[squid-users] Re: Still having some slowness

From: Scott Mayo <scotgmayo_at_gmail.com>
Date: Fri, 14 Feb 2014 09:09:14 -0600

BTW, on the below post, I just wanted to let everyone know that it is
not a bandwidth issue that I can tell. We are using about 5-10Mbps of
our 20Mbps line.
Scott

On Fri, Feb 14, 2014 at 9:03 AM, Scott Mayo <scotgmayo_at_gmail.com> wrote:
> Finally got my new server with a newer version of squid on it up and
> going. I am still having a few slowness issues. Trying to decide
> exactly what it is. I'll know a bit more as the day goes along.
> Right now I have disabled the icap service to take it out of the way.
> Here are a few statistics and my squid.conf if someone has a
> suggestion.
>
> Squid server is:
> i3-2100 @ 3.10GHz with 4 cores
> 8GB Ram
> 160GB HDD
> Centos 6.5
> Squid 3.1
> Private NIC is a 1Gb NIC
> Public NIC is a 100Mb NIC
> Internet connection is 20Mbps
>
> I probably have a total of 150 users on at once maybe.
>
> Sometimes I get an "Unable to connect to Proxy" when students all get
> to class and start logging on. If they hit refresh a time or two,
> then they will be prompted for authentication. Sometimes it is quite
> slow to pull up a website (5-30 seconds).
>
> I have watched 'top' and basically all CPUs are usually around 0.3 to
> 0.7 percent. I have seen them get up to 2.0 to 5.0 percent, but
> nothing extremely bad. I usually have around 5Gb-5.5Gb of memory free
> and I don't ever see any swap used. Load averages are around 0.0.2,
> 0.0.1, 0.0.0
>
> Below is my squid.conf if anyone has any suggestions of something that
> may be slowing things down. At this point I am a bit lost since I
> have the icap turned off. Those files that have domains in them are
> not too big. Probably nothing more than 50 domains in any one file
> and maybe a total of a couple hundred.
>
> Thanks.
>
> icap_enable off
> icap_preview_enable on
> icap_preview_size 4096
> icap_persistent_connections on
> icap_send_client_ip on
> icap_send_client_username on
> icap_client_username_header X-Client-Username
> icap_service qlproxy1 reqmod_precache bypass=0 icap://127.0.0.1:1344/reqmod
> icap_service qlproxy2 respmod_precache bypass=0 icap://127.0.0.1:1344/respmod
>
> #use for LDAP authentication
> auth_param basic program /usr/lib64/squid/squid_ldap_auth -b "dc=school,dc=org" -f "uid=%s" -h 192.168.0.250
> external_acl_type teachers %LOGIN /usr/lib64/squid/squid_ldap_group -b "dc=school,dc=org" -f "(&(cn=%g)(MemberUid=%u))" -h 192.168.0.250
> auth_param basic children 40 startup=5 idle=10 concurrency=150
> auth_param basic credentialsttl 9 hours
> acl ldap_username proxy_auth REQUIRED
>
> visible_hostname filter
> cache_mem 256 MB
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32 ::1
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
>
> acl qlproxy_icap_edomains dstdomain "/etc/opt/quintolabs/qlproxy/squid/icap_exclusions_domains.conf"
> acl qlproxy_icap_etypes rep_mime_type "/etc/opt/quintolabs/qlproxy/squid/icap_exclusions_contenttypes.conf"
> acl bps_exceptions dstdomain "/filter/urls/ok/domains"
> acl teacher_group external teachers teacher
> acl teacher_exception_list dstdomain "/filter/urls/teacher/exceptionsitelist"
> acl no_cache_sites dstdomain "/filter/urls/no_cache_sites"
> acl safe_url_sites dstdomain "/filter/urls/safe_url_sites"
> acl walsworth_sites dstdomain "/filter/urls/walsworth_sites"
> acl bpsblocked dstdomain "/filter/urls/blocked/domains"
> acl banned_users proxy_auth baduser
> acl windows_update dstdomain .windowsupdate.com .microsoft.com
>
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl localnet src fc00::/7 # RFC 4193 local private network range
> acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
>
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> adaptation_access qlproxy2 deny bps_exceptions
> adaptation_access qlproxy1 deny bps_exceptions
> adaptation_access qlproxy1 deny safe_url_sites
> adaptation_access qlproxy2 deny safe_url_sites
> adaptation_access qlproxy1 deny walsworth_sites
> adaptation_access qlproxy2 deny walsworth_sites
> adaptation_access qlproxy1 deny teacher_exception_list teacher_group
> adaptation_access qlproxy2 deny teacher_exception_list teacher_group
> adaptation_access qlproxy1 deny qlproxy_icap_edomains
> adaptation_access qlproxy2 deny qlproxy_icap_edomains
> adaptation_access qlproxy2 deny qlproxy_icap_etypes
> adaptation_access qlproxy1 allow all
> adaptation_access qlproxy2 allow all
>
> http_access allow manager localhost
> http_access deny manager
>
> cache deny no_cache_sites
> cache deny walsworth_sites
>
> http_access deny !Safe_ports
>
> http_access deny CONNECT !SSL_ports
>
> http_access allow bps_exceptions
> http_access allow windows_update
> http_access deny bpsblocked !teacher_group
> http_access deny banned_users
> http_access allow localnet
> http_access allow ldap_username
> http_access allow localhost
>
> http_access deny all
>
> http_port 8080
>
> hierarchy_stoplist cgi-bin ?
>
> cache_dir ufs /var/spool/squid 10000 16 256
>
> coredump_dir /var/spool/squid
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
>
>
> --
> Scott Mayo
Received on Fri Feb 14 2014 - 15:22:10 MST
