Search squid archive

Re: Documentation for squidclient?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

W dniu 18.05.2017 o 14:48, erdosain9 pisze:
Hi.
Where i can find documentation for the opcion on squidclient, many of them
are self-explanatory but for example this:

[root@squid ~]# squidclient mgr:external_acl
HTTP/1.1 200 OK
Server: squid/3.5.20
Mime-Version: 1.0
Date: Thu, 18 May 2017 12:40:54 GMT
Content-Type: text/plain;charset=utf-8
Expires: Thu, 18 May 2017 12:40:54 GMT
Last-Modified: Thu, 18 May 2017 12:40:54 GMT
X-Cache: MISS from squid.xxxxxxx.lan
X-Cache-Lookup: MISS from squid.xxxxxxx.lan:3128
Connection: close

External ACL Statistics: i-full
Cache size: 13
program: /usr/lib64/squid/ext_kerberos_ldap_group_acl
number active: 5 of 5 (0 shutting down)
requests sent: 48
replies received: 48
queue length: 0
avg service time: 11 msec

   ID #	     FD	    PID	 # Requests	  # Replies	Flags	   Time	 Offset
Request
      6	     23	   2134	         48	         48	    	  0.011	      0	(none)
      7	     25	   2135	          0	          0	    	  0.000	      0	(none)
      8	     27	   2136	          0	          0	    	  0.000	      0	(none)
      9	     29	   2137	          0	          0	    	  0.000	      0	(none)
     10	     31	   2138	          0	          0	    	  0.000	      0	(none)

Flags key:

   B = BUSY
   W = WRITING
   C = CLOSING
   S = SHUTDOWN PENDING

External ACL Statistics: i-limitado
Cache size: 29
program: /usr/lib64/squid/ext_kerberos_ldap_group_acl
number active: 5 of 5 (0 shutting down)
requests sent: 110
replies received: 110
queue length: 0
avg service time: 101 msec

   ID #	     FD	    PID	 # Requests	  # Replies	Flags	   Time	 Offset
Request
     11	     33	   2139	        110	        110	    	  0.014	      0	(none)
     12	     35	   2140	          0	          0	    	  0.000	      0	(none)
     13	     37	   2141	          0	          0	    	  0.000	      0	(none)
     14	     39	   2142	          0	          0	    	  0.000	      0	(none)
     15	     41	   2143	          0	          0	    	  0.000	      0	(none)

Flags key:

   B = BUSY
   W = WRITING
   C = CLOSING
   S = SHUTDOWN PENDING

External ACL Statistics: i-sinlimite
Cache size: 51
program: /usr/lib64/squid/ext_kerberos_ldap_group_acl
number active: 5 of 5 (0 shutting down)
requests sent: 195
replies received: 195
queue length: 0
avg service time: -1441 msec

   ID #	     FD	    PID	 # Requests	  # Replies	Flags	   Time	 Offset
Request
     16	     43	   2144	        191	        191	    	  0.050	      0	(none)
     17	     45	   2145	          1	          1	    	  0.175	      0	(none)
     18	     47	   2146	          1	          1	    	  0.185	      0	(none)
     19	     49	   2147	          1	          1	    	  0.130	      0	(none)
     20	     51	   2148	          1	          1	    	  0.229	      0	(none)

Flags key:

   B = BUSY
   W = WRITING
   C = CLOSING
   S = SHUTDOWN PENDING

I know that i dont have any user in External ACL Statistics: i-sinlimite...
then why those statistics (with request and replies and 5 of 5).

Thanks to all




--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Documentation-for-squidclient-tp4682457.html
Sent from the Squid - Users mailing list archive at Nabble.com.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

As far as I remember, you have some ldap group-based ACLs in your config. If any user is trying to access site listed in that kind of ACL, this helper is checking is user is in AD group that allows or disallows this action.

You may not have any user in i-sinlimite, but you DO HAVE this ACL, so squid will always  check that group and find out that the result is negative. If you have no users in this group and not going to have in near future, analyze your ACL logic and remove this rule from configuration - this will make squid faster for sure.

Your config is:

===begin conf sample===

http_access allow localhost
http_access allow i-sinlimite
http_access allow sin_autenticacion
http_access allow i-limitado #!dominios_denegados
http_access allow i-full #!dominios_denegados

# And finally deny all other access to this proxy
http_access deny all

===end===
You have no user in this group, yet since it is the first rule, EVERY user has to be checked is he/she in i-sinlimite@xxxxxxxxxxx group. What for, if group is not used? And it is not used in delay_class either. 
When squid knows that user is not allowed by i-sinlimite, next rule (sin_autenticacion) is launched, but this is different, list-based ACL, don't now what is on the list - my guess is that's the list of sites that does not require an authentication. If so, it makes no sense - that kind of rule should be above any ACL that requires authentication. 
So, most users will access most sites by rule i-limitado, but before, any user has to be checked by i-sinlimite. Makes no sense, really.
Second thing is that most of these ACLs are doing nothing, since your allow everything (!negation is disabled by # sign). Save some RAM consumed by helpers and reorganize your config.

Stats for i-sinlimite look good, although avg service time: -1441 msec is wrong (don't know why). Since that rule affects every user, delay caused by this hepler is added to every user's connection. As long as requests sent = recieved, there is no disaster anyway - users can browse The internet. Once more, remove that ACL and disable hepler.

IMHO you should build a test squid and do some practical learning how things work.

PS. Post your squid.conf every time; I rememer it from different thread, someone else may not.

-- 
Greets, Dijx

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux