Re: Squid Proxy timing out 500/503 errors

[Amos Jeffries <squid3@xxxxxxxxxxxxx>]

On 6/03/24 07:23, M, Anitha (CSS) wrote:
> Hi team,
>
> We are using squid service deployed as a KVM VM on SLES 15 Sp5 os image.
>
> We are using squid. Rpm: *squid-5.7-150400.3.20.1.x86_64*
>
> **
>
> We are seeing too many 503 errors with this version of squid.
>
> This is the squid configuration file. Pls review it and let us know if 
> issues.

It appears that your configuration file consists of at least 2 different 
configuration files appended to each other.

Please start by running "squid -k parse" and fixing all the warnings it 
should produce.


> We are performing squid scale testing, where every secs there will be 
> 200+requests reaching the squid and squid is spitting out 500/503 errors.

FYI: you have restricted Squid to no more than 3200 filedescriptors. 
That is rather low. I recommend at least 64K.


> Squid.conf:
>
> gl-pcesreblr-squidproxy03:/var/log/squid # cat /etc/squid/squid.conf
> # Recommended minimum configuration:
> acl localnet src 172.28.1.0/24
> acl localnet src 172.28.4.0/24
> acl localnet src 172.28.0.0/24
> acl localnet src 172.28.0.12/32
> connect_timeout 120 seconds
> connect_retries 10
> #debug_options ALL,5
> #connect_retries_delay 5 seconds
> acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
> acl localnet src 10.0.0.0/8             # RFC 1918 local private network 
> (LAN)
> acl localnet src 100.64.0.0/10          # RFC 6598 shared address space 
> (CGN)
> acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly 
> plugged) machines
> acl localnet src 172.28.11.0/24
> #acl localnet src 172.16.0.0/12         # RFC 1918 local private network 
> (LAN)
> #acl localnet src 192.168.0.0/16                # RFC 1918 local private 
> network (LAN)
> #acl localnet src fc00::/7              # RFC 4193 local private network 
> range
> #acl localnet src fe80::/10             # RFC 4291 link-local (directly 
> plugged) machines
>
> acl blocksites url_regex "/etc/squid/blocksites"
> http_access deny blocksites
>
> debug_options ALL,7
>
> acl SSL_ports port 443
> acl SSL_ports port 8071
> acl SSL_ports port 11052
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl Safe_ports port 53          # pdns
> acl Safe_ports port 5300        # pdns
> acl Safe_ports port 123     #NTP
> acl Safe_ports port 8071
> acl Safe_ports port 11052       # pdns web server
> acl Safe_ports port 514         # rsyslog
> acl CONNECT method CONNECT
> acl SSL_ports port 8053
> acl Safe_ports port 8053
> acl SSL_ports port 3002
> acl Safe_ports port 3002
> acl SSL_ports port 3006
> acl Safe_ports port 3006
> acl SSL_ports port 8203
> acl Safe_ports port 8203
> acl SSL_ports port 8204
> acl Safe_ports port 8204
> acl SSL_ports port 8071
> acl Safe_ports port 8071
> acl Safe_ports port 8200
> acl SSL_ports port 8099
> acl Safe_ports port 8099
> tcp_outgoing_address 20.20.30.5
>
> #
> # Recommended minimum Access Permission configuration:
> #
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
>
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
>
> # Only allow cachemgr access from localhost
> http_access allow localhost manager
> http_access deny manager
>
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> #http_access deny to_localhost
>
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #

Please notice what the above line says.

> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow localnet
> http_access allow localhost
>
> # And finally deny all other access to this proxy
> #http_access deny all
> #http_access allow all
>
> cache_peer proxy-in.its.hpecorp.net parent 443 0 no-query no-delay default

... so a server listening for plain-text HTTP on port 443. That is a bit 
broken. At least consider enabling TLS/SSL on connections to this peer 
so Squid can send it HTTPS traffic.


> #cache_peer 16.242.46.11 parent 8080 0 no-query default
> #cache_peer 10.132.100.29 parent 3128 0 no-query default
>
> acl parent_proxy src all
> http_access allow parent_proxy

The above two lines are identical to:
  http_access allow all

... no http_access lines following this one will ever have any effects.

> never_direct allow parent_proxy

Likewise same as:
  never_direct allow all

... however you have always_direct rules later that override this.

> # Squid normally listens to port 3128
> http_port 3128
>
> # Leave coredumps in the first cache dir
> coredump_dir /var/cache/squid
>
> #
> # Add any of your own refresh_pattern entries above these.
> #
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320
>
> dns_nameservers 172.28.0.121 16.110.135.52
>
> max_filedescriptors 3200
> cache_dir ufs /var/cache/squid 8192 16 256
> cache_mem 2096 MB
> cache_swap_high 95
> cache_swap_low 90
> ftp_passive on
> maximum_object_size 4096 MB
> memory_replacement_policy lru
> minimum_object_size 0 KB

At this point your file just starts repeating rules, with different 
settings. Some of these replace the above settings, some append to the, 
and some have no effect due to earlier rules.


> # Recommended minimum configuration:
> acl localnet src 172.28.4.0/24
> acl localnet src 172.28.0.0/24
> acl localnet src 172.28.1.0/24 # OOBM Network outbound access
> #acl HOGAN dst hogan.nimblestorage.com
> acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 “this” network (LAN)
> acl blocksites url_regex “/etc/squid/blocksites”
> http_access deny blocksites
> acl SSL_ports port 443
> acl SSL_ports port 8071
> acl SSL_ports port 11052
> acl SSL_ports port 8200
> acl SSL_ports port 8282
> acl Safe_ports port 8282
> #acl HOGAN_port port 2222 # hogan.nimblestorage.com:2222 SSH support tunnel
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> acl localnet src 172.16.117.0/24
> http_access allow localnet
> http_access allow localhost
> #http_access allow HOGAN HOGAN_port
> acl localnet src 20.20.30.0/21
> acl parent_proxy_exclude dst 20.20.30.0/21
> acl parent_proxy_exclude_ST0100 dst 20.20.30.222/22
> always_direct allow parent_proxy_exclude_ST0100
> acl servicenet dst 172.28.4.0/24
> always_direct allow parent_proxy_exclude
> always_direct allow servicenet


HTH
Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users