Re: [squid-users] Memory issues

From: Go Wow <gowows_at_gmail.com>
Date: Tue, 28 Jun 2011 09:10:53 +0400

Any info for me regarding my last post?

On 27 June 2011 13:02, Go Wow <gowows_at_gmail.com> wrote:
> Pls find below the link to excel file containing memory info from
> squid cache manager.
>
> https://www.yousendit.com/download/MFo3c0w5bTh0TW14dnc9PQ
>
> Now my squid.conf looks like this, is this okay?
>
> auth_param negotiate program /usr/lib/squid/squid_kerb_auth -d -s GSS_C_NO_NAME
> auth_param negotiate children 10
> auth_param negotiate keep_alive on
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 8
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic credentialsttl 4 hour
> auth_param basic casesensitive off
> auth_param basic children 7
> auth_param basic realm DOMAIN
> authenticate_cache_garbage_interval 10 seconds
> authenticate_ttl 0 seconds
> acl ad-auth proxy_auth REQUIRED
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
> acl allow_localnet dst 192.168.100.0/24 192.168.18.0/24
> acl allow_localdomain dstdomain .domain.com
> acl local_net_dst dst  192.168.127.0/24
> acl local_net_src src  192.168.137.0/24
> acl Unsafe_Ports port 5050 843 5100 5101 5000-5010 9085
> acl Unsafe_Ports port 1863
> acl Unsafe_Ports port 5222
> acl SSL_ports port 443
> acl Safe_ports port 80 53 443 3268 88 5060 5061 5062 5075 5076 5077
> 50636 587 50389 58941 110 995 993 143 389 636 119 25 465 135 102 3000
> # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny Unsafe_Ports
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access allow allow_localnet
> http_access allow allow_localdomain
> http_access allow ad-auth
> http_access deny all
> http_port 3128
> hierarchy_stoplist cgi-bin ?
> cache_dir aufs /var/squid/cache 128 16 256
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?)    0       0%      0
> refresh_pattern .               0       20%     4320
> redirect_program /usr/local/bin/squidGuard -c
> /usr/local/squidGuard/squidGuard.conf
> redirect_children 15
> icp_access deny all
> htcp_access deny all
> cache_mem 128 MB
> access_log /var/log/squid/access.log squid
> icp_port 3130
> pipeline_prefetch off
> cache_mgr mail_at_domain.com
> cachemgr_passwd password all
> #delay_pools 2
> #delay_class 1 4
> #delay_class 2 4
> #delay_access 1 allow local_net_src
> #delay_access 2 allow local_net_dst
> #delay_parameters 1 -1/-1 -1/-1 -1/-1 51200/51200
> #delay_parameters 2 -1/-1 -1/-1 -1/-1 -1/-1
> #delay_initial_bucket_level 75
> httpd_suppress_version_string on
> forwarded_for off
> hosts_file /etc/hosts
> cache_replacement_policy heap LFUDA
> cache_swap_low 90
> cache_swap_high 95
> maximum_object_size_in_memory 50 KB
> memory_pools off
> maximum_object_size 50 MB
> quick_abort_min 0 KB
> quick_abort_max 0 KB
> log_icp_queries off
> client_db off
> buffered_logs on
> half_closed_clients off
>
> On 26 June 2011 16:19, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>> On 26/06/11 21:24, Go Wow wrote:
>>>
>>> Hi,
>>>
>>>  I'm using squid 3.1.8 on centos 5.4 with 3.8GB RAM and Dual Core
>>> Processor. My swap is been used and 50% of RAM is used by cache&
>>> buffers. Below link has one week's memory&  CPU utilization
>>> information in form of graph.
>>>
>>> Memory usage -->  http://img.myph.us/Cr8.jpg
>>> CPU usage -->  http://img.myph.us/PgM.jpg
>>>
>>> I'm worried as to why the usage of swap is coming into picture,
>>> logically if Swap is used then I need to increase the RAM but this
>>> machine is serving only 12 users.
>>>
>>>  My squid.conf is here
>>>
>>> auth_param negotiate program /usr/lib/squid/squid_kerb_auth -d -s
>>> GSS_C_NO_NAME
>>> auth_param negotiate children 10
>>> auth_param negotiate keep_alive on
>>> auth_param ntlm program /usr/bin/ntlm_auth
>>> --helper-protocol=squid-2.5-ntlmssp
>>> auth_param ntlm children 8
>>> auth_param basic program /usr/bin/ntlm_auth
>>> --helper-protocol=squid-2.5-basic
>>> auth_param basic credentialsttl 4 hour
>>> auth_param basic casesensitive off
>>> auth_param basic children 7
>>> auth_param basic realm DOMAINNAME
>>> authenticate_cache_garbage_interval 10 seconds
>>> authenticate_ttl 0 seconds
>>> acl ad-auth proxy_auth REQUIRED
>>> acl manager proto cache_object
>>> acl localhost src 127.0.0.1/32
>>> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
>>> acl allow_localnet dst 192.168.110.0/24 192.168.188.0/24
>>> acl allow_localdomain dstdomain .domain.com
>>> acl local_net_dst dst  192.168.117.0/24
>>> acl local_net_src src  192.168.117.0/24
>>> acl Unsafe_Ports port 5050 843 5100 5101 5000-5010 9085
>>> acl Unsafe_Ports port 1863
>>> acl Unsafe_Ports port 5222
>>> acl SSL_ports port 443
>>> acl Safe_ports port 80 53 3268 88 5060 5061 5062 5075 5076 5077 50636
>>> 587 50389 58941 110 995 993 143 389 636 119 25 465 135 102 3000  #
>>> http
>>> acl Safe_ports port 21          # ftp
>>> acl Safe_ports port 443         # https
>>> acl Safe_ports port 70          # gopher
>>> acl Safe_ports port 210         # wais
>>> acl Safe_ports port 1025-65535  # unregistered ports
>>> acl Safe_ports port 280         # http-mgmt
>>> acl Safe_ports port 488         # gss-http
>>> acl Safe_ports port 591         # filemaker
>>> acl Safe_ports port 777         # multiling http
>>> acl CONNECT method CONNECT
>>> http_access allow localhost allow_localnet allow_localdomain
>>> http_access allow manager localhost
>>> http_access allow ad-auth
>>
>>> http_access deny manager
>>> http_access deny Unsafe_Ports !Safe_ports
>>
>> That wont work. Please see:
>>  http://wiki.squid-cache.org/SquidFaq/SquidAcls#Common_Mistakes
>>
>>> http_access deny CONNECT !SSL_ports
>>
>> None of these security checks will have any effect. You have placed all
>> of the allows above them to happen first.
>>
>>> http_access deny all
>>> redirect_program /usr/local/bin/squidGuard -c
>>> /usr/local/squidGuard/squidGuard.conf
>>> redirect_children 15
>>> icp_access deny all
>>> htcp_access deny all
>>> http_port 3128
>>> cache_mem 128 MB
>>> cache_dir aufs /var/squid/cache 128 16 256
>>> hierarchy_stoplist cgi-bin ?
>>> access_log /var/log/squid/access.log squid
>>> refresh_pattern ^ftp:           1440    20%     10080
>>> refresh_pattern ^gopher:        1440    0%      1440
>>> refresh_pattern (cgi-bin|\?)    0       0%      0
>>
>> Broken pattern. Use this instead:
>>  -i (/cgi-bin/|\?)
>>
>>> refresh_pattern .               0       20%     4320
>>> icp_port 3130
>>> pipeline_prefetch off
>>> #delay_pools 2
>>> #delay_class 1 4
>>> #delay_class 2 4
>>> #delay_access 1 allow local_net_src
>>> #delay_access 2 allow local_net_dst
>>> #delay_parameters 1 -1/-1 -1/-1 -1/-1 51200/51200
>>> #delay_parameters 2 -1/-1 -1/-1 -1/-1 -1/-1
>>> #delay_initial_bucket_level 75
>>> httpd_suppress_version_string on
>>> forwarded_for off
>>> hosts_file /etc/hosts
>>> cache_replacement_policy heap LFUDA
>>> cache_swap_low 90
>>> cache_swap_high 95
>>> maximum_object_size_in_memory 50 KB
>>> memory_pools off
>>> maximum_object_size 50 MB
>>> quick_abort_min 0 KB
>>> quick_abort_max 0 KB
>>> log_icp_queries off
>>> client_db off
>>> buffered_logs on
>>> half_closed_clients off
>>>
>>>
>>> I had delay pools but I later disabled them as well.
>>
>> Are you sure it is Squid consuming that memory? Its possibly another
>> application.
>>  If you are sure it is Squid please upgrade to a later version. There were
>> some memory overuse issues fixed between 3.1.8 and 3.1.11.
>>
>> Amos
>> --
>> Please be using
>>  Current Stable Squid 2.7.STABLE9 or 3.1.12
>>  Beta testers wanted for 3.2.0.9 and 3.1.12.3
>>
>
Received on Tue Jun 28 2011 - 05:11:01 MDT

This archive was generated by hypermail 2.2.0 : Tue Jun 28 2011 - 12:00:02 MDT