Re: [squid-users] Memory issues

From: Go Wow <gowows_at_gmail.com>
Date: Mon, 27 Jun 2011 13:02:59 +0400

Please find below the link to the Excel file containing memory info from
squid cache manager.

https://www.yousendit.com/download/MFo3c0w5bTh0TW14dnc9PQ

Now my squid.conf looks like this, is this okay?

auth_param negotiate program /usr/lib/squid/squid_kerb_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive on
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 8
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic credentialsttl 4 hour
auth_param basic casesensitive off
auth_param basic children 7
auth_param basic realm DOMAIN
authenticate_cache_garbage_interval 10 seconds
authenticate_ttl 0 seconds
acl ad-auth proxy_auth REQUIRED
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl allow_localnet dst 192.168.100.0/24 192.168.18.0/24
acl allow_localdomain dstdomain .domain.com
acl local_net_dst dst 192.168.127.0/24
acl local_net_src src 192.168.137.0/24
acl Unsafe_Ports port 5050 843 5100 5101 5000-5010 9085
acl Unsafe_Ports port 1863
acl Unsafe_Ports port 5222
acl SSL_ports port 443
acl Safe_ports port 80 53 443 3268 88 5060 5061 5062 5075 5076 5077 50636 587 50389 58941 110 995 993 143 389 636 119 25 465 135 102 3000 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny Unsafe_Ports
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow allow_localnet
http_access allow allow_localdomain
http_access allow ad-auth
http_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
cache_dir aufs /var/squid/cache 128 16 256
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
redirect_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf
redirect_children 15
icp_access deny all
htcp_access deny all
cache_mem 128 MB
access_log /var/log/squid/access.log squid
icp_port 3130
pipeline_prefetch off
cache_mgr mail_at_domain.com
cachemgr_passwd password all
#delay_pools 2
#delay_class 1 4
#delay_class 2 4
#delay_access 1 allow local_net_src
#delay_access 2 allow local_net_dst
#delay_parameters 1 -1/-1 -1/-1 -1/-1 51200/51200
#delay_parameters 2 -1/-1 -1/-1 -1/-1 -1/-1
#delay_initial_bucket_level 75
httpd_suppress_version_string on
forwarded_for off
hosts_file /etc/hosts
cache_replacement_policy heap LFUDA
cache_swap_low 90
cache_swap_high 95
maximum_object_size_in_memory 50 KB
memory_pools off
maximum_object_size 50 MB
quick_abort_min 0 KB
quick_abort_max 0 KB
log_icp_queries off
client_db off
buffered_logs on
half_closed_clients off

On 26 June 2011 16:19, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 26/06/11 21:24, Go Wow wrote:
>>
>> Hi,
>>
>>  I'm using squid 3.1.8 on centos 5.4 with 3.8GB RAM and Dual Core
>> Processor. My swap is being used and 50% of RAM is used by cache &
>> buffers. Below link has one week's memory & CPU utilization
>> information in form of graph.
>>
>> Memory usage -->  http://img.myph.us/Cr8.jpg
>> CPU usage -->  http://img.myph.us/PgM.jpg
>>
>> I'm worried as to why the usage of swap is coming into picture,
>> logically if Swap is used then I need to increase the RAM but this
>> machine is serving only 12 users.
>>
>>  My squid.conf is here
>>
>> auth_param negotiate program /usr/lib/squid/squid_kerb_auth -d -s GSS_C_NO_NAME
>> auth_param negotiate children 10
>> auth_param negotiate keep_alive on
>> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>> auth_param ntlm children 8
>> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
>> auth_param basic credentialsttl 4 hour
>> auth_param basic casesensitive off
>> auth_param basic children 7
>> auth_param basic realm DOMAINNAME
>> authenticate_cache_garbage_interval 10 seconds
>> authenticate_ttl 0 seconds
>> acl ad-auth proxy_auth REQUIRED
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/32
>> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
>> acl allow_localnet dst 192.168.110.0/24 192.168.188.0/24
>> acl allow_localdomain dstdomain .domain.com
>> acl local_net_dst dst  192.168.117.0/24
>> acl local_net_src src  192.168.117.0/24
>> acl Unsafe_Ports port 5050 843 5100 5101 5000-5010 9085
>> acl Unsafe_Ports port 1863
>> acl Unsafe_Ports port 5222
>> acl SSL_ports port 443
>> acl Safe_ports port 80 53 3268 88 5060 5061 5062 5075 5076 5077 50636 587 50389 58941 110 995 993 143 389 636 119 25 465 135 102 3000  # http
>> acl Safe_ports port 21          # ftp
>> acl Safe_ports port 443         # https
>> acl Safe_ports port 70          # gopher
>> acl Safe_ports port 210         # wais
>> acl Safe_ports port 1025-65535  # unregistered ports
>> acl Safe_ports port 280         # http-mgmt
>> acl Safe_ports port 488         # gss-http
>> acl Safe_ports port 591         # filemaker
>> acl Safe_ports port 777         # multiling http
>> acl CONNECT method CONNECT
>> http_access allow localhost allow_localnet allow_localdomain
>> http_access allow manager localhost
>> http_access allow ad-auth
>
>> http_access deny manager
>> http_access deny Unsafe_Ports !Safe_ports
>
> That won't work. Please see:
>  http://wiki.squid-cache.org/SquidFaq/SquidAcls#Common_Mistakes
>
>> http_access deny CONNECT !SSL_ports
>
> None of these security checks will have any effect. You have placed all
> of the allows above them to happen first.
>
>> http_access deny all
>> redirect_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf
>> redirect_children 15
>> icp_access deny all
>> htcp_access deny all
>> http_port 3128
>> cache_mem 128 MB
>> cache_dir aufs /var/squid/cache 128 16 256
>> hierarchy_stoplist cgi-bin ?
>> access_log /var/log/squid/access.log squid
>> refresh_pattern ^ftp:           1440    20%     10080
>> refresh_pattern ^gopher:        1440    0%      1440
>> refresh_pattern (cgi-bin|\?)    0       0%      0
>
> Broken pattern. Use this instead:
>  -i (/cgi-bin/|\?)
>
>> refresh_pattern .               0       20%     4320
>> icp_port 3130
>> pipeline_prefetch off
>> #delay_pools 2
>> #delay_class 1 4
>> #delay_class 2 4
>> #delay_access 1 allow local_net_src
>> #delay_access 2 allow local_net_dst
>> #delay_parameters 1 -1/-1 -1/-1 -1/-1 51200/51200
>> #delay_parameters 2 -1/-1 -1/-1 -1/-1 -1/-1
>> #delay_initial_bucket_level 75
>> httpd_suppress_version_string on
>> forwarded_for off
>> hosts_file /etc/hosts
>> cache_replacement_policy heap LFUDA
>> cache_swap_low 90
>> cache_swap_high 95
>> maximum_object_size_in_memory 50 KB
>> memory_pools off
>> maximum_object_size 50 MB
>> quick_abort_min 0 KB
>> quick_abort_max 0 KB
>> log_icp_queries off
>> client_db off
>> buffered_logs on
>> half_closed_clients off
>>
>>
>> I had delay pools but I later disabled them as well.
>
> Are you sure it is Squid consuming that memory? It's possibly another
> application.
>  If you are sure it is Squid please upgrade to a later version. There were
> some memory overuse issues fixed between 3.1.8 and 3.1.11.
>
> Amos
> --
> Please be using
>  Current Stable Squid 2.7.STABLE9 or 3.1.12
>  Beta testers wanted for 3.2.0.9 and 3.1.12.3
>
Received on Mon Jun 27 2011 - 09:03:10 MDT
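
Squid ANDs the ACL names on one http_access line and lets the first matching line decide. The following is an added example (not code from this thread or from Squid) that models those two rules against the first and the revised http_access lists posted here; the `req` helper, its field names, the sample addresses and the abridged port sets are assumptions, and the dst-based allow lines are left out.

```python
# Simplified model of Squid http_access evaluation (added example, not Squid code).
# Port sets are abridged from the posted squid.conf; request fields are assumptions.
UNSAFE = {5050, 843, 5100, 5101, 9085, 1863, 5222, *range(5000, 5011)}
SAFE = {80, 53, 443, 21, 70, 210, 280, 488, 591, 777, *range(1025, 65536)}

ACLS = {
    "all":          lambda r: True,
    "manager":      lambda r: r["proto"] == "cache_object",
    "localhost":    lambda r: r["src"] == "127.0.0.1",
    "ad-auth":      lambda r: r["auth"],            # stands in for proxy_auth REQUIRED
    "CONNECT":      lambda r: r["method"] == "CONNECT",
    "SSL_ports":    lambda r: r["port"] == 443,
    "Safe_ports":   lambda r: r["port"] in SAFE,
    "Unsafe_Ports": lambda r: r["port"] in UNSAFE,
}

def parse(conf):
    """Turn 'http_access allow a !b' lines into (action, [acl, ...]) tuples."""
    lines = (l.split() for l in conf.splitlines())
    return [(w[1], w[2:]) for w in lines if w and w[0] == "http_access"]

def decide(rules, r):
    """The first line whose ACLs ALL match wins; '!' negates one ACL."""
    for action, names in rules:
        if all(ACLS[n.lstrip("!")](r) != n.startswith("!") for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"  # no match: opposite of last line

def req(port, method="GET", proto="http", src="192.168.137.10", auth=True):
    """Build a constructed sample request."""
    return dict(port=port, method=method, proto=proto, src=src, auth=auth)

# http_access order from the first post: the allow for ad-auth precedes the denies.
ORIGINAL = parse("""http_access allow manager localhost
http_access allow ad-auth
http_access deny manager
http_access deny Unsafe_Ports !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all""")

# http_access order from the revised squid.conf: denies first, one ACL test per line.
REVISED = parse("""http_access allow manager localhost
http_access deny manager
http_access deny Unsafe_Ports
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow ad-auth
http_access deny all""")
```

With the first ordering, `decide(ORIGINAL, req(22, method="CONNECT"))` and `decide(ORIGINAL, req(3128, proto="cache_object"))` both return `allow` for any authenticated user; the revised ordering returns `deny` for both. Port 5222 also shows why `deny Unsafe_Ports !Safe_ports` never fires: the port is in both sets, so the ANDed line cannot match.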