Thanks Amos for the the reply.
Will do the changes that you suggested and will try again.
Will probably replace the box it self with a newer one or upgrade its RAM.
Will keep you posted.
Regards,
Art
On 09/25/2012 08:50 AM, Amos Jeffries wrote:
> On 25.09.2012 00:25, Art Bermas wrote:
>> Hello Everyone,
>>
>> I've been experiencing a slow proxy on my second Squid box even
>> though its general configuration is the same as my first Squid box,
>> except of course for the IP. See below for details:
>>
>> Squid Box 1 - Connected to a 3Mbps DSL. Used by majority of users for
>> internet browsing. Running on CentOS 5.8 with iptables configured.
>> IPtables preroute http requests to 3128. Hardware Intel C2Duo 1.86Ghz
>> 8GB RAM
>>
>> #SQUID BOX 1 CONFIGURATION
>> http_port 3128 transparent
>> cache_mem 50 MB
>> cache_dir ufs /var/spool/squid 500 16 256
>> maximum_object_size 1 MB
>> access_log /var/log/squid/access.log
>> cache_log /var/log/squid/cache.log
>> cache_store_log /var/log/squid/store.log
>> ftp_passive on
>> acl QUERY urlpath_regex cgi-bin \?
>> cache deny QUERY
>>
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern . 0 20% 4320
>> request_body_max_size 4 MB
>> dns_nameservers x.x.x.x x.x.x.x
>>
>>
>> #Recommended minimum configuration:
>> acl ftp proto FTP
>> acl all src 0.0.0.0/0.0.0.0
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/255.255.255.255
>> acl to_localhost dst 127.0.0.0/8
>> acl SSL_ports port 443
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 83 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl CONNECT method CONNECT
>> always_direct allow FTP
>>
>> #Recommended minimum configuration:
>>
>> #
>> # Only allow cachemgr access from localhost
>> http_access allow manager localhost
>> http_access deny manager
>>
>> # Deny requests to unknown ports
>> http_access deny !Safe_ports
>>
>>
>> # Deny CONNECT to other than SSL ports
>> http_access deny CONNECT !SSL_ports
>> #
>>
>> acl walang_bawal src "/etc/squid/no_restrictions"
>> acl no_restrictions_but_no_porn src
>> "/etc/squid/no_restrictions_but_no_porn"
>> acl mga_direktor src "/etc/squid/directors"
>> acl dept_heads_pms src "/etc/squid/dept_heads_pms"
>>
>> acl neo src 172.16.64.50 # neo
>> #
>> #3D CGI
>> acl cgi002 src 172.16.64.177 # Mark
>> acl cgi003 src 172.16.64.93 # Czy
>> acl cgi004 src 172.16.64.92 # Amabel
>> acl cgi006 src 172.16.64.91 # Archie
>> acl cgi009 src 172.16.64.94 # Idol
>> acl tca001 src 172.16.64.96 # Allan
>> acl tca002 src 172.16.64.184 # Anthony
>> acl cgi019 src 172.16.64.214 # Animator
>> acl cgi007 src 172.16.64.179 # CGI
>>
>> acl redondo3d src 172.16.64.207 #Mac Avid1 Chrysler
>> acl mac-g5 src 172.16.64.206 #Avid 2
>> acl sicily src 172.16.64.199 #retakes dept Jeff Gongon
>> acl missouri src 172.16.65.248 #Mitch
>> acl iriga src 172.16.65.188 #Mitch
>> acl calbayog src 172.16.65.171 #Reception
>>
>> # ANG AMING PATAKARAN
>> acl business_hours time M T W H F A S 9:00-19:00
>> acl business_hours_MF time M T W H F 10:00-19:00
>> acl am_hours time M T W H F 00:00-05:00
>> acl pm_hours time M T W H F 15:00-17:00
>> acl facebook_time time M T W H F A S 12:00-14:00
>> acl utube_time time M T W H F A S 12:00-14:00
>> acl bad url_regex -i "/etc/squid/restrict-url.acl"
>> acl facebk dstdomain .facebook.com
>> acl utube dstdomain .youtube.com
>> acl bawal dstdom_regex "/etc/squid/bawal.list"
>> #acl goodsites dstdomain "/etc/squid/goodsites.acl"
>>
>> #### THE ACCESS #####
>> #
>> #
>> # WALA ITONG KAHIT NA ANONG RESTRICTIONS
>> http_access allow walang_bawal
>> http_access allow neo business_hours
>>
>> # HETO ANG BAWAL LANG EH HUBAD
>> http_access deny bad
>>
>> http_access allow no_restrictions_but_no_porn
>>
>> http_access allow calbayog pm_hours
>> # DITO CONTROLLED ANG FACEBOOK PERO MAY YOUTUBE LAGI
>> http_access allow facebk facebook_time
>> http_access deny facebk
>> http_access deny CONNECT SSL_ports facebk
>>
>> # DITO ANG MGA DIRECTOR
>> http_access deny bawal
>> http_access deny CONNECT SSL_ports bawal
>> http_access allow mga_direktor
>> # 3D-CGI
>> http_access allow tca001
>> http_access allow tca002
>> http_access allow cgi002
>> http_access allow cgi003
>> http_access allow cgi004
>> http_access allow cgi006
>> http_access allow cgi009
>> http_access allow cgi019
>> http_access allow cgi007
>>
>> # DITO MAY ORAS ANG YOUTUBE
>> http_access allow utube utube_time
>> http_access deny utube
>> http_access deny CONNECT SSL_ports utube
>>
>> # DITO WALA TALAGANG YOUTUBE,FACEBOOK ETC. ETC.
>> http_access deny utube
>> http_access deny CONNECT SSL_ports utube
>> http_access allow dept_heads_pms
>>
>> http_access allow redondo3d facebook_time
>> http_access allow mac-g5 facebook_time
>> http_access allow sicily facebook_time
>> http_access allow missouri business_hours
>> http_access allow iriga business_hours
>>
>>
>> # And finally deny all other access to this proxy
>> http_access allow localhost
>> http_access deny CONNECT SSL_ports
>> http_access deny all
>>
>> logfile_rotate 0
>> ssl_unclean_shutdown on
>> allow_underscore on
>> shutdown_lifetime 30 seconds
>> visible_hostname TOONCITY_Technology_Department
>> cache_mgr technology_at_tooncityanimation.com
>> coredump_dir /var/spool/squid
>> always_direct allow FTP
>> ftp_sanitycheck off
>>
>> Squid Box 2 - Connected to a 6Mbps lease line. Used by the powers
>> that be for internet browsing. Running on CentOS 5.8 with iptables
>> configured. IPtables preroute http requests to 3128. Hardware Intel P4
>> 3.00Ghz 2GB RAM
>>
>> #SQUID BOX 2 CONFIGURATION
>> http_port 3128 transparent
>> cache_mem 50 MB
>> cache_dir ufs /var/spool/squid 500 16 256
>> maximum_object_size 1 MB
>> access_log /var/log/squid/access.log
>> cache_log /var/log/squid/cache.log
>> cache_store_log /var/log/squid/store.log
>
> cache_store_log is not very useful. Unless you are using the log for
> analysis you can set this to "cache_store_log none" and save yourself
> a lot of disk I/O.
>
>
>> ftp_passive on
>> acl QUERY urlpath_regex cgi-bin \?
>> cache deny QUERY
>>
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern . 0 20% 4320
>> request_body_max_size 4 MB
>> dns_nameservers x.x.x.x x.x.x.x
>>
>>
>> #Recommended minimum configuration:
>> acl ftp proto FTP
>> acl all src 0.0.0.0/0.0.0.0
>
> acl all src all
>
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/255.255.255.255
>> acl to_localhost dst 127.0.0.0/8
>> acl SSL_ports port 443
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 83 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl CONNECT method CONNECT
>> always_direct allow FTP
>>
>> #Recommended minimum configuration:
>>
>> #
>> # Only allow cachemgr access from localhost
>> http_access allow manager localhost
>> http_access deny manager
>>
>> # Deny requests to unknown ports
>> http_access deny !Safe_ports
>>
>>
>> # Deny CONNECT to other than SSL ports
>> http_access deny CONNECT !SSL_ports
>> #
>>
>> #ACL'S
>>
>> acl tabaco2 src 172.16.64.46
>> acl daraga src 172.16.64.61
>> acl finance src 172.16.64.62
>> acl hr04 src 172.16.64.68
>>
>> #ACCESS LIST
>>
>> http_access allow tabaco2
>> http_access allow daraga
>> http_access allow finance
>> http_access allow hr04
>
> The above ACLs are all "src" type. You can compact this config down to:
>
>
> acl foo src 172.16.64.46 # tabaco2
> acl foo src 172.16.64.61 # draga
> acl foo src 172.16.64.62 # finance
> acl foo src 172.16.64.68 # hr04
>
> http_access allow foo
>
>>
>> # And finally deny all other access to this proxy
>> http_access allow localhost
>> http_access deny CONNECT SSL_ports
>> http_access deny all
>>
>> logfile_rotate 0
>> ssl_unclean_shutdown on
>> allow_underscore on
>> shutdown_lifetime 30 seconds
>> visible_hostname TOONCITY_Technology_Department
>> cache_mgr technology_at_tooncityanimation.com
>> coredump_dir /var/spool/squid
>> always_direct allow FTP
>> ftp_sanitycheck off
>
> always_direct is only useful with cache_peer or accelerator
> configurations.
> You can remove the "always_direct allow FTP" lines.
>
>>
>> As you can see from the listed configs that both Squid boxes have
>> "almost" the same general configuration.
>>
>> Squid Box 1 is performing fine with no hassle at all.
>>
>> Squid Box 2 will perform normally for a few hours and starts to slow
>> down. I get "zero sized reply" from time to time.
>
>
> Sounds familiar. Please upgrade, 2.6 has been obsolete for almost 5
> years now, the current release of Squid is 3.2.1.
>
>>
>> The users/hosts listed on Squid Box 2 used to connect thru Squid Box
>> 1 with no problem at all. I transferred them to Squid Box 2 over the
>> weekend and I noticed the problem today.
>>
>> After going thru the logs and testing several configuration on Squid
>> Box 2, there is still no improvement.
>>
>> Could it be the hardware? No disk errors on both boxes.
>
> Possibly, or DNS lag, or PMTU issues, or Buffer Bloat (I recommend
> looking it up if you are not already aware), or HTTP/1.1 features not
> supported by 2.6.
>
> Amos
>
>
Received on Tue Sep 25 2012 - 03:03:53 MDT
This archive was generated by hypermail 2.2.0 : Tue Sep 25 2012 - 12:00:06 MDT