Re: [squid-users] Still having some slowness

From: Ron Wheeler <rwheeler_at_artifact-software.com>
Date: Fri, 14 Feb 2014 10:11:24 -0500

Your squid is just loafing along with no problems.
What about your LDAP server?
Does the problem go away once everyone is logged on?
Squid does not have very much to do at logon time. Messages are small
unless you are loading graphics on your login page but squid is not
showing any sign of being busy.

Ron

On 14/02/2014 10:03 AM, Scott Mayo wrote:
> Finally got my new server with a newer version of squid on it up and
> going. I am still having a few slowness issues. Trying to decide
> exactly what it is. I'll know a bit more as the day goes along.
> Right now I have disabled the icap service to take it out of the way.
> Here are a few statistics and my squid.conf if someone has a
> suggestion.
>
> Squid server is:
> i3-2100 @ 3.10GHz with 4 cores
> 8GB Ram
> 160GB HDD
> Centos 6.5
> Squid 3.1
> Private NIC is a 1Gb NIC
> Public NIC is a 100Mb NIC
> Internet connection is 20Mbps
>
> I probably have a total of 150 users on at once maybe.
>
> Sometimes I get a "Unable to connect to Proxy" when students all get
> to class and start logging on. If they hit refresh a time or two,
> then they will be prompted for authentication. Sometimes it is quite
> slow to pull up a website (5-30 seconds).
>
> I have watched 'top' and basically all CPUs are usually around 0.3 to
> 0.7 percent. I have seen them get up to 2.0 to 5.0 percent, but
> nothing extremely bad. I usually have around 5Gb-5.5Gb of memory free
> and I don't ever see any swap used. Load averages are around 0.0.2,
> 0.0.1, 0.0.0
>
> Below is my squid.conf if anyone has any suggestions of something that
> may be slowing things down. At this point I am a bit lost since I
> have the icap turned off. Those files that have domains in them are
> not too big. Probably nothing more than 50 domains in any one file
> and maybe a total of a couple hundred.
>
> Thanks.
>
> icap_enable off
> icap_preview_enable on
> icap_preview_size 4096
> icap_persistent_connections on
> icap_send_client_ip on
> icap_send_client_username on
> icap_client_username_header X-Client-Username
> icap_service qlproxy1 reqmod_precache bypass=0 icap://127.0.0.1:1344/reqmod
> icap_service qlproxy2 respmod_precache bypass=0 icap://127.0.0.1:1344/respmod
>
> #use for LDAP authentication
> auth_param basic program /usr/lib64/squid/squid_ldap_auth -b "dc=school,dc=org" -f "uid=%s" -h 192.168.0.250
> external_acl_type teachers %LOGIN /usr/lib64/squid/squid_ldap_group -b "dc=school,dc=org" -f "(&(cn=%g)(MemberUid=%u))" -h 192.168.0.250
> auth_param basic children 40 startup=5 idle=10 concurrency=150
> auth_param basic credentialsttl 9 hours
> acl ldap_username proxy_auth REQUIRED
>
> visible_hostname filter
> cache_mem 256 MB
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32 ::1
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
>
> acl qlproxy_icap_edomains dstdomain "/etc/opt/quintolabs/qlproxy/squid/icap_exclusions_domains.conf"
> acl qlproxy_icap_etypes rep_mime_type "/etc/opt/quintolabs/qlproxy/squid/icap_exclusions_contenttypes.conf"
> acl bps_exceptions dstdomain "/filter/urls/ok/domains"
> acl teacher_group external teachers teacher
> acl teacher_exception_list dstdomain "/filter/urls/teacher/exceptionsitelist"
> acl no_cache_sites dstdomain "/filter/urls/no_cache_sites"
> acl safe_url_sites dstdomain "/filter/urls/safe_url_sites"
> acl walsworth_sites dstdomain "/filter/urls/walsworth_sites"
> acl bpsblocked dstdomain "/filter/urls/blocked/domains"
> acl banned_users proxy_auth baduser
> acl windows_update dstdomain .windowsupdate.com .microsoft.com
>
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl localnet src fc00::/7 # RFC 4193 local private network range
> acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
>
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> adaptation_access qlproxy2 deny bps_exceptions
> adaptation_access qlproxy1 deny bps_exceptions
> adaptation_access qlproxy1 deny safe_url_sites
> adaptation_access qlproxy2 deny safe_url_sites
> adaptation_access qlproxy1 deny walsworth_sites
> adaptation_access qlproxy2 deny walsworth_sites
> adaptation_access qlproxy1 deny teacher_exception_list teacher_group
> adaptation_access qlproxy2 deny teacher_exception_list teacher_group
> adaptation_access qlproxy1 deny qlproxy_icap_edomains
> adaptation_access qlproxy2 deny qlproxy_icap_edomains
> adaptation_access qlproxy2 deny qlproxy_icap_etypes
> adaptation_access qlproxy1 allow all
> adaptation_access qlproxy2 allow all
>
> http_access allow manager localhost
> http_access deny manager
>
> cache deny no_cache_sites
> cache deny walsworth_sites
>
> http_access deny !Safe_ports
>
> http_access deny CONNECT !SSL_ports
>
> http_access allow bps_exceptions
> http_access allow windows_update
> http_access deny bpsblocked !teacher_group
> http_access deny banned_users
> http_access allow localnet
> http_access allow ldap_username
> http_access allow localhost
>
> http_access deny all
>
> http_port 8080
>
> hierarchy_stoplist cgi-bin ?
>
> cache_dir ufs /var/spool/squid 10000 16 256
>
> coredump_dir /var/spool/squid
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
>
>

-- 
Ron Wheeler
President
Artifact Software Inc
email: rwheeler_at_artifact-software.com
skype: ronaldmwheeler
phone: 866-970-2435, ext 102
Received on Fri Feb 14 2014 - 15:11:37 MST

This archive was generated by hypermail 2.2.0 : Fri Feb 14 2014 - 12:00:04 MST
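
The question raised in the reply above (does the slowness go away once everyone is logged on?) can be checked against Squid's access.log. The following is an added example, not part of the original thread: it buckets requests per minute and compares the median elapsed time in minutes that contain 407 authentication challenges with minutes that do not. The log lines are constructed, and Squid's default native log format is assumed.

```python
import statistics
from collections import defaultdict

# Constructed sample in Squid's native access.log format:
# time elapsed_ms client code/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1392390000.100 12 192.168.1.10 TCP_DENIED/407 3900 GET http://example.com/ - NONE/- text/html
1392390003.900 9100 192.168.1.10 TCP_MISS/200 10234 GET http://example.com/ student1 DIRECT/203.0.113.5 text/html
1392390005.200 15 192.168.1.11 TCP_DENIED/407 3900 GET http://example.org/ - NONE/- text/html
1392390019.000 12800 192.168.1.11 TCP_MISS/200 8123 GET http://example.org/ student2 DIRECT/203.0.113.6 text/html
1392390040.000 7400 192.168.1.12 TCP_MISS/200 5120 GET http://example.net/ student3 DIRECT/203.0.113.7 text/html
1392390900.000 180 192.168.1.10 TCP_MISS/200 10234 GET http://example.com/a student1 DIRECT/203.0.113.5 text/html
1392390930.000 210 192.168.1.12 TCP_MISS/200 5120 GET http://example.net/b student3 DIRECT/203.0.113.7 text/html
"""

def parse_line(line):
    """Return (timestamp, elapsed_ms, http_status), or None if malformed."""
    fields = line.split()
    try:
        return float(fields[0]), int(fields[1]), int(fields[3].rsplit("/", 1)[1])
    except (ValueError, IndexError):
        return None

def per_bucket(lines, bucket=60):
    """Per time bucket: number of 407 challenges, median elapsed of other requests."""
    challenges, served = defaultdict(int), defaultdict(list)
    for ts, elapsed, status in filter(None, map(parse_line, lines)):
        key = int(ts // bucket) * bucket
        if status == 407:
            challenges[key] += 1
        else:
            served[key].append(elapsed)
    return {
        key: {"challenges": challenges.get(key, 0),
              "median_ms": statistics.median(served[key]) if key in served else None}
        for key in sorted(set(challenges) | set(served))
    }

def logon_vs_steady(stats):
    """Median of bucket medians: buckets that saw 407s vs. buckets that did not."""
    def mid(values):
        values = [v for v in values if v is not None]
        return statistics.median(values) if values else None
    logon = mid(s["median_ms"] for s in stats.values() if s["challenges"])
    steady = mid(s["median_ms"] for s in stats.values() if not s["challenges"])
    return logon, steady

if __name__ == "__main__":
    print(logon_vs_steady(per_bucket(SAMPLE_LOG.splitlines())))
```

A large gap between the two medians points at the authentication path (the LDAP helpers or the directory server) rather than at Squid's own request handling.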