[squid-users] Slow Squid 2.6 Server

From: Art Bermas <art.bermas_at_tooncityanimation.com>
Date: Mon, 24 Sep 2012 20:25:05 +0800

Hello Everyone,

I've been experiencing a slow proxy on my second Squid box even though
its general configuration is the same as my first Squid box, except of
course for the IP. See below for details:

Squid Box 1 - Connected to a 3Mbps DSL. Used by the majority of users for
internet browsing. Running on CentOS 5.8 with iptables configured.
iptables prerouts http requests to 3128. Hardware: Intel C2Duo 1.86GHz,
8GB RAM.

#SQUID BOX 1 CONFIGURATION
http_port 3128 transparent
cache_mem 50 MB
cache_dir ufs /var/spool/squid 500 16 256
maximum_object_size 1 MB
access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
ftp_passive on
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
request_body_max_size 4 MB
dns_nameservers x.x.x.x x.x.x.x

#Recommended minimum configuration:
acl ftp proto FTP
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 83 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
always_direct allow FTP

#Recommended minimum configuration:

#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to unknown ports
http_access deny !Safe_ports

# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#

acl walang_bawal src "/etc/squid/no_restrictions"
acl no_restrictions_but_no_porn src "/etc/squid/no_restrictions_but_no_porn"
acl mga_direktor src "/etc/squid/directors"
acl dept_heads_pms src "/etc/squid/dept_heads_pms"

acl neo src 172.16.64.50 # neo
#
#3D CGI
acl cgi002 src 172.16.64.177 # Mark
acl cgi003 src 172.16.64.93 # Czy
acl cgi004 src 172.16.64.92 # Amabel
acl cgi006 src 172.16.64.91 # Archie
acl cgi009 src 172.16.64.94 # Idol
acl tca001 src 172.16.64.96 # Allan
acl tca002 src 172.16.64.184 # Anthony
acl cgi019 src 172.16.64.214 # Animator
acl cgi007 src 172.16.64.179 # CGI

acl redondo3d src 172.16.64.207 #Mac Avid1 Chrysler
acl mac-g5 src 172.16.64.206 #Avid 2
acl sicily src 172.16.64.199 #retakes dept Jeff Gongon
acl missouri src 172.16.65.248 #Mitch
acl iriga src 172.16.65.188 #Mitch
acl calbayog src 172.16.65.171 #Reception

# OUR POLICY
acl business_hours time M T W H F A S 9:00-19:00
acl business_hours_MF time M T W H F 10:00-19:00
acl am_hours time M T W H F 00:00-05:00
acl pm_hours time M T W H F 15:00-17:00
acl facebook_time time M T W H F A S 12:00-14:00
acl utube_time time M T W H F A S 12:00-14:00
acl bad url_regex -i "/etc/squid/restrict-url.acl"
acl facebk dstdomain .facebook.com
acl utube dstdomain .youtube.com
acl bawal dstdom_regex "/etc/squid/bawal.list"
#acl goodsites dstdomain "/etc/squid/goodsites.acl"

#### THE ACCESS #####
#
#
# THESE HAVE NO RESTRICTIONS AT ALL
http_access allow walang_bawal
http_access allow neo business_hours

# HERE ONLY NUDITY IS FORBIDDEN
http_access deny bad

http_access allow no_restrictions_but_no_porn

http_access allow calbayog pm_hours
# HERE FACEBOOK IS CONTROLLED BUT YOUTUBE IS ALWAYS ALLOWED
http_access allow facebk facebook_time
http_access deny facebk
http_access deny CONNECT SSL_ports facebk

# THE DIRECTORS GO HERE
http_access deny bawal
http_access deny CONNECT SSL_ports bawal
http_access allow mga_direktor
# 3D-CGI
http_access allow tca001
http_access allow tca002
http_access allow cgi002
http_access allow cgi003
http_access allow cgi004
http_access allow cgi006
http_access allow cgi009
http_access allow cgi019
http_access allow cgi007

# HERE YOUTUBE HAS SET HOURS
http_access allow utube utube_time
http_access deny utube
http_access deny CONNECT SSL_ports utube

# HERE THERE IS REALLY NO YOUTUBE, FACEBOOK, ETC.
http_access deny utube
http_access deny CONNECT SSL_ports utube
http_access allow dept_heads_pms

http_access allow redondo3d facebook_time
http_access allow mac-g5 facebook_time
http_access allow sicily facebook_time
http_access allow missouri business_hours
http_access allow iriga business_hours

# And finally deny all other access to this proxy
http_access allow localhost
http_access deny CONNECT SSL_ports
http_access deny all

logfile_rotate 0
ssl_unclean_shutdown on
allow_underscore on
shutdown_lifetime 30 seconds
visible_hostname TOONCITY_Technology_Department
cache_mgr technology_at_tooncityanimation.com
coredump_dir /var/spool/squid
always_direct allow FTP
ftp_sanitycheck off

Squid Box 2 - Connected to a 6Mbps leased line. Used by the powers that
be for internet browsing. Running on CentOS 5.8 with iptables
configured. iptables prerouts http requests to 3128. Hardware: Intel P4
3.00GHz, 2GB RAM.

#SQUID BOX 2 CONFIGURATION
http_port 3128 transparent
cache_mem 50 MB
cache_dir ufs /var/spool/squid 500 16 256
maximum_object_size 1 MB
access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
ftp_passive on
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
request_body_max_size 4 MB
dns_nameservers x.x.x.x x.x.x.x

#Recommended minimum configuration:
acl ftp proto FTP
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 83 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
always_direct allow FTP

#Recommended minimum configuration:

#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to unknown ports
http_access deny !Safe_ports

# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#

#ACL'S

acl tabaco2 src 172.16.64.46
acl daraga src 172.16.64.61
acl finance src 172.16.64.62
acl hr04 src 172.16.64.68

#ACCESS LIST

http_access allow tabaco2
http_access allow daraga
http_access allow finance
http_access allow hr04

# And finally deny all other access to this proxy
http_access allow localhost
http_access deny CONNECT SSL_ports
http_access deny all

logfile_rotate 0
ssl_unclean_shutdown on
allow_underscore on
shutdown_lifetime 30 seconds
visible_hostname TOONCITY_Technology_Department
cache_mgr technology_at_tooncityanimation.com
coredump_dir /var/spool/squid
always_direct allow FTP
ftp_sanitycheck off

As you can see from the listed configs, both Squid boxes have
"almost" the same general configuration.

Squid Box 1 is performing fine with no hassle at all.

Squid Box 2 will perform normally for a few hours and then starts to slow
down. I get "zero sized reply" from time to time.

The users/hosts listed on Squid Box 2 used to connect through Squid Box 1
with no problem at all. I transferred them to Squid Box 2 over the
weekend and I noticed the problem today.

After going through the logs and testing several configurations on Squid Box
2, there is still no improvement.

Could it be the hardware? No disk errors on both boxes.

Looking forward to your reply.

Regards,

Art
Received on Mon Sep 24 2012 - 12:26:11 MDT
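One way to pin down the hour at which Box 2 starts to degrade, added here as an example and not part of Art's post: a Python script that parses Squid 2.x native access.log records (the format both configs above write), buckets them by UTC hour, and reports per-hour request count, p95 service time and the number of 5xx replies (Squid serves a "Zero Sized Reply" error page with a 502, so those land in that count). The log lines are constructed samples, not taken from Art's server.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
# Squid native access.log record, one per line, as Squid 2.x writes it:
# timestamp elapsed_ms client action/status bytes method url ident hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+\S+\s+\S+\s+\S+$"
)

# Constructed sample: three fast requests in the 09:00 UTC hour, then a slow 12:00 hour
# with one 502, the status Squid logs when it serves a "Zero Sized Reply" error page.
SAMPLE_LOG = """\
1348480000.117   412 172.16.64.46 TCP_MISS/200 15320 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
1348480030.442   205 172.16.64.61 TCP_HIT/200 8841 GET http://www.example.com/style.css - NONE/- text/css
1348480061.903   388 172.16.64.62 TCP_MISS/200 22109 GET http://www.example.com/news - DIRECT/93.184.216.34 text/html
1348490000.210  9874 172.16.64.46 TCP_MISS/200 15320 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
1348490041.655 30002 172.16.64.68 TCP_MISS/502 1598 GET http://www.example.com/report - DIRECT/93.184.216.34 text/html
1348490077.009 12311 172.16.64.61 TCP_MISS/200 4420 GET http://www.example.com/a - DIRECT/93.184.216.34 text/html
"""

def parse_line(line):
    """One access.log record as a dict, or None for a blank or malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    for key in ("elapsed", "status", "bytes"):
        rec[key] = int(rec[key])
    return rec

def percentile(values, pct):
    """Nearest-rank percentile; 0 for an empty list."""
    ordered = sorted(values)
    return ordered[int(round(pct / 100.0 * (len(ordered) - 1)))] if ordered else 0

def hourly_summary(log_text):
    """Per UTC hour: request count, p95 service time in ms, and number of 5xx replies."""
    buckets = defaultdict(lambda: {"elapsed": [], "errors": 0})
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        hour = datetime.fromtimestamp(rec["ts"], tz=timezone.utc).strftime("%Y-%m-%d %H:00")
        buckets[hour]["elapsed"].append(rec["elapsed"])
        buckets[hour]["errors"] += int(rec["status"] >= 500)
    return {h: {"requests": len(b["elapsed"]), "p95_ms": percentile(b["elapsed"], 95),
                "errors": b["errors"]} for h, b in sorted(buckets.items())}

def slow_hours(summary, p95_threshold_ms=5000):
    """Hours whose p95 exceeds the threshold or that logged any 5xx: where the slowdown began."""
    return [h for h, s in summary.items() if s["p95_ms"] > p95_threshold_ms or s["errors"]]
```

Run it over the real file with `hourly_summary(open("/var/log/squid/access.log").read())`; the first hour returned by `slow_hours` is where to start correlating with cache.log and system load on Box 2.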