Using squid 4.0.24 on openwrt, I see it grabbing significant amount of additional RAM after short period of activity, although I tried to downsize squid as much as possible. Any suggestion for further significant reduction of mem requirements after startup, or why is there such a growth (> 10MB) after short period of time ? Initial mem requirements OK, but then the huge increase in size afterwards it not appreciated. (Don't need caching at all. Compiled without IPv6) First the (anon) squid.conf: acl localnet src 192.168.182.0/24 acl ssl_ports port 443 acl safe_ports port 80 acl safe_ports port 443 acl safe_ports port 3128 acl connect method connect http_access deny !safe_ports http_access deny connect !ssl_ports acl acl1 url_regex -i .*/string1$ acl acl2 url_regex -i .*/string2$ acl acl3 url_regex -i .*/string3$ external_acl_type check_test ttl=0 cache=0 %SRC /etc/squid/check_test.sh external_acl_type check_test_2 ttl=30 negative_ttl=3 cache=32 %SRC /etc/squid/check_test_2.sh acl check_2 check_test_2 acl check external check_test http_access deny acl1 check http_access deny acl2 check http_access deny acl3 check http_access allow localnet http_access allow localhost http_access deny all cache deny all access_log none cache_log /var/log/squid/cache.log cache_store_log stdio:/dev/null logfile_rotate 0 logfile_daemon /dev/null http_port 3128 http_port 8888 intercept https_port 4443 intercept ssl-bump cert=/etc/squid/ssl_cert/myCA.pem \ generate-host-certificates=off dynamic_cert_mem_cache_size=1MB sslflags=NO_DEFAULT_CA acl step1 at_step SslBump1 ssl_bump peek step1 all acl sni_block ssl::server_name .a.com acl sni_block ssl::server_name .b.com acl sni_block ssl::server_name .c.com ssl_bump terminate !check_2 sni_block check ssl_bump splice all cache_mem 0 MB shutdown_lifetime 10 seconds httpd_suppress_version_string on dns_v4_first on forwarded_for delete via off reply_header_access Cache deny all client_idle_pconn_timeout 1 minute server_idle_pconn_timeout 5 minute memory_pools off ipcache_size 128 fqdncache_size 128 reply_header_access Alternate-Protocol deny all reply_header_access alternate-protocol deny all reply_header_access alt-svc deny all pinger_enable off digest_generation off netdb_filename none dns_nameservers 127.0.0.1 reply_body_max_size 4 MB Now mem requirements for kid-1, shortly after boot: cat /proc/1447/status Name: squid Umask: 0027 State: S (sleeping) Tgid: 1447 Ngid: 0 Pid: 1447 PPid: 1444 TracerPid: 0 Uid: 0 65534 0 65534 Gid: 65534 65534 65534 65534 FDSize: 32 Groups: 65534 VmPeak: 15836 kB <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< VmSize: 15836 kB VmLck: 0 kB VmPin: 0 kB VmHWM: 11324 kB VmRSS: 11324 kB RssAnon: 4596 kB RssFile: 6660 kB RssShmem: 68 kB VmData: 5708 kB <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< VmStk: 132 kB VmExe: 3744 kB VmLib: 4196 kB VmPTE: 28 kB VmPMD: 0 kB VmSwap: 0 kB Threads: 1 SigQ: 0/977 SigPnd: 00000000000000000000000000000000 ShdPnd: 00000000000000000000000000000000 SigBlk: 00000000000000000000000000000000 SigIgn: 00000000000000000000000000001004 SigCgt: 0000000000000000000000000203c603 CapInh: 0000000000000000 CapPrm: 0000003fffffffff CapEff: 0000000000000400 CapBnd: 0000003fffffffff CapAmb: 0000000000000000 NoNewPrivs: 0 Speculation_Store_Bypass: unknown Cpus_allowed: 1 Cpus_allowed_list: 0 voluntary_ctxt_switches: 275 nonvoluntary_ctxt_switches: 100 #1h later, after some usage: cat /proc/1447/status Name: squid Umask: 0027 State: S (sleeping) Tgid: 1447 Ngid: 0 Pid: 1447 PPid: 1444 TracerPid: 0 Uid: 0 65534 0 65534 Gid: 65534 65534 65534 65534 FDSize: 512 Groups: 65534 VmPeak: 28844 kB <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< VmSize: 28844 kB VmLck: 0 kB VmPin: 0 kB VmHWM: 23064 kB VmRSS: 23064 kB RssAnon: 15856 kB RssFile: 7140 kB RssShmem: 68 kB VmData: 18716 kB <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< VmStk: 132 kB VmExe: 3744 kB VmLib: 4196 kB VmPTE: 40 kB VmPMD: 0 kB VmSwap: 0 kB Threads: 1 SigQ: 0/977 SigPnd: 00000000000000000000000000000000 ShdPnd: 00000000000000000000000000000000 SigBlk: 00000000000000000000000000000000 SigIgn: 00000000000000000000000000001004 SigCgt: 0000000000000000000000000203c603 CapInh: 0000000000000000 CapPrm: 0000003fffffffff CapEff: 0000000000000400 CapBnd: 0000003fffffffff CapAmb: 0000000000000000 NoNewPrivs: 0 Speculation_Store_Bypass: unknown Cpus_allowed: 1 Cpus_allowed_list: 0 voluntary_ctxt_switches: 16501 nonvoluntary_ctxt_switches: 9636 I get quite a lot of messages in cache.log: 2018/10/09 12:38:49 kid1| ALE missing adapted HttpRequest object 2018/10/09 12:38:49 kid1| ALE missing URL 2018/10/09 12:38:49 kid1| ALE missing adapted HttpRequest object 2018/10/09 12:40:18 kid1| SECURITY ALERT: Host header forgery detected on local=212.95.165.32:443 remote=192.168.182.3:51304 FD 36 flags=33 (local IP does not match any domain IP) 2018/10/09 12:40:18 kid1| SECURITY ALERT: on URL: b.scorecardresearch.com:443 2018/10/09 12:40:28 kid1| SECURITY ALERT: Host header forgery detected on local=104.193.83.156:443 remote=192.168.182.3:51400 FD 183 flags=33 (local IP does not match any domain IP) 2018/10/09 12:40:28 kid1| SECURITY ALERT: on URL: csm2waycm-atl.netmng.com:443 2018/10/09 12:40:28 kid1| SECURITY ALERT: Host header forgery detected on local=104.193.83.156:443 remote=192.168.182.3:51402 FD 226 flags=33 (local IP does not match any domain IP) My guess is, that the "header forgery" might be caused be inconsistency between browsers DNS-cache, my clients DNS-cache (Win 7) and the DNS-cache on the device, running squid. As practically all these "header forgeries" are for ad-networks, I consider it only an annoyance.Or is it _not_ ? -- Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
