RE: [squid-users] slower connections using squid (squid is slowing down all connections)

From: Chris Robertson <crobertson@dont-contact.us>
Date: Tue, 27 Sep 2005 11:33:33 -0800

> -----Original Message-----
> From: Alex [mailto:linuxro@online.ie]
> Sent: Sunday, September 25, 2005 2:54 AM
>
> On Saturday 24 September 2005 21:15, Matus UHLAR - fantomas wrote:
> > > > Okay... These look pretty good. Hits are fast, misses are okay, DNS
> > > > requests are about what I would expect... I'm a bit perplexed. What
> > > > are the symptoms of slow connections? Is it throughput on large
> > > > downloads, pages with lots of connections (msn.com with its thousands
> > > > of images), does it just take forever for a connection to get started,
> > > > or is it something else entirely?
> >
> > On 24.09 15:21, Alex wrote:
> > > NO, the situation is very simple: no matter the content of the page. Even if
> > > www.google.com is accessed, it takes more than 20-30s to load/display it
> > > correctly. Without squid, www.google.com is loaded instantly!
> >
> > ehm, this might be caused by:
> >
> > 1. clients connect from IPs not in DNS, and your squid checks for their
> > reverse (and probably direct) DNS information
>
> I don't think so... Indeed, for our clients, I haven't configured the 10.0.0.rev
> zone in our DNS (I am using a split view DNS configuration and all our clients'
> queries are coming from 10.0.x.0/24 subnets, where x = 1 up to 10),
> but .... If you are right, why in the morning or in the afternoon is squid
> working ok?

Something is being overloaded at mid day. From the statistics you have provided, it's not Squid. You stated that a connection to Google takes 20-30 seconds to complete, but don't give details on what happens during the wait. Do parts of the page load (i.e. the text but not the logo), or is it a long wait and then the page suddenly appears?

>
> > 2. you are requiring ident for them, they are firewalled and don't support
> > ident requests
>
> No, we are in a VPN and for our internal IP addresses we are passing almost all
> traffic... What's the name of the squid directive which enables/disables ident
> requests?

As far as I recall, ident lookups have to be compiled into Squid. Looking at the squid.conf.default I find "By default, ident lookups are not performed for any requests", and looking at your squid.conf I don't see you requesting ident info. I also don't see anything that should cause reverse DNS lookups.

>
> >
> > for 99% it's the first case. turn off dns checking in squid, or better, fix
> > your internal DNS.
>
> HOW CAN I TURN OFF DNS CHECKING IN SQUID ... the log_fqdn directive is turned off
> by default....

Don't use acls such as srcdomain or srcdom_regex. You aren't, so I don't think this is the issue here.

At a busy point (when requests are blocking) check the "Internal DNS Statistics" page. That should show you which DNS servers are being queried. Output of "netstat -tapn" might be helpful as well. Lastly, running "squid -k debug" while under high load, waiting a few seconds, and then running "squid -k debug" again (to turn debugging off) and then checking cache_log for details can reveal other problems. It's sounding very much like a DNS server being overloaded or a problem with creating outgoing requests (firewall, OS limitation, etc).

>
> Here comes my squid.conf
>
> http_port 3128
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
> cache_mem 256 MB
> maximum_object_size 32768 KB
> maximum_object_size_in_memory 64 KB
> cache_replacement_policy heap GDSF
> memory_replacement_policy heap GDSF
> cache_dir aufs /var/spool/squid 20480 16 256
> cache_store_log none
> ftp_user squid@mydoom.ro
> auth_param basic children 100
> auth_param basic realm Squid proxy-caching server
> auth_param basic program /usr/lib/squid/pam_auth
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> half_closed_clients off
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl lanpass proxy_auth REQUIRED
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access allow lanpass
> http_access deny all
> http_reply_access allow all
> icp_access allow all
> cache_mgr admin@mydoom.ro
> visible_hostname proxy.mydoom.ro
> announce_period 0
> log_icp_queries off
> cachemgr_passwd *** all
> buffered_logs on
> coredump_dir /var/spool/squid
> client_persistent_connections off
>
> Alex
>

Chris
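The thread keeps coming back to two facts: hits are fast and the slowdown appears only around midday. As an added example (not from the list, not part of Squid), this script groups a Squid native-format access.log by hour and by result/hierarchy code so that a pattern like "misses via DIRECT are slow at noon, hits are fine all day" shows up in numbers rather than impressions. The log lines are constructed; times are read as UTC to keep the result independent of the local zone.

```python
"""Group a Squid native-format access.log by hour and result code.

Native log fields: time elapsed client result/status bytes method URL
user hierarchy/peer type.  'elapsed' is in milliseconds.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

# Constructed sample (2005-09-24; first two lines ~08:00 UTC, rest ~12:00 UTC).
SAMPLE_LOG = """\
1127548810.123    45 10.0.1.20 TCP_HIT/200 5120 GET http://www.google.com/ alex NONE/- text/html
1127548815.456   310 10.0.2.15 TCP_MISS/200 8221 GET http://www.google.com/ alex DIRECT/66.102.7.99 text/html
1127563201.001    52 10.0.3.7 TCP_HIT/200 5120 GET http://www.google.com/ alex NONE/- text/html
1127563210.778 24980 10.0.1.20 TCP_MISS/200 8221 GET http://www.google.com/ alex DIRECT/66.102.7.99 text/html
1127563233.200 27120 10.0.4.9 TCP_MISS/200 3900 GET http://www.msn.com/ alex DIRECT/207.68.172.246 text/html
"""


def parse_line(line):
    """Return (hour_utc, result, hierarchy, elapsed_ms) or None for junk lines."""
    f = line.split()
    if len(f) < 9:
        return None
    ts, elapsed_ms = float(f[0]), int(f[1])
    result = f[3].split("/")[0]      # e.g. TCP_MISS (status code dropped)
    hierarchy = f[8].split("/")[0]   # e.g. DIRECT or NONE
    hour = datetime.fromtimestamp(ts, tz=timezone.utc).hour
    return hour, result, hierarchy, elapsed_ms


def slow_summary(log_text, slow_ms=10000):
    """Map (hour, result, hierarchy) -> (requests, median_ms, requests >= slow_ms)."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            hour, result, hierarchy, ms = parsed
            buckets[(hour, result, hierarchy)].append(ms)
    return {key: (len(v), median(v), sum(ms >= slow_ms for ms in v))
            for key, v in buckets.items()}


if __name__ == "__main__":
    for (hour, result, hierarchy), (n, med, slow) in sorted(slow_summary(SAMPLE_LOG).items()):
        print(f"{hour:02d}h {result:<9}{hierarchy:<7} n={n} median={med:.0f}ms slow={slow}")
```

Feed it a real access.log with `slow_summary(open("/var/log/squid/access.log").read())`; a slow bucket that is only TCP_MISS/DIRECT points at the outgoing path (DNS or connection setup), while slow TCP_HIT buckets would point back at Squid itself.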
Received on Tue Sep 27 2005 - 13:33:35 MDT
