in this listing.
acl EBAY dstdomain .ebay.co.uk
acl EBAY dstdomain .ebay.com
# Regulator and compliance sites from which office documents may be fetched
# ("allow OFFICEFILES COMPLIANCE_FILES").
acl COMPLIANCE_FILES dstdomain .fsa.gov.uk
acl COMPLIANCE_FILES dstdomain .hm-treasury.gov.uk
acl COMPLIANCE_FILES dstdomain .bankofengland.co.uk
acl COMPLIANCE_FILES dstdomain .tcfinfo.co.uk
acl COMPLIANCE_FILES dstdomain .treas.gov
acl COMPLIANCE_FILES dstdomain .malpas.co.uk
acl COMPLIANCE_FILES dstdomain .mof.gov.cy
acl COMPLIANCE_FILES dstdomain .mlros.com
acl COMPLIANCE_FILES dstdomain .statistics.gov.uk
acl COMPLIANCE_FILES dstdomain .actuaries.org.uk
acl COMPLIANCE_FILES dstdomain .fsahandbook.info
# Matches on the User-Agent request header. The header is supplied by the
# client, so "ie" (and "Java" below) describe what a client claims to be; the
# allow rules that combine them with a group or destination should not be
# read as an identity check.
acl ie browser ^Mozilla/.*MSIE.*
acl msn_messenger req_mime_type -i ^application/x-msn-messenger$
acl ftp proto FTP
# FTP destinations open to all authenticated users ("allow ftp FTPDEST").
acl FTPDEST dstdomain ftp-direct.standardandpoors.com
acl FTPDEST dstdomain .financialexpress.net
acl FTPDEST dstdomain .corporatemailing.co.uk
acl FTPDEST dstdomain .lipper.reuters.com
acl FTPDEST dstdomain .companieshouse.gov.uk
# File-type filters: URL-path regexes loaded from files. They only see the
# path of requests the proxy can read, i.e. plain HTTP and bumped HTTPS, not
# tunnels to the nobump destinations.
acl BADFILES urlpath_regex -i "/etc/squid3/BLOCKEDFILES"
acl OFFICEFILES urlpath_regex -i "/etc/squid3/OFFICEFILES"
acl FILESOK proxy_auth MY_NET\bob MY_NET\eve MY_NET\joe
acl TEMPBLOCK proxy_auth tr2
# WORKDAY and webmail are defined but not referenced by any rule visible in
# this listing.
acl WORKDAY time 07:30-13:00 14:00-17:30
acl webmail dstdomain .yahoo.com
acl webmail dstdomain .hotmail.com
acl webmail dstdomain .google.com
acl webmail dstdomain .google.co.uk
acl Java browser Java/1.3 Java/1.4 Java/1.5 Java/1.6 Java/1.7
# Bandwidth shaping: three delay pools, checked in numeric order; a request is
# placed in the first pool whose delay_access list allows it.
# NOTE(review): slowweb, fastweb and important_groups are external (helper)
# ACLs. Squid documents delay_access as supporting fast ACL types only, so
# their result here presumably depends on an already cached lookup - confirm
# the pools behave as intended.
delay_pools 3
# Pool 1: one aggregate bucket shared by the "fast" groups, subnets and sites.
delay_class 1 1
delay_access 1 allow fastweb
delay_access 1 allow noauthnets
delay_access 1 allow fasturls
delay_access 1 deny all
delay_parameters 1 60000000/80000000
# Pool 2: class 4 (four restore/max pairs, the last one per authenticated
# user) for throttled groups, sites, keywords and streaming requests.
delay_class 2 4
delay_access 2 deny IEOK2
delay_access 2 allow slowweb
delay_access 2 allow slowurls
delay_access 2 allow slowregex
delay_access 2 allow streaming_media2 !fastweb !important_groups
delay_access 2 deny all
delay_parameters 2 256000/512000 256000/256000 128000/128000 96000/128000
# Pool 3: class 4 catch-all for everything not placed in pools 1 or 2.
delay_class 3 4
delay_access 3 allow all
delay_parameters 3 8000000/8000000 2000000/5000000 256000/512000 256000/512000
# Access policy. http_access rules are evaluated top to bottom and the first
# rule whose ACLs all match decides the request, so every "allow" below also
# skips all checks that come after it (block lists, Safe_ports, CONNECT port
# restriction, file-type filters).
http_access allow manager localhost
# Hosts in noauthnets are admitted here by source address alone: no
# authentication, and none of the later deny rules apply to them. That
# includes "deny manager" further down, so the cache manager is reachable
# from these subnets. Moving the Safe_ports, CONNECT and manager denials above
# this line would keep those baseline checks in force for them.
http_access allow noauthnets
# Authentication gate: everything below applies to authenticated users only.
http_access deny !AuthorizedUsers
# Allowed before any block list or port check; the ACL is an unanchored
# url_regex, so the exception is wider than the two sites it names.
http_access allow exceptions_to_block
http_access deny complete_block
# Per-group and per-user exemptions from the site-wide block lists.
http_access allow important_groups all_disallowed
http_access allow important_groups all_disallowed2
http_access allow zof all_disallowed
http_access allow zof all_disallowed2
http_access allow youtube_allowed_groups youtube_urls
http_access allow youtube_allowed_groups youtube_regex
http_access allow facebook_allowed_groups facebook_urls
http_access allow slowweb youtube_urls
http_access allow apb apbtwitter
http_access allow marketing social_media
http_access allow marketing youtube_urls
http_access allow marketing youtube_regex
http_access allow marketing wikipedia_urls
http_access deny all_disallowed
http_access deny all_disallowed2
# Cache-manager denial. It sits after the allow rules above, so it only
# protects against requests that none of them matched.
http_access deny manager
http_access allow localhost
http_access allow all safebrowsing
http_access deny nointernet
http_access allow all root
# Members of important_groups may reach ports outside Safe_ports. Because
# this allow precedes "deny CONNECT !SSL_ports", it also permits CONNECT
# tunnels to non-443 ports in that range for those users.
http_access allow important_groups !Safe_ports
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny noweb
# Rules keyed on the "ie" ACL depend on the client-supplied User-Agent header.
http_access allow ie gotomeetingers
http_access allow ie gotomeeting
http_access allow ie fastweb
http_access allow BADFILES fastweb
http_access deny TEMPBLOCK
http_access deny msn_messenger
http_access deny AOL-YAHOO-MESSENGER
http_access allow hr_only hr
http_access deny hr_only
http_access allow ie important_groups
http_access allow ie IEOK2
# File-type filtering: exemptions first, then the blanket denial.
http_access allow OFFICEFILES COMPLIANCE_FILES
http_access allow BADFILES FILESOK
http_access allow BADFILES FILESOK2
http_access allow BADFILES FILEHOSTSOK
http_access allow BADFILES important_groups
http_access deny BADFILES
# FTP: listed destinations for everyone, any destination for important_groups.
http_access allow ftp FTPDEST
http_access allow ftp important_groups
http_access deny ftp
http_access allow webex Java
# Default for authenticated users: allow whatever was not denied above.
http_access allow all AuthorizedUsers
# "cache" is a separate directive (not part of the http_access list): it
# keeps responses matching dontusecache out of the cache.
cache deny dontusecache
# Final catch-all. Any http_access line placed after this one can never match.
http_access deny all
http_reply_access allow all
# Answers ICP queries from any source. No icp_port line is visible in this
# listing, so this may have no effect if ICP is disabled - confirm; if ICP is
# in use, restrict this to the actual peer addresses.
icp_access allow all
cache_mgr foo@xxxxxxx
# NOTE(review): no "acl blockads" is defined anywhere in this listing, so this
# deny_info has nothing to attach to - presumably a leftover.
deny_info ERR_ACCESS_DENIED blockads
# Do not disclose the client's internal address to origin servers in
# X-Forwarded-For.
forwarded_for off
# Full query strings are kept in the access log. Combined with SSL bumping,
# this means query parameters of decrypted HTTPS requests (which can include
# session tokens or personal data) are written to the log; the log needs to be
# protected and retained accordingly.
strip_query_terms off
coredump_dir /var/spool/squid3
always_direct allow SSL_ports
# These three http_access lines come after "http_access deny all" above, so
# they are never reached; the effective manager and Safe_ports rules are the
# ones earlier in the list.
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
# Forward-proxy listener with SSL bumping: the proxy terminates client TLS
# using certificates it generates on the fly and signs with the CA in
# proxy.pem. No key= option is given, so that file presumably holds the CA
# private key as well; anyone who can read it can mint certificates trusted by
# every client that trusts this CA, so it should be readable only by the
# Squid user.
http_port 3128 sslBump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/proxy.pem
# Cipher list for the proxy-to-origin TLS connection, in OpenSSL syntax.
# NOTE(review): "ALL" minus COMPLEMENTOFDEFAULT still leaves whatever the
# linked OpenSSL build treats as default, which on older builds can include
# weak suites - check the result with `openssl ciphers` on the proxy host.
sslproxy_cipher ALL:!COMPLEMENTOFDEFAULT
# Bumping policy, first match wins: tunnel the nobump destinations untouched,
# decrypt everything else after contacting the origin server first.
ssl_bump none nobump
ssl_bump none nobump_regex
ssl_bump server-first all
# Accepts every origin-server certificate validation error (expired,
# untrusted issuer, wrong host name, ...) for all bumped connections. Because
# the browser only ever sees the proxy-generated certificate, users get no
# warning, and an impostor between the proxy and the origin would go
# unnoticed. Safer: drop this line or limit the allow to a short, named list
# of destinations with known-bad certificates.
sslproxy_cert_error allow all
# When the origin certificate does not match the requested host, the generated
# certificate is given the requested name as its CN, which also hides the
# mismatch from the client.
sslproxy_cert_adapt setCommonName ssl::certDomainMismatch
# Helper that generates and stores the per-host certificates (database in
# /var/lib/ssl_db, capped at 4MB).
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
# Cache sizing and replacement policy.
hierarchy_stoplist cgi-bin ?
cache_mem 4096 MB
maximum_object_size_in_memory 256 KB
memory_replacement_policy lru
cache_replacement_policy heap LFUDA
cache_dir aufs /var/spool/squid3 48000 128 128
maximum_object_size 32768 KB
debug_options ALL,1
ftp_user Squid@xxxxxxx
ftp_passive off
# Freshness rules: "regex min percent max", with min and max in minutes. The
# first matching pattern applies.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
# The next three rules keep matching objects for at least 260000 minutes
# (about 180 days) and use override-expire to ignore the origin's Expires
# header. For the third rule this covers installers, packages and archives
# (exe, deb, rpm, zip, ...): clients can keep receiving an old copy after the
# publisher has replaced it, which delays security updates fetched through
# the proxy.
refresh_pattern -i \.(gif|png|jpg|jpeg|ico|bmp)$ 260000 90% 260009 override-expire
refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv|mpg|wma|ogg|wmv|asx|asf)$ 260000 90% 260009 override-expire
refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff|pdf|uxx)$ 260000 90% 260009 override-expire
refresh_pattern -i doubleclick.net/.* 260000 90% 260009
refresh_pattern -i adserverplus.com/.* 260000 90% 260009
refresh_pattern -i yieldmanager.net/.* 260000 90% 260009
refresh_pattern -i yieldmanager.com/.* 260000 90% 260009
# NOTE(review): this pattern requires a literal "." immediately before
# "index", so it presumably does not match an ordinary ".../index.html" URL -
# confirm the intent.
refresh_pattern -i \.index.(html|htm)$ 1440 90% 40320
refresh_pattern -i \.(html|htm|css|js)$ 1440 90% 40320
# Dynamic content (cgi-bin or any URL with a query string) is never treated
# as fresh.
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
read_ahead_gap 64 KB
tcp_recv_bufsize 256000 bytes
dns_defnames on