RE: [squid-users] Performance Issues Using NTML

From: Scott Anctil <sanctil@dont-contact.us>
Date: Wed, 14 Nov 2007 12:19:13 -0500

Chris, Adrian and Amos, Thanks for your help CPU is now running 1% - 40%
average supporting 22,000 users.

Things seem to be running well for the most part. I have a two
additional concerns.

First my access.log file grows about 200 MB/Hr. This means I reach the
max file size of 2GB in about 10 hours. I know that I can rotate the
logs within the 10 hours to solve this but is there a better solution?

The second issue is disk IO. I am getting "squidaio_queue_request:
WARNING - Queue congestion" in the cache.log. I found a number of
articles that stated not to worry about them unless they are "flooding"
you cache.log.

I wouldn't say that they are "flooding" my log but I see one every few
minutes. However during peak times I am also seeing
"squidaio_queue_request: WARNING - Disk I/O overloading"

What is the best path to resolution for this issue?

Scott

-----Original Message-----
From: Chris Robertson [mailto:crobertson@gci.net]
Sent: Friday, November 09, 2007 8:31 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Performance Issues Using NTML

Scott Anctil wrote:
> I have deployed a Squid server for a local school board to help with
> there ever increasing bandwidth issues. It is running Squid 2.6 Stable
> 16 under Ubuntu 7.10 server on a HP DL380. This server has 2GB of RAM,
2
> dual core 3.06 GHz processors and 288 GB of SAS 15k storage (RAID). I
am
> using NTLM authentication. We have only two schools running on it
> (300-500 concurrent connections) and the box is already running at
> 30-50% CPU consistently. The one time we tried all of the schools
> (1000-4000 concurrent connections) the box went to 100% CPU solid and
> users were dropping pages. I have been scouring the internet for
answers
> and have made a number of changes, none of which have helped. Should I
> not be expecting more out of this box? Here are the options I used to
> compile.
>

Assuming you mean 300-400 people using the cache, you should expect
more. Tips below...

> ./configure --with-maxfd=4096 --prefix=/usr/local/squid
> --enable-basic-auth-helpers="SMB" --enable-ntlm-auth-helpers="SMB"
> --enable-external-acl-helpers="wbinfo_group"
--enable-auth="basic,ntlm"
> --with-winbind-auth-challenge
>
> Here is my squid.conf
>
> #######################
> # Basic Configuration #
> #######################
>
> visible_hostname ***************
> http_port 3128
> cache_dir ufs /usr/local/squid/cache 50000 15 256
>

aufs is a better choice for a proxy that's going to be heavily used, but

I think it's going to require a recompile.

> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> tcp_outgoing_address 10.1.10.211
> append_domain *****************
> httpd_suppress_version_string on
> cache_effective_user squid
> authenticate_ttl 24 hours
> authenticate_ip_ttl 15 minutes
>
> #############
> # Log Files #
> #############
>
> cache_access_log /usr/local/squid/var/logs/access.log
> cache_log /usr/local/squid/var/logs/cache.log
> cache_store_log /usr/local/squid/var/logs/store.log
>

You might consider dumping the store log.

> ###################
> # Control Caching #
> ###################
>
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
>
> refresh_pattern cgi-bin 1 20% 2
> refresh_pattern \.asp$ 1 20% 2
> refresh_pattern \.acgi$ 1 20% 2
> refresh_pattern \.cgi$ 1 20% 2
> refresh_pattern \.pl$ 1 20% 2
> refresh_pattern \.shtml$ 1 20% 2
> refresh_pattern \.php3$ 1 20% 2
> refresh_pattern \? 1 20% 2
> refresh_pattern \.gif$ 10080 90% 43200
> refresh_pattern \.jpg$ 10080 90% 43200
> refresh_pattern \.bom\.gov\.au 30 20% 120
> refresh_pattern \.html$ 480 50% 22160
> refresh_pattern \.htm$ 480 50% 22160
> refresh_pattern \.class$ 10080 90% 43200
> refresh_pattern \.zip$ 10080 90% 43200
> refresh_pattern \.jpeg$ 10080 90% 43200
> refresh_pattern \.mid$ 10080 90% 43200
> refresh_pattern \.shtml$ 480 50% 22160
> refresh_pattern \.exe$ 10080 90% 43200
> refresh_pattern \.thm$ 10080 90% 43200
> refresh_pattern \.wav$ 10080 90% 43200
> refresh_pattern \.txt$ 10080 90% 43200
> refresh_pattern \.cab$ 10080 90% 43200
> refresh_pattern \.au$ 10080 90% 43200
> refresh_pattern \.mov$ 10080 90% 43200
> refresh_pattern \.xbm$ 10080 90% 43200
> refresh_pattern \.ram$ 10080 90% 43200
> refresh_pattern \.avi$ 10080 90% 43200
> refresh_pattern \.chtml$ 480 50% 22160
> refresh_pattern \.thb$ 10080 90% 43200
> refresh_pattern \.dcr$ 10080 90% 43200
> refresh_pattern \.bmp$ 10080 90% 43200
> refresh_pattern \.phtml$ 480 50% 22160
> refresh_pattern \.mpg$ 10080 90% 43200
> refresh_pattern \.pdf$ 10080 90% 43200
> refresh_pattern \.art$ 10080 90% 43200
> refresh_pattern \.swf$ 10080 90% 43200
> refresh_pattern \.mp3$ 10080 90% 43200
> refresh_pattern \.ra$ 10080 90% 43200
> refresh_pattern \.spl$ 10080 90% 43200
> refresh_pattern \.viv$ 10080 90% 43200
> refresh_pattern \.doc$ 10080 90% 43200
> refresh_pattern \.gz$ 10080 90% 43200
> refresh_pattern \.Z$ 10080 90% 43200
> refresh_pattern \.tgz$ 10080 90% 43200
> refresh_pattern \.tar$ 10080 90% 43200
> refresh_pattern \.vrm$ 10080 90% 43200
> refresh_pattern \.vrml$ 10080 90% 43200
> refresh_pattern \.aif$ 10080 90% 43200
> refresh_pattern \.aifc$ 10080 90% 43200
> refresh_pattern \.aiff$ 10080 90% 43200
> refresh_pattern \.arj$ 10080 90% 43200
> refresh_pattern \.c$ 10080 90% 43200
> refresh_pattern \.cpt$ 10080 90% 43200
> refresh_pattern \.dir$ 10080 90% 43200
> refresh_pattern \.dxr$ 10080 90% 43200
> refresh_pattern \.hqx$ 10080 90% 43200
> refresh_pattern \.jpe$ 10080 90% 43200
> refresh_pattern \.lha$ 10080 90% 43200
> refresh_pattern \.lzh$ 10080 90% 43200
> refresh_pattern \.midi$ 10080 90% 43200
> refresh_pattern \.movie$ 10080 90% 43200
> refresh_pattern \.mp2$ 10080 90% 43200
> refresh_pattern \.mpe$ 10080 90% 43200
> refresh_pattern \.mpeg$ 10080 90% 43200
> refresh_pattern \.mpga$ 10080 90% 43200
> refresh_pattern \.pl$ 10080 90% 43200
> refresh_pattern \.ppt$ 10080 90% 43200
> refresh_pattern \.ps$ 10080 90% 43200
> refresh_pattern \.qt$ 10080 90% 43200
> refresh_pattern \.qtm$ 10080 90% 43200
> refresh_pattern \.ras$ 10080 90% 43200
> refresh_pattern \.sea$ 10080 90% 43200
> refresh_pattern \.sit$ 10080 90% 43200
> refresh_pattern \.tif$ 10080 90% 43200
> refresh_pattern \.tiff$ 10080 90% 43200
> refresh_pattern \.snd$ 10080 90% 43200
> refresh_pattern \.wrl$ 10080 90% 43200
> refresh_pattern ^ftp:// 480 60% 22160
> refresh_pattern ^gopher:// 30 20% 120
> refresh_pattern . 480 50% 22160
>
> acl post_requests method POST
> cache deny post_requests
>
> acl No_Cache_Sites url_regex "/usr/local/squid/etc/squid-no_cache.acl"
>

This could be the start of your problems. What does this file look
like? Can you use a dstdomain acl instead of the url_regex?

> no_cache deny No_Cache_Sites
>
> ##########################################
> # Enable the NTLM Authentication Program #
> ##########################################
>
> auth_param ntlm program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp
> auth_param basic program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-basic
> auth_param basic children 25
> auth_param ntlm children 25
> auth_param ntlm keep_alive on
>
> ########
> # ACLs #
> ########
>
> external_acl_type nt_group ttl=60 children=25 protocol=2.5 %LOGIN
> /usr/local/squid/libexec/wbinfo_group.pl
>

I don't think that the 24 hour authenticate_ttl is going to have any
effect on the caching of the results from this external_acl. How
quickly does someone who was put in the Student's group need to be
brought out? Could you up the ttl here to 300 (5 minutes)?

> acl all src 0.0.0.0/0.0.0.0
> acl localhost src 127.0.0.1/255.255.255.255
> acl Safe_Ports port 80
> acl Safe_Ports port 21
> acl Safe_Ports port 9080
> acl Safe_Ports port 812
> acl Safe_Ports port 9090
> acl Safe_Ports port 8090
> acl Safe_Ports port 9000
> acl Safe_Ports port 22
> acl Safe_Ports port 88
> acl Safe_Ports port 8000
> acl Safe_Ports port 8008
>
> acl SSL_Ports port 443
>
> acl purge method PURGE
> acl CONNECT method CONNECT
>
> acl NTLMUsers proxy_auth REQUIRED
> acl Students external nt_group students
>
> acl Blocked_Sites url_regex "/usr/local/squid/etc/squid-block.acl"
> acl Bypass_Sites url_regex "/usr/local/squid/etc/squid-bypass.acl"
>

More regex. Perhaps some of these would be good candidates for
dstdomain as well.

> ##################
> # Control Access #
> ##################
>
> http_access allow Bypass_Sites
> http_access deny Blocked_Sites
> http_access deny SSL_Ports NTLMUsers Students
> http_access allow Safe_Ports NTLMUsers Students
> http_access deny NTLMUsers Students
> http_access allow NTLMUsers
>

Not performance related, but you probably want to swap the order of
these two blocks...

> http_access allow purge localhost
> http_access deny purge
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
>

As it stands now, you are allowing connections to non Safe_ports (and
allowing CONNECT to any port) if the destination is one of the
Bypass_Sites.

> http_access deny all
> icp_access allow all
>
> Help!
>
> Scott
> sanctil(at)wescotttech.com
>

I'd have to guess that it's the regex that's killing your performance.
See http://www.squid-cache.org/mail-archive/squid-users/200411/0179.html

for the schooling I received on the subject.

Chris
Received on Wed Nov 14 2007 - 10:19:52 MST

This archive was generated by hypermail pre-2.1.9 : Sat Dec 01 2007 - 12:00:02 MST