Re: [squid-users] Squid Cache - hangs after a few minutes

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 13 Feb 2011 10:05:41 +1300

On 12/02/11 10:47, justin hyland wrote:
> I'm trying to get multiple squid servers to act as front-end web
> servers for my main central apache web server, here is my setup so
> far...

So far you have an unrestricted "open proxy". Not good. See below for fixes.

>
> I have changed the IP of the apache server that this sends traffic to,
> to 123.123.123.123, fyi
> Code:
>
> # egrep -v "^#" squid.conf | sed -e '/^$/d'
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8

Add:
   acl to_localhost dst 0.0.0.0/32

> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT

NP: Missing reverse proxy ACL and http_access rules indicating what
websites you are hosting.

http://wiki.squid-cache.org/ConfigExamples/Reverse/BasicAccelerator

Note the http_access rules and the extra-special mention that the
reverse-proxy stuff needs to be first in the config file before any of
these forward-proxy restrictions. Order is important.

> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow all

After placing the right accelerator http_access rules up above, this
"allow all" can be set back to the safe "deny all".

> icp_access allow all
> http_port 80 accel defaultsite=123.123.123.123 vhost
> cache_peer 123.123.123.123 parent 80 0 no-query originserver name=myAccel
> cache_peer_access myAccel allow all
> hierarchy_stoplist cgi-bin ?

Drop this hierarchy_stoplist for reverse proxies.

> cache_dir ufs /var/spool/squid 2000 16 256
> access_log /var/log/squid/access.log squid
> cache_log /var/log/squid/cache.log
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY

If you have 2.7 this QUERY stuff can be dropped.

> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440

Add right here:
    refresh_pattern -i (/cgi-bin/|\?) 0 0% 0

> refresh_pattern . 0 20% 4320
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> always_direct allow all

"always_direct allow all" overrides the one piece of security preventing
your Squid from being an open-proxy. Set the http_access correctly and
remove this or set it back to "always_direct deny all".

> coredump_dir /var/spool/squid
>
> This works wonders.. for about 4 minutes. Then the requests go from
> half a second per page load, to 5 to 10, then 30 or 40 seconds..,
> then it won't even process, the tail -f access_logs shows that it's not
> even hitting apache any longer on the central server, so it's like
> squid freezes up, any idea???

One of the main purposes of a reverse-proxy is to reduce load in the
backend, serving pages from the proxy cache instead. When this is
working the central Apache will not see many hits. Somewhere between 80%
and 100% of all traffic will "disappear" from the Apache log.

Look to the Squid access.log for a full record of actual visitors and
service times.

>
> I have turned off the firewall on the squid server as well as the
> central apache server, and still doesn't help much. I read through
> http://squidproxy.wordpress.com/2007...s-are-hanging/ and did all of
> it, to no avail.
>
> P.S. I doubt this is a connection issue between the servers, as the
> website WITH squid loads just as fast as apache for a few minutes,
> then slowly goes to a halt

With Squid-2 you will need to add this to your configuration file:
   never_direct 0 seconds

If the problem persists after all the above changes are made then
debugging why will start to be useful.

Luis mentioned the -X -N command line options that will produce a
full debug output to the terminal/screen stdout.
Alternatively just -X will leave that same trace in Squid's cache.log
for later analysis. Just watch the available disk space when doing it this way.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.11
   Beta testers wanted for 3.2.0.4
Received on Sat Feb 12 2011 - 21:05:50 MST
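
Added example (not part of the original message and not Squid project code): a small Python check that reads a squid.conf and flags the open-proxy conditions pointed out in the reply above, run against the directives from the quoted configuration and against a constructed corrected one. The ACL name `our_sites` and the hostname `www.example.com` are placeholders, and the finding strings are this example's own labels.

```python
# Constructed sample: the security-relevant directives from the quoted squid.conf.
QUOTED_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl Safe_ports port 80 # http
http_access deny !Safe_ports
http_access allow all
http_port 80 accel defaultsite=123.123.123.123 vhost
cache_peer 123.123.123.123 parent 80 0 no-query originserver name=myAccel
always_direct allow all
"""
# Constructed "after" config; our_sites and www.example.com are placeholders.
FIXED_CONF = """\
acl our_sites dstdomain www.example.com
http_access allow our_sites
http_access deny all
http_port 80 accel defaultsite=www.example.com vhost
cache_peer 123.123.123.123 parent 80 0 no-query originserver name=myAccel
"""

def parse(conf):
    """Return [(directive, [args])], dropping blank lines and # comments."""
    rules = []
    for line in conf.splitlines():
        words = line.split("#", 1)[0].split()
        if words:
            rules.append((words[0], words[1:]))
    return rules

def audit(conf):
    """Flag the open-proxy conditions pointed out in the reply above."""
    rules = parse(conf)
    acl_type = {a[0]: a[1] for d, a in rules if d == "acl" and len(a) > 1}
    accel = any(d == "http_port" and "accel" in a for d, a in rules)
    findings, site_allowed = [], False
    # http_access is first-match-wins, so walk the rules in file order.
    for d, a in rules:
        if d != "http_access" or len(a) < 2:
            continue
        if a[0] == "allow" and any(acl_type.get(n) == "dstdomain" for n in a[1:]):
            site_allowed = True
        if a[1:] == ["all"]:  # nothing after this rule is ever reached
            if a[0] == "allow":
                findings.append("http_access allow all")
            break
    if accel and not site_allowed:
        findings.append("accel port without dstdomain allow rule")
    if ("always_direct", ["allow", "all"]) in rules:
        findings.append("always_direct allow all")
    return findings

if __name__ == "__main__":
    for name, conf in (("quoted", QUOTED_CONF), ("fixed", FIXED_CONF)):
        print(name, audit(conf))
```

The check only inspects `acl`, `http_access`, `http_port` and `always_direct` lines, so it is a quick review aid for this specific misconfiguration rather than a full squid.conf validator.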
