[squid-users] Still having some slowness

From: Scott Mayo <scotgmayo_at_gmail.com>
Date: Fri, 14 Feb 2014 09:03:07 -0600

Finally got my new server with a newer version of squid on it up and
going. I am still having a few slowness issues. Trying to decide
exactly what it is. I'll know a bit more as the day goes along.
Right now I have disabled the icap service to take it out of the way.
Here are a few statistics and my squid.conf if someone has a
suggestion.

Squid server is:
i3-2100 @ 3.10GHz with 4 cores
8GB Ram
160GB HDD
Centos 6.5
Squid 3.1
Private NIC is a 1Gb NIC
Public NIC is a 100Mb NIC
Internet connection is 20Mbps

I probably have a total of 150 users on at once maybe.

Sometimes I get an "Unable to connect to Proxy" when students all get
to class and start logging on. If they hit refresh a time or two,
then they will be prompted for authentication. Sometimes it is quite
slow to pull up a website (5-30 seconds).

I have watched 'top' and basically all CPUs are usually around 0.3 to
0.7 percent. I have seen them get up to 2.0 to 5.0 percent, but
nothing extremely bad. I usually have around 5Gb-5.5Gb of memory free
and I don't ever see any swap used. Load averages are around 0.0.2,
0.0.1, 0.0.0

Below is my squid.conf if anyone has any suggestions of something that
may be slowing things down. At this point I am a bit lost since I
have the icap turned off. Those files that have domains in them are
not too big. Probably nothing more than 50 domains in any one file
and maybe a total of a couple hundred.

Thanks.

icap_enable off
icap_preview_enable on
icap_preview_size 4096
icap_persistent_connections on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Client-Username
icap_service qlproxy1 reqmod_precache bypass=0 icap://127.0.0.1:1344/reqmod
icap_service qlproxy2 respmod_precache bypass=0 icap://127.0.0.1:1344/respmod

#use for LDAP authentication
auth_param basic program /usr/lib64/squid/squid_ldap_auth -b "dc=school,dc=org" -f "uid=%s" -h 192.168.0.250
external_acl_type teachers %LOGIN /usr/lib64/squid/squid_ldap_group -b "dc=school,dc=org" -f "(&(cn=%g)(MemberUid=%u))" -h 192.168.0.250
auth_param basic children 40 startup=5 idle=10 concurrency=150
auth_param basic credentialsttl 9 hours
acl ldap_username proxy_auth REQUIRED

visible_hostname filter
cache_mem 256 MB

acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

acl qlproxy_icap_edomains dstdomain "/etc/opt/quintolabs/qlproxy/squid/icap_exclusions_domains.conf"
acl qlproxy_icap_etypes rep_mime_type "/etc/opt/quintolabs/qlproxy/squid/icap_exclusions_contenttypes.conf"
acl bps_exceptions dstdomain "/filter/urls/ok/domains"
acl teacher_group external teachers teacher
acl teacher_exception_list dstdomain "/filter/urls/teacher/exceptionsitelist"
acl no_cache_sites dstdomain "/filter/urls/no_cache_sites"
acl safe_url_sites dstdomain "/filter/urls/safe_url_sites"
acl walsworth_sites dstdomain "/filter/urls/walsworth_sites"
acl bpsblocked dstdomain "/filter/urls/blocked/domains"
acl banned_users proxy_auth baduser
acl windows_update dstdomain .windowsupdate.com .microsoft.com

acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
adaptation_access qlproxy2 deny bps_exceptions
adaptation_access qlproxy1 deny bps_exceptions
adaptation_access qlproxy1 deny safe_url_sites
adaptation_access qlproxy2 deny safe_url_sites
adaptation_access qlproxy1 deny walsworth_sites
adaptation_access qlproxy2 deny walsworth_sites
adaptation_access qlproxy1 deny teacher_exception_list teacher_group
adaptation_access qlproxy2 deny teacher_exception_list teacher_group
adaptation_access qlproxy1 deny qlproxy_icap_edomains
adaptation_access qlproxy2 deny qlproxy_icap_edomains
adaptation_access qlproxy2 deny qlproxy_icap_etypes
adaptation_access qlproxy1 allow all
adaptation_access qlproxy2 allow all

http_access allow manager localhost
http_access deny manager

cache deny no_cache_sites
cache deny walsworth_sites

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access allow bps_exceptions
http_access allow windows_update
http_access deny bpsblocked !teacher_group
http_access deny banned_users
http_access allow localnet
http_access allow ldap_username
http_access allow localhost

http_access deny all

http_port 8080

hierarchy_stoplist cgi-bin ?

cache_dir ufs /var/spool/squid 10000 16 256

coredump_dir /var/spool/squid

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

-- 
Scott Mayo
Received on Fri Feb 14 2014 - 15:03:17 MST
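
Added example, not part of the original post: a simplified Python model of how Squid evaluates the posted http_access lines top to bottom, stopping at the first rule whose ACLs all match. The domain entries, client addresses and user names are constructed for illustration, and the model assumes that an ACL needing a login answers a request without credentials with a 407 challenge.

```python
# Simplified first-match model of the site http_access rules in the posted squid.conf.
RULES = [  # (action, ACLs ANDed left to right; "!" negates)
    ("allow", ["bps_exceptions"]),
    ("allow", ["windows_update"]),
    ("deny", ["bpsblocked", "!teacher_group"]),
    ("deny", ["banned_users"]),
    ("allow", ["localnet"]),
    ("allow", ["ldap_username"]),
    ("allow", ["localhost"]),
    ("deny", ["all"]),
]
AUTH_ACLS = {"teacher_group", "banned_users", "ldap_username"}  # need a login
# Constructed sample entries; the real domain files are not shown in the post.
DOMAINS = {
    "bps_exceptions": {"ok.example"},
    "windows_update": {"windowsupdate.com", "microsoft.com"},
    "bpsblocked": {"games.example"},
}

def acl_matches(name, req):
    if name in DOMAINS:  # treat every entry as "domain and its subdomains"
        return any(req["host"] == d or req["host"].endswith("." + d)
                   for d in DOMAINS[name])
    if name == "localnet":
        return req["src"].startswith("192.168.")
    if name == "localhost":
        return req["src"] == "127.0.0.1"
    if name == "banned_users":
        return req["user"] == "baduser"
    if name == "teacher_group":
        return "teacher" in req["groups"]
    return True  # "ldap_username" (any valid login) and "all"

def evaluate(req):
    """Return (decision, deciding rule, count of auth-dependent ACL checks)."""
    auth_checks = 0
    for action, acls in RULES:
        rule = f"{action} {' '.join(acls)}"
        for acl in acls:
            name = acl.lstrip("!")
            if name in AUTH_ACLS:
                auth_checks += 1
                if req["user"] is None:  # no credentials yet: 407 challenge
                    return "challenge", rule, auth_checks
            if acl_matches(name, req) == acl.startswith("!"):
                break  # this ACL failed, so the rule does not apply
        else:
            return action, rule, auth_checks
    return "deny", "(no rule matched)", auth_checks
```

In this model a 192.168.x.x client is always decided by `allow localnet`, and the login prompt comes from `deny banned_users`, the first rule that needs a user name for ordinary sites.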