On 6/03/24 07:23, M, Anitha (CSS) wrote:
Hi team,
We are using squid service deployed as a KVM VM on SLES 15 Sp5 os image.
We are using the squid RPM squid-5.7-150400.3.20.1.x86_64.
We are seeing too many 503 errors with this version of squid.
This is the squid configuration file. Please review it and let us know if
there are any issues.
It appears that your configuration file consists of at least 2 different
configuration files appended to each other.
Please start by running "squid -k parse" and fixing all the warnings it
should produce.
We are performing squid scale testing, where every second 200+ requests
reach squid, and squid is returning 500/503 errors.
FYI: you have restricted Squid to no more than 3200 filedescriptors.
That is rather low. I recommend at least 64K.
Squid.conf:
gl-pcesreblr-squidproxy03:/var/log/squid # cat /etc/squid/squid.conf
# Recommended minimum configuration:
# (first of the two configuration sections appended in this file; the
#  second, starting at the later "Recommended minimum configuration:"
#  header, repeats and partly overrides what is set here)
acl localnet src 172.28.1.0/24
acl localnet src 172.28.4.0/24
acl localnet src 172.28.0.0/24
acl localnet src 172.28.0.12/32
# NOTE(review): 120 s x 10 retries is up to ~20 min per failing upstream
# connect; at 200+ req/s each of those pending sockets holds a file
# descriptor (see max_filedescriptors further down), so consider lower
# values while load testing.
connect_timeout 120 seconds
connect_retries 10
#debug_options ALL,5
#connect_retries_delay 5 seconds
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.28.11.0/24
#acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
#acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
#acl localnet src fc00::/7 # RFC 4193 local private network range
#acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
# URL deny-list read from a file; it is evaluated before any allow rule.
acl blocksites url_regex "/etc/squid/blocksites"
http_access deny blocksites
# NOTE(review): ALL,7 is the most verbose debug level. At 200+ req/s the
# cache.log volume alone costs throughput, and the trace may include
# request/response details that are sensitive. Use it only for a short
# capture, then return to the default (ALL,1).
debug_options ALL,7
acl SSL_ports port 443
acl SSL_ports port 8071
acl SSL_ports port 11052
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 53 # pdns
acl Safe_ports port 5300 # pdns
acl Safe_ports port 123 #NTP
acl Safe_ports port 8071
acl Safe_ports port 11052 # pdns web server
acl Safe_ports port 514 # rsyslog
acl CONNECT method CONNECT
acl SSL_ports port 8053
acl Safe_ports port 8053
acl SSL_ports port 3002
acl Safe_ports port 3002
acl SSL_ports port 3006
acl Safe_ports port 3006
acl SSL_ports port 8203
acl Safe_ports port 8203
acl SSL_ports port 8204
acl Safe_ports port 8204
# NOTE(review): 8071 is already a member of both ACLs above; the
# duplicates are harmless but worth pruning for readability.
acl SSL_ports port 8071
acl Safe_ports port 8071
acl Safe_ports port 8200
acl SSL_ports port 8099
acl Safe_ports port 8099
tcp_outgoing_address 20.20.30.5
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
Please notice what the above line says.
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
# NOTE(review): both catch-all lines are commented out, so nothing here
# closes the rule set; the effective catch-all is the
# "http_access allow parent_proxy" (src all) rule that follows.
#http_access deny all
#http_access allow all
# NOTE(review): no "tls" option on this peer, so Squid sends plain HTTP to
# port 443 here (see the reply above); add "tls" if the peer expects TLS.
cache_peer proxy-in.its.hpecorp.net parent 443 0 no-query no-delay default
... so a server listening for plain-text HTTP on port 443. That is a bit
broken. At least consider enabling TLS/SSL on connections to this peer
so Squid can send it HTTPS traffic.
#cache_peer 16.242.46.11 parent 8080 0 no-query default
#cache_peer 10.132.100.29 parent 3128 0 no-query default
# NOTE(review): "src all" matches every client, so the allow below is an
# unconditional allow-all: any host that can reach http_port 3128 may use
# this proxy, and no later http_access rule is ever consulted. Restrict
# this to the intended client networks (or drop it and rely on localnet).
acl parent_proxy src all
http_access allow parent_proxy
The above two lines are identical to:
http_access allow all
... no http_access lines following this one will ever have any effect.
never_direct allow parent_proxy
Likewise same as:
never_direct allow all
... however you have always_direct rules later that override this.
# Squid normally listens to port 3128
http_port 3128
# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
dns_nameservers 172.28.0.121 16.110.135.52
# NOTE(review): 3200 descriptors is low for 200+ req/s (each client
# connection and each upstream connection consumes one); the reply above
# recommends at least 64K. Squid cannot exceed the process limit, so the
# service's ulimit -n (LimitNOFILE under systemd) must be raised as well.
max_filedescriptors 3200
# NOTE(review): ufs performs disk I/O synchronously in the main Squid
# process; under sustained load aufs or rock is usually preferred -- check
# which store types this build supports (squid -v).
cache_dir ufs /var/cache/squid 8192 16 256
# NOTE(review): 2096 is probably a typo for 2048 -- confirm.
cache_mem 2096 MB
cache_swap_high 95
cache_swap_low 90
ftp_passive on
# NOTE(review): a single 4096 MB object would occupy half of the 8192 MB
# cache_dir above; confirm this limit is intended.
maximum_object_size 4096 MB
memory_replacement_policy lru
minimum_object_size 0 KB
At this point your file just starts repeating rules, with different
settings. Some of these replace the above settings, some append to them,
and some have no effect due to earlier rules.
# Recommended minimum configuration:
# (second configuration section: these acl lines append further members to
#  the ACLs already defined above, while the http_access rules here are
#  never reached because the earlier "allow parent_proxy" (src all) rule
#  matches every request)
acl localnet src 172.28.4.0/24
acl localnet src 172.28.0.0/24
acl localnet src 172.28.1.0/24 # OOBM Network outbound access
#acl HOGAN dst hogan.nimblestorage.com
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 “this” network (LAN)
# NOTE(review): the curly quotes around the path (possibly introduced by
# mail formatting) are not the ASCII " that Squid expects; if they are
# really in the file, the value is read as a literal regex rather than a
# file name -- verify with "squid -k parse".
acl blocksites url_regex “/etc/squid/blocksites”
http_access deny blocksites
acl SSL_ports port 443
acl SSL_ports port 8071
acl SSL_ports port 11052
acl SSL_ports port 8200
acl SSL_ports port 8282
acl Safe_ports port 8282
#acl HOGAN_port port 2222 # hogan.nimblestorage.com:2222 SSH support tunnel
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
acl localnet src 172.16.117.0/24
http_access allow localnet
http_access allow localhost
#http_access allow HOGAN HOGAN_port
acl localnet src 20.20.30.0/21
acl parent_proxy_exclude dst 20.20.30.0/21
# NOTE(review): 20.20.30.222/22 is a host address with a /22 mask; Squid
# masks off the host bits (with a parse warning), giving 20.20.28.0/22,
# which already lies inside the 20.20.30.0/21 range above, so this ACL
# adds nothing. If a single host was intended, use 20.20.30.222/32.
acl parent_proxy_exclude_ST0100 dst 20.20.30.222/22
always_direct allow parent_proxy_exclude_ST0100
acl servicenet dst 172.28.4.0/24
# NOTE(review): always_direct is checked before never_direct, so requests
# to these destination ranges bypass the parent peer regardless of the
# "never_direct allow parent_proxy" rule above (see the reply).
always_direct allow parent_proxy_exclude
always_direct allow servicenet
HTH
Amos