[squid-users] Squid 3.4 very high cpu usage

From: Igor Novgorodov <igor_at_novg.net>
Date: Tue, 15 Jul 2014 17:56:40 +0400

I've seen a February thread about this problem, but it seems that it
never reached a consensus.

I've just tried to migrate from 3.3.12 to 3.4.6, but almost instantly
got timeout problems and 100% CPU usage by the squid process.
I'm using Kerberos auth and external_ldap_group helpers plus SSL bump;
the config is attached below.

All caching (memory or on-disk) is disabled at compile time:
         ./configure \
         --prefix=/opt/squid \
         --sysconfdir=/etc/squid \
         --disable-loadable-modules \
         --disable-wccp \
         --disable-wccpv2 \
         --disable-eui \
         --disable-htcp \
         --disable-select \
         --disable-poll \
         --with-pthreads \
         --disable-storeio \
         --disable-disk-io \
         --disable-removal-policies \
         --enable-delay-pools \
         --disable-useragent-log \
         --disable-referer-log \
         --enable-ssl \
         --enable-ssl-crtd \
         --disable-cache-digests \
         --enable-icap-client \
         --disable-snmp \
         --disable-ident-lookups \
         --enable-auth \
         --enable-auth-basic="LDAP,PAM" \
         --enable-auth-ntlm="smb_lm" \
         --enable-auth-negotiate="kerberos" \
         --enable-auth-digest="LDAP,file" \
         --enable-external-acl-helpers="LDAP_group" \
         --enable-zph-qos \
         --with-openssl \
         --disable-ipv6

Any ideas? Thanks in advance

# squid.conf as posted (Squid 3.4.6, no cache backends compiled in).
# NOTE(review): the mail client wrapped several long directives onto more
# than one line (http_port, acl ... dstdomain "file", auth_param ... program,
# external_acl_type, the acl ... external lines, sslproxy_cipher,
# sslcrtd_program and one http_access rule); in the real file each of these
# is a single line. The archive also rewrote "@" as "_at_" in e-mail
# addresses and in the Kerberos principal.
#
# Logging verbosity. logfile_rotate is set again near the end of the file
# (90); the later occurrence should be the effective one.
debug_options ALL,1 rotate=1
logfile_rotate 0

cache_mgr admin_at_domain.ru
visible_hostname squid.domain.ru

# Listener with TLS bumping and per-host generated certificates (one
# directive, wrapped). options= disables SSLv2/SSLv3 and cipher= excludes
# aNULL/MD5/DSS suites. The same cipher string is repeated in sslproxy_cipher
# below; "DH+AES" appears twice in both (harmless, but redundant).
http_port 10.1.16.19:3128 ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=64MB
cert=/etc/squid/ssl/ca-squid.domain.ru.pem options=NO_SSLv2,NO_SSLv3
dhparams=/etc/squid/ssl/dh2048.pem
cipher=ECDH+AESGCM:DH+AESGCM:ECDH+AES:DH+AES:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS

cache_effective_user squid
cache_effective_group squid

# ICAP ACL
# Destinations in this list skip ICAP scanning in both directions (see the
# adaptation_access deny rules below).
acl icap_whitelisted dstdomain
"/etc/squid/lists/icap_domains_whitelisted.txt"

# ICAP scanning
# The authenticated user name is passed to the scanner unencoded in the
# X-Authenticated-User header; previews of 1024 bytes are sent first.
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_connect_timeout 1 second
icap_preview_enable on
icap_preview_size 1024
icap_206_enable on
icap_persistent_connections on

# Both services (request and response side) carry bypass=1: if the scanner
# at 127.0.0.1:1344 cannot be reached within icap_connect_timeout (1 second)
# or fails, the transaction proceeds unscanned instead of being refused.
# This is a deliberate fail-open; whitelisted domains are never scanned.
icap_service service_req reqmod_precache bypass=1
icap://127.0.0.1:1344/squidclamav
adaptation_access service_req deny icap_whitelisted
adaptation_access service_req allow all

icap_service service_resp respmod_precache bypass=1
icap://127.0.0.1:1344/squidclamav
adaptation_access service_resp deny icap_whitelisted
adaptation_access service_resp allow all

# Strip X-Forwarded-For and hide the Squid version from error pages;
# note that "via on" near the end of the file still adds a Via header.
forwarded_for delete
httpd_suppress_version_string on

### Error messages ###
error_directory /etc/squid/errors/ru

### Cache options ###
# "cache deny all" means no response is eligible for caching, matching the
# build (--disable-storeio / --disable-disk-io); the 1 GB cache_mem value
# therefore appears to be unused - presumably a leftover.
cache_mem 1024 MB
cache deny all

# Basic (PAM) authentication, one directive wrapped over two lines. Basic
# credentials reach the proxy only base64-encoded; a successful check is
# cached for 10800 s (3 h) before the helper is consulted again.
auth_param basic program /opt/squid/libexec/basic_pam_auth -n squid -t
300 -o
auth_param basic children 30 startup=5 idle=5
auth_param basic credentialsttl 10800 seconds
auth_param basic realm squid.domain.ru

# The commented-out variant pins the helper to the HTTP/squid.domain.ru
# service principal; the active line uses GSS_C_NO_NAME, i.e. the helper
# accepts whichever service principals are present in its keytab.
#auth_param negotiate program /opt/squid/libexec/negotiate_kerberos_auth
-r -s HTTP/squid.domain.ru_at_DOMAIN.RU
auth_param negotiate program /opt/squid/libexec/negotiate_kerberos_auth
-r -s GSS_C_NO_NAME
auth_param negotiate children 100 startup=10 idle=10
auth_param negotiate keep_alive on

authenticate_cache_garbage_interval 1 hour
authenticate_ttl 1 hour

# Group membership lookups against AD via ext_ldap_group_acl (one directive,
# wrapped). The bind password is read from /etc/squid/ldap.password (-W)
# rather than passed on the command line; -R disables referral chasing;
# -S and -K strip the NT domain and the Kerberos realm from %LOGIN before it
# is substituted for %u in the filter. Results are cached for only 30 s
# (ttl / negative_ttl).
# NOTE(review): the URI is plain ldap:// and no -Z (StartTLS) option is
# given, so the simple bind and the queries appear to travel unencrypted to
# 192.168.192.18 - confirm that this is acceptable on that network segment.
external_acl_type squid_ldap ttl=30 negative_ttl=30 children-max=100
children-startup=10 children-idle=5 %LOGIN
/opt/squid/libexec/ext_ldap_group_acl -b "OU=Users,DC=domain,DC=ru" -s
sub -D CN=service_ldap_ro,CN=Users,DC=domain,DC=ru -W
/etc/squid/ldap.password -R -H ldap://192.168.192.18 -v 3 -S -K -f
"(&(sAMAccountName=%u)(memberOf=%g))"
# One group DN per ACL (each acl line is wrapped over two lines).
acl proxy_full_access external squid_ldap
CN=proxy_full_access,OU=Proxy,OU=Groups,DC=domain,DC=ru
acl proxy_email_access external squid_ldap
CN=proxy_email_access,OU=Proxy,OU=Groups,DC=domain,DC=ru
acl proxy_hr_access external squid_ldap
CN=proxy_hr_access,OU=Proxy,OU=Groups,DC=domain,DC=ru
acl proxy_no_access external squid_ldap
CN=proxy_no_access,OU=Proxy,OU=Groups,DC=domain,DC=ru
acl proxy_no_access_expired external squid_ldap
CN=Expired_Passwords,OU=Groups,DC=domain,DC=ru

### Delay Pools ###
# One class-4 pool is declared, but "delay_access 1 deny all" means no
# request is ever assigned to it, so the pool is effectively disabled.
delay_pools 1
delay_class 1 4
delay_access 1 deny all
delay_parameters 1 -1/-1 -1/-1 -1/-1 8000/16000

### File lists ###
# Additional definitions live in this included file (not shown in the post).
include "/etc/squid/lists.conf"

### File ACLs ###
## Lists ##
acl lists_block_dom dstdomain "/etc/squid/lists/domains_blocked.txt"
acl lists_fun_dom dstdomain "/etc/squid/lists/domains_fun.txt"
acl lists_job_dom dstdomain "/etc/squid/lists/domains_job.txt"

## Custom Lists ##
acl domains_whitelisted dstdomain "/etc/squid/lists/domains_whitelisted.txt"
acl domains_ssl_direct dstdomain "/etc/squid/lists/domains_ssl_direct.txt"
acl domains_mail dstdomain "/etc/squid/lists/domains_mail.txt"
acl domains_no_auth dstdomain "/etc/squid/lists/domains_no_auth.txt"
acl ip_ssl_direct dst "/etc/squid/lists/ip_ssl_direct.txt"

# SSL exceptions
acl domains_ssl_error dstdomain "/etc/squid/lists/domains_ssl_error.txt"

# SSL Proxying
# Bump policy, first match wins: listed domains/IPs are tunnelled untouched
# ("none"); domains in domains_ssl_error are bumped client-first and, via
# sslproxy_cert_error below, upstream certificate errors for them are
# tolerated - so those destinations get no server-certificate protection;
# everything else is bumped server-first with certificate errors denied.
# sslproxy_flags DONT_VERIFY_PEER stays commented out, so verification is on.
ssl_bump none domains_ssl_direct
ssl_bump none ip_ssl_direct
ssl_bump client-first domains_ssl_error
ssl_bump server-first all
sslproxy_options NO_SSLv2,NO_SSLv3
sslproxy_cipher
ECDH+AESGCM:DH+AESGCM:ECDH+AES:DH+AES:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
# sslproxy_flags DONT_VERIFY_PEER
sslproxy_cert_error allow domains_ssl_error
sslproxy_cert_error deny all
# Certificate generator helper with a 128 MB on-disk certificate database
# (one directive, wrapped); 50 helper children.
sslcrtd_program /opt/squid/libexec/ssl_crtd -s /etc/squid/ssl/ssl_db -M
128MB
sslcrtd_children 50 startup=10 idle=10
always_direct allow all

### Port based ACLs ###
# ports_allowed governs all methods; ports_connect restricts CONNECT targets.
acl ports_allowed port 20
acl ports_allowed port 21
acl ports_allowed port 80
acl ports_allowed port 443
acl ports_allowed port 9000

acl ports_connect port 443
acl ports_connect port 9000

### Time period ACLs ###
# time_blocked is referenced only by the commented-out http_access rule.
acl time_fun time MTWHF 13:00-14:00 18:30-23:00
acl time_blocked time MTWHF 23:00-23:59 00:00-8:00
acl time_weekends time SA 00:00-23:59

### Other ACLs ###
# Internal client networks; everything else is rejected by the first rule.
acl net_domain src 10.0.0.0/8
acl net_domain src 192.168.20.0/24

acl method_connect method CONNECT
acl proxy_authorized proxy_auth REQUIRED

### Access lists ###
# Evaluated top to bottom, first match wins:
#  1. only the internal networks may use the proxy;
#  2. the no-auth domain list is reachable without credentials (allowed
#     ports only);
#  3. everything else requires authentication, then the group-based denials;
#  4. CONNECT is limited to ports_connect, other methods to ports_allowed;
#  5. final default allow.
# NOTE(review): lists_mail_dom (the mail rule) and proxy_mudak_access (the
# allow rule) are not defined in this file; presumably they come from
# /etc/squid/lists.conf - confirm, since Squid normally treats an unknown
# ACL name in http_access as a fatal configuration error.
http_access deny !net_domain
http_access allow domains_no_auth ports_allowed
http_access deny !proxy_authorized
http_access deny proxy_no_access
http_access deny proxy_no_access_expired
#http_access deny !proxy_full_access time_blocked
http_access deny !proxy_full_access !time_fun lists_fun_dom
http_access deny !proxy_full_access lists_block_dom !domains_whitelisted
http_access deny !proxy_email_access !proxy_full_access
!domains_whitelisted lists_mail_dom
http_access deny !proxy_hr_access !proxy_full_access lists_job_dom
http_access allow proxy_mudak_access
http_access deny method_connect !ports_connect
http_access deny !ports_allowed
http_access allow all

# Users in the expired-password group are redirected to the password-change
# page instead of receiving the generic denial.
deny_info https://support.domain.ru/pass_change proxy_no_access_expired

### Other parameters ###
access_log stdio:/var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
cache_store_log none

# Overrides the "logfile_rotate 0" set at the top of the file.
logfile_rotate 90
mime_table /etc/squid/mime.conf

# A body size of 0 KB means no limit on request bodies.
request_header_max_size 20 KB
request_body_max_size 0 KB

via on

shutdown_lifetime 3 seconds
Received on Tue Jul 15 2014 - 13:56:45 MDT
