Re: [squid-users] squid 3.1. from Amos Jeffries on 2011-06-11 (squid-users)

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 11 Jun 2011 18:05:41 +1200

On 11/06/11 05:39, Shenavandeh wrote:
> Hi,
>
> I have a squid installation that crashes twice a day under the load of
> 7 Mbps bandwidth with the following message in squid.out with no
> specific traces in cache.log
>
> Startup: Fri Jun 10 15:46:20
> dying from an unhandled exception: !theConsumer
> terminate called after throwing an instance of 'TextException'
> what(): !theConsumer
> Startup: Fri Jun 10 19:55:29
>
> It is compiled using following options:
> sbin]# ./squid -v
> Squid Cache: Version 3.1.12.1
> configure options: '--enable-linux-netfilter'
> '--enable-storeio=ufs,aufs' '--enable-poll'
> '--enable-x-accelerator-vary' '--enable-follow-x-forwarded-for'
> '--enable-ssl' '--enable-snmp' '--enable-removal-policies'
> '--enable-gnuregex' '--with-large-files' '--enable-async-io'
> 'CFLAGS=-DNUMTHREADS=300' --with-squid=/root/squid-3.1.12.1
> --enable-ltdl-convenience
>
> the platform is as follows:
>
> CPU :4 cores of Intel(R) Xeon(R) CPU E5504 @ 2.00GHz
> RAM : 8GB
> OS: CentOS 5.6 :
> Kernel: Linux version 2.6.25 compiled with tproxy option.
>
> the Squid configuration:
>
> cache_mem 4000 MB
>
> dead_peer_timeout 30 seconds
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY

hierarchy_stoplist and the QUERY bits are outdated. It is worth removing
these.

>
> maximum_object_size 50 MB
> maximum_object_size_in_memory 500 KB
> minimum_object_size 0 KB
>
> cache_replacement_policy heap LFUDA
> memory_replacement_policy heap LRU
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32 ::1
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
>
>
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl localnet src fc00::/7 # RFC 4193 local private network range
> acl localnet src fe80::/10 # RFC 4291 link-local (directly
> plugged) machines
>
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow to_localhost

This is dangerous.
to_localhost is designed to match a class of attack signatures and
prevent DoS. It is intended for use in a "deny" line.

>
>
> http_access allow localhost
> http_access allow localnet
> http_access allow to_localhost

A second "allow to_localhost" is useless. The first will stop processing
when it gets tested and matches.

>
> http_access deny all
>
> http_port 3128 tproxy
>
> hierarchy_stoplist cgi-bin ?

repeat directive, worth removing.

>
> cache_dir aufs /cache 24000 16 256
>
> coredump_dir cache
>
> # Add any of your own refresh_pattern entries above these.
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
> cache_effective_user squid
> cache_effective_group squid
>
> half_closed_clients off
> buffered_logs on
> client_db off
> quick_abort_max 0 KB
> quick_abort_min 0 KB
> memory_pools off
>
> cache_swap_high 95%
> cache_swap_low 90
> logfile_rotate 10%

logfile_rotate is not a percentage. It is a count of many log files to
keep. A new one is generated ever time you run "squid -k rotate"

>
> visible_hostname Cache

Interesting FQDN.

The admin_at_Cache contact address for example, does not resolve here.

>
> quick_abort_min 32 KB
> quick_abort_max 32 KB
> quick_abort_pct 95
>
> negative_ttl 3 minutes
> positive_dns_ttl 6 hours
>
> pipeline_prefetch on
>
> acl snmpkey snmp_community public
> snmp_port 3401
> snmp_access allow snmpkey localhost
> snmp_access deny all
>
> refresh_pattern -i
> \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv|mpg|wma|ogg|wmv|asx|asf)$
> 260000 90% 260009 override-expire
> refresh_pattern -i
> \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff|pdf|uxx)$ 260000
> 90% 260009 override-expire

These refresh_pattern lines are useless. The query and dot patterns
above catch all URL in existence. Squid never gets past them to match these.

>
>
> I would be most grateful if somebody helps me out.
> Yours Faithfully,
> ---
> Amir H Sh

A few seconds search in bugzilla shows this:
http://bugs.squid-cache.org/show_bug.cgi?id=3117

Perhapse you can help provide a trace (debug_options ALL,6) and help
track down where it is coming from.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.12
   Beta testers wanted for 3.2.0.8 and 3.1.12.2

Received on Sat Jun 11 2011 - 06:06:07 MDT

This archive was generated by hypermail 2.2.0 : Sun Jun 12 2011 - 12:00:02 MDT