Re: [squid-users] Strange High CPU usage

From: Giulio Cervera <giulio.cervera@dont-contact.us>
Date: Mon, 22 Dec 2003 13:05:34 +0100

Thanks again, and sorry for the double post (I have reached the max size; I just
removed all comments from squid.conf from the previous mail).

We have some ACLs, but these are needed for our network rules. Do you think
upgrading the CPUs can solve our problem?

Our network is:
2 proxies for FTP (with antivirus)
2 proxies for the local LAN (we have many remote sites and just these 2 machines
have access to their firewall)
and these 4 proxies with squid, only for the Internet (there is no other
product running on them)
This is the full ACL; I have also attached the full config.

----------------------------------------------------------
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Tunnel_ports port 443-499
acl Tunnel_no_src src 10.253.0.0/16
acl Tunnel_method method CONNECT
acl Safe_ports port 80 # http
acl Safe_ports port 81 # http 2
acl Safe_ports port 21 # ftp
acl Safe_ports port 443-499 # https
acl Safe_ports port 1025-65535 # unregistered ports
acl clients src 10.0.0.0/8
acl clients src 172.16.0.0/12
acl clients src 192.168.0.0/16
acl clients src 194.218.0.0/19
acl locallan dst 10.253.0.0/16
acl locallan dst 194.218.2.0/23
acl proxylan dst 10.253.16.0/27
acl allowed_peer src 10.253.16.1
acl allowed_peer src 10.253.16.2
acl allowed_peer src 10.253.16.3
acl allowed_peer src 10.253.16.4

acl siteallow_url url_regex -i ^.{3,4}://.*\.public\.rupa\.it
acl siteallow_dst dst 194.218.2.160/27
acl siteallow_dst dst 10.253.64.0/24
acl siteallow_dst dst 10.253.16.0/27

acl dangurl urlpath_regex -i \.id[aq]\?.{100,} # CodeRED
acl dangurl urlpath_regex -i /readme\.(eml|nws|exe) # NIMDA

acl mgmtlan src 10.253.0.0/23
acl FTP proto FTP

acl SITIRUPA dst 194.218.0.0/19
acl SITIRUPA dst 10.0.0.0/8
acl SITIRUPA dst 172.16.0.0/16

acl LLPPProxy src 10.136.1.206
acl LLPPsicoge dst 194.218.14.15

#SNMP ACL
acl SNMPallow src 127.0.0.1/32
acl SNMPallow src 10.253.0.0/16
acl snmppublic snmp_community edsaipa

http_access allow allowed_peer

# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access allow manager mgmtlan
http_access deny manager

http_access deny to_localhost
http_access deny !Safe_ports
http_access deny dangurl

http_access deny Tunnel_method Tunnel_no_src !Tunnel_ports

http_access allow siteallow_url
http_access allow siteallow_dst
http_access deny locallan

http_access allow LLPPsicoge LLPPProxy
http_access deny LLPPsicoge

http_access allow clients

http_access deny all

http_reply_access allow all

icp_access allow allowed_peer
icp_access deny all

cache_peer_access 194.218.2.8 allow FTP
cache_peer_access 194.218.2.20 allow SITIRUPA
cache_peer_access 194.218.2.20 deny all
cache_peer_access 10.253.16.1 deny SITIRUPA
cache_peer_access 10.253.16.1 allow all
cache_peer_access 10.253.16.2 deny SITIRUPA
cache_peer_access 10.253.16.2 allow all
cache_peer_access 10.253.16.3 deny SITIRUPA
cache_peer_access 10.253.16.3 allow all
#cache_peer_access 10.253.16.4 deny SITIRUPA
#cache_peer_access 10.253.16.4 allow all

always_direct allow proxylan
always_direct deny FTP
always_direct deny SITIRUPA
always_direct deny all

never_direct deny proxylan
never_direct allow SITIRUPA

----------------------------------------------------------

Duane Wessels wrote:

>
>On Fri, 19 Dec 2003, Giulio Cervera wrote:
>
>
>
>>thanks for your reply:
>>
>>I'm monitoring median_select_fds
>>
>>this morning with 150req/sec
>>
>>select_loops = 280.262863/sec
>>select_fds = 1502.051748/sec
>>average_select_fd_period = 0.000660/fd
>>median_select_fds = 3.984375
>>
>>this evening with 40req/sec
>>
>>select_loops = 383.217992/sec
>>select_fds = 457.205789/sec
>>average_select_fd_period = 0.001830/fd
>>median_select_fds = 0.000000
>>
>>
>
>I assume that you see high 99% usage at 150 req/sec, and
>"okay" CPU usage at 40 req/sec.
>
>From the above numbers, it looks like the high CPU usage is not due to
>some stuck file descriptor.
>
>Was that the entire squid configuration that you sent? Or do you have some
>long ACL lists or something that could be causing the high CPU usage?
>
>Duane W.
>
>
>

-- 
*Giulio Cervera*
EDS PA SpA
Via Atanasio Soldati 80
00155 Roma (Italy)
tel: +39 06 22739 270
fax: +39 06 22739 233
e-mail: giulio.cervera@edspa.it

Received on Mon Dec 22 2003 - 05:06:29 MST
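
Duane's question about whether the ACLs could account for the CPU load can be checked by counting what one request costs before a rule decides it. The following is an added example, not part of the original post or of Squid: a small Python model of `http_access` first-match evaluation over a condensed, constructed subset of the rules posted above. It handles only `src`, `port`, `url_regex` and `urlpath_regex`, uses Python's `re` instead of Squid's regex library, and the request fields (`src`, `port`, `url`, `path`) are assumptions of this sketch.

```python
import ipaddress, re
# Constructed, condensed subset of the squid.conf above (rule order kept).
CONF = r"""
acl all src 0.0.0.0/0.0.0.0
acl Safe_ports port 80 21 443-499 1025-65535
acl clients src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
acl siteallow_url url_regex -i ^.{3,4}://.*\.public\.rupa\.it
acl dangurl urlpath_regex -i \.id[aq]\?.{100,}
acl dangurl urlpath_regex -i /readme\.(eml|nws|exe)
http_access deny !Safe_ports
http_access deny dangurl
http_access allow siteallow_url
http_access allow clients
http_access deny all
"""

def parse(conf):
    acls, rules = {}, []
    for line in conf.splitlines():
        tok = line.split(" #")[0].split()
        if tok[:1] == ["acl"]:  # repeated names accumulate values (OR)
            kind, vals = acls.setdefault(tok[1], (tok[2], []))
            flags = re.I if "-i" in tok else 0
            vals += [re.compile(v, flags) if kind.endswith("regex") else v
                     for v in tok[3:] if v != "-i"]
        elif tok[:1] == ["http_access"]:
            rules.append((tok[1], tok[2:]))
    return acls, rules

def match(kind, vals, req, stats):
    stats["acl_checks"] += 1
    if kind == "src":
        return any(ipaddress.ip_address(req["src"]) in ipaddress.ip_network(v) for v in vals)
    if kind == "port":  # "80" or "443-499"
        spans = [tuple(map(int, (v + "-" + v).split("-")[:2])) for v in vals]
        return any(lo <= req["port"] <= hi for lo, hi in spans)
    for rx in vals:  # url_regex / urlpath_regex: try each pattern in turn
        stats["regex_tests"] += 1
        if rx.search(req["url" if kind == "url_regex" else "path"]):
            return True
    return False

def evaluate(conf, req):  # req keys: src, port, url, path
    acls, rules = parse(conf)
    stats = {"acl_checks": 0, "regex_tests": 0}
    for n, (action, names) in enumerate(rules, 1):  # ACLs on a line are ANDed
        if all(match(*acls[a.lstrip("!")], req, stats) != a.startswith("!") for a in names):
            return action, n, stats
    return ("allow" if rules[-1][0] == "deny" else "deny"), None, stats
```

Every request that ends at `allow clients` has already paid for each regex ACL listed above that rule, so the position of regex rules in the list sets the per-request cost.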
