Re: [squid-users] Can cache_peer be localhost?

2018-02-17 Thread Yuri


18.02.2018 01:13, Matus UHLAR - fantomas wrote:
> On 18.02.18 00:05, Yuri wrote:
>> May be, assumed to forwarding to parent proxy(-es)?
>
> according to original post, it's different port configured on the same
> squid instance.

Ewww. It seems like looping.

>> 17.02.2018 23:22, Matus UHLAR - fantomas wrote:
>>>>> client -> Squid (3129) -> Squid (3128) -> Squid (3128) ... repeat
>>>>> forever.
>>>
>>> On 17.02.18 10:45, Peng Yu wrote:
>>>> Is there a way to configure squid so that anything goes to 3128 will
>>>> directly go outside of the machine instead of going back to 3128
>>>> again, yet still let 3129 be forwarded to the local 3128 in the
>>>> round-robin fashion?
>>>
>>> what is the point to send the request to itself?

-- 
*
* C++20 : Bug to the future *
*




___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Can cache_peer be localhost?

2018-02-17 Thread Matus UHLAR - fantomas

On 18.02.18 00:05, Yuri wrote:
> May be, assumed to forwarding to parent proxy(-es)?

according to original post, it's different port configured on the same squid
instance.

> 17.02.2018 23:22, Matus UHLAR - fantomas wrote:
>>>> client -> Squid (3129) -> Squid (3128) -> Squid (3128) ... repeat
>>>> forever.
>>
>> On 17.02.18 10:45, Peng Yu wrote:
>>> Is there a way to configure squid so that anything goes to 3128 will
>>> directly go outside of the machine instead of going back to 3128
>>> again, yet still let 3129 be forwarded to the local 3128 in the
>>> round-robin fashion?
>>
>> what is the point to send the request to itself?


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
It's now safe to throw off your computer.


Re: [squid-users] Can cache_peer be localhost?

2018-02-17 Thread Yuri
May be, assumed to forwarding to parent proxy(-es)?


17.02.2018 23:22, Matus UHLAR - fantomas wrote:
>>>  client -> Squid (3129) -> Squid (3128) -> Squid (3128) ... repeat
>>> forever.
>
> On 17.02.18 10:45, Peng Yu wrote:
>> Is there a way to configure squid so that anything goes to 3128 will
>> directly go outside of the machine instead of going back to 3128
>> again, yet still let 3129 be forwarded to the local 3128 in the
>> round-robin fashion?
>
> what is the point to send the request to itself?
>

-- 
*
* C++20 : Bug to the future *
*






Re: [squid-users] Forward proxy: TLS connections to server

2018-02-17 Thread Yuri
IM, which uses HTTP-similar session bootstrap, requires special
investigation and custom configuration in case it goes via a forwarding proxy.


17.02.2018 22:58, ninadmnaik wrote:
> Thanks for the quick reply Yuri.
>
> "Note that these are not 'https' requests. Just plain socket connections."
> Maybe this statement wasn't entirely correct. We are using the
> 'connect' method to talk to squid proxy. And squid proxy is able to connect
> to the remote xmpp server. It's just that the xmpp server supports TLS
> connections only and thus further communication is not possible.

If we're talking about CONNECT method session initiation, it is
required (in general) to specify additional ports on Squid which are
permitted to use the CONNECT method.

For example, in your case, port 1449.

Generally speaking, Squid's defaults do not assume IM clients, as
Squid itself is not a proxy for all and any protocols. So, it requires
additional configuration for passing IM via proxy.

> From the access logs:
> 1518880487.658   1449 127.0.0.1 TCP_TUNNEL/200 46 CONNECT fcm-xmpp.googleapis.com:5235 - HIER_DIRECT/2607:f8b0:4001:c0b::bc -
>
> "Try to read https://wiki.squid-cache.org first."
> Yeah, we've been doing that and will investigate further.

Indeed :)

> --
> Sent from:
> http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html

-- 
*
* C++20 : Bug to the future *
*






Re: [squid-users] Forward proxy: TLS connections to server

2018-02-17 Thread ninadmnaik
Thanks for the quick reply Yuri. 

"Note that these are not 'https' requests. Just plain socket connections."
Maybe this statement wasn't entirely correct. We are using the
'connect' method to talk to squid proxy. And squid proxy is able to connect
to the remote xmpp server. It's just that the xmpp server supports TLS
connections only and thus further communication is not possible. 

From the access logs:
1518880487.658   1449 127.0.0.1 TCP_TUNNEL/200 46 CONNECT fcm-xmpp.googleapis.com:5235 - HIER_DIRECT/2607:f8b0:4001:c0b::bc -

"Try to read https://wiki.squid-cache.org first."
Yeah, we've been doing that and will investigate further. 



--
Sent from: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
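
An added example, not part of the original thread: a Python reader for Squid's native access.log format, applied to the line quoted above plus three constructed lines. It reports TCP_TUNNEL entries whose CONNECT destination port is outside an expected set; the set {443} and all function names are assumptions of this example.

```python
from typing import NamedTuple, Optional

# Native access.log fields, in order:
# time elapsed_ms client result/status bytes method URL user hierarchy/peer type
class Entry(NamedTuple):
    timestamp: float
    elapsed_ms: int
    client: str
    result: str
    status: int
    size: int
    method: str
    url: str
    user: str
    hierarchy: str
    peer: str
    mime: str

SAMPLE = [
    # The line from the message above.
    "1518880487.658   1449 127.0.0.1 TCP_TUNNEL/200 46 CONNECT "
    "fcm-xmpp.googleapis.com:5235 - HIER_DIRECT/2607:f8b0:4001:c0b::bc -",
    # Constructed lines (documentation addresses, not real traffic).
    "1518880490.120     85 192.0.2.10 TCP_MISS/200 5120 GET "
    "http://example.org/ - HIER_DIRECT/198.51.100.7 text/html",
    "1518880493.004   2301 192.0.2.10 TCP_TUNNEL/200 3920 CONNECT "
    "example.org:443 - HIER_DIRECT/198.51.100.7 -",
    "1518880495.500      0 192.0.2.11 TCP_DENIED/403 3800 CONNECT "
    "example.net:25 - HIER_NONE/- text/html",
]

def parse_line(line: str) -> Optional[Entry]:
    """Split one native-format line; return None if it does not fit."""
    f = line.split()
    if len(f) != 10 or "/" not in f[3] or "/" not in f[8]:
        return None
    result, status = f[3].split("/", 1)
    hierarchy, peer = f[8].split("/", 1)
    try:
        return Entry(float(f[0]), int(f[1]), f[2], result, int(status),
                     int(f[4]), f[5], f[6], f[7], hierarchy, peer, f[9])
    except ValueError:
        return None

def connect_target(entry: Entry):
    """For CONNECT the URL field is host:port; return (host, port)."""
    if entry.method != "CONNECT":
        return None
    host, sep, port = entry.url.rpartition(":")
    if not sep or not port.isdigit():
        return None
    return host.strip("[]"), int(port)

def unexpected_tunnels(lines, allowed_ports=frozenset({443})):
    """Established tunnels to ports outside allowed_ports."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        target = connect_target(entry) if entry else None
        if target and entry.result == "TCP_TUNNEL" and target[1] not in allowed_ports:
            hits.append((entry.client, target[0], target[1], entry.elapsed_ms))
    return hits

if __name__ == "__main__":
    for hit in unexpected_tunnels(SAMPLE):
        print("client=%s host=%s port=%d elapsed_ms=%d" % hit)
```
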


Re: [squid-users] Can cache_peer be localhost?

2018-02-17 Thread Peng Yu
>  client -> Squid (3129) -> Squid (3128) -> Squid (3128) ... repeat forever.

Is there a way to configure squid so that anything goes to 3128 will
directly go outside of the machine instead of going back to 3128
again, yet still let 3129 be forwarded to the local 3128 in the
round-robin fashion?

-- 
Regards,
Peng
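
An added example, not part of the original thread: a Python check that flags the self-peering shown in the diagram above, where a cache_peer line points at a loopback address and a port the same instance listens on. Both squid.conf fragments are constructed (server1 and server2 are placeholder hostnames), and cache_peer_access rules are not evaluated, so a hit means the peer selection needs review.

```python
import ipaddress

# Constructed squid.conf fragments (not taken from the thread).
LOOPING_CONF = """
http_port 3128
http_port 3129
# requests arriving on 3128 can be handed to the peer on 3128 again
cache_peer localhost parent 3128 0 no-query round-robin
"""

FORWARDING_CONF = """
http_port 3128
cache_peer server1 parent 3128 0 no-query round-robin
cache_peer server2 parent 3128 0 no-query round-robin
"""

def directives(conf_text):
    """Yield each non-comment squid.conf line as a list of tokens."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line.split()

def listening_ports(conf_text):
    """Ports from 'http_port [ip:]port ...' and 'https_port [ip:]port ...'."""
    ports = set()
    for tokens in directives(conf_text):
        if tokens[0] in ("http_port", "https_port") and len(tokens) > 1:
            port = tokens[1].rpartition(":")[2]
            if port.isdigit():
                ports.add(int(port))
    return ports

def is_loopback(host):
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False  # other names are not resolved; the check stays offline

def self_peers(conf_text):
    """cache_peer entries that point back at one of this config's own ports."""
    ports = listening_ports(conf_text)
    findings = []
    for tokens in directives(conf_text):
        # cache_peer hostname type http-port icp-port [options]
        if tokens[0] == "cache_peer" and len(tokens) >= 4 and tokens[3].isdigit():
            host, port = tokens[1], int(tokens[3])
            if is_loopback(host) and port in ports:
                findings.append((host, port))
    return findings

if __name__ == "__main__":
    for name, conf in (("looping", LOOPING_CONF), ("forwarding", FORWARDING_CONF)):
        print(name, self_peers(conf))
```
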


Re: [squid-users] Forward proxy: TLS connections to server

2018-02-17 Thread Yuri


17.02.2018 21:44, ninadmnaik wrote:
> Hello,
> We need to communicate with a xmpp server over TLS connections. Now, we know
> that our app can open a TLS connection to Squid. But can Squid initiate a
> TLS connection to the xmpp server?

Only if it goes over HTTP/HTTPS port. With some difficulties, and it often
requires special configuration.

> Our App (TLS socket connection)---> Squid (Can this be TLS
> connection?)---> XMPP server
>
> If it's possible, how to go about setting up squid for this?
>
> Would 'ssl-bump' feature be the way to go?

Maybe yes, maybe no. Depends on the previous. And not ssl-bump. Let's
say - peek-and-splice, and most probably splice rather than bump.

> http://www.squid-cache.org/Versions/v3/3.5/cfgman/https_port.html
>
> Note that these are not 'https' requests. Just plain socket connections.

Squid is not a sockets proxy. It's an HTTP/HTTPS/FTP proxy only.

> Please point us in the right direction.

Try to read https://wiki.squid-cache.org first.

> Thanks.
>
> --
> Sent from:
> http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html

-- 
*
* C++20 : Bug to the future *
*






[squid-users] Forward proxy: TLS connections to server

2018-02-17 Thread ninadmnaik
Hello, 
We need to communicate with a xmpp server over TLS connections. Now, we know
that our app can open a TLS connection to Squid. But can Squid initiate a
TLS connection to the xmpp server? 

Our App (TLS socket connection)---> Squid (Can this be TLS
connection?)---> XMPP server

If it's possible, how to go about setting up squid for this? 

Would 'ssl-bump' feature be the way to go? 
http://www.squid-cache.org/Versions/v3/3.5/cfgman/https_port.html

Note that these are not 'https' requests. Just plain socket connections. 

Please point us in the right direction. 
Thanks. 



--
Sent from: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html


Re: [squid-users] Transition from squid3.5 to squid4; ciphers don't work anymore, ERROR: Unknown TLS option SINGLE_DH_USE

2018-02-17 Thread Amos Jeffries
On 18/02/18 03:10, Amos Jeffries wrote:
> 
> On 18/02/18 02:39, chiasa.men wrote:
>>
>> I could solve the "no ciphers available" by appending
>> "TLS13-AES-256-GCM-SHA384" to the ciphers.
>>
>> But the log shows the use of "ECDHE-ECDSA-AES256-GCM-SHA384"
>>
>> Why is that cipher relevant if it's not used?
>>
> 
> The squid.conf cipher= are just strings passed to the OpenSSL library to
> interpret.
> 
> It is probably that "TLS13-AES-256-GCM-SHA384" is what your new library
> calls "ECDHE-ECDSA-AES256-GCM-SHA384".
> 

This seems to confirm the change:



"The new ciphersuites are defined differently and do not specify the
certificate type (e.g. RSA, DSA, ECDSA) or the key exchange mechanism
(e.g. DHE or ECHDE). This has implications for ciphersuite configuration."


Amos


Re: [squid-users] squid -k rec , seems has problem with ram leakage ?

2018-02-17 Thread Amos Jeffries
On 18/02/18 02:38, --Ahmad-- wrote:
> Hi Amos , 
> 
> so you mean that the extra Ram usage is from the instance when it loaded
> with traffic ?

Probably. It is small enough in size to be from that. Detailed
inspection is necessary to know for sure.


> 
> will that stay even if i have cache men 0 and  and cache deny all 
> and disabling all HDD caching ?

Yes. Memory of various amounts is required simply to process traffic.


> 
> is there anything can i do ?
> 
> or leave it s it is ?
> 

If you are worried you can look into the details I mentioned.

I would try to ensure that you staggered the instance reconfiguring so
that they at least did not all do it at the same time. There is extra
memory and pausing of traffic during reconfigure.


Amos


Re: [squid-users] Transition from squid3.5 to squid4; ciphers don't work anymore, ERROR: Unknown TLS option SINGLE_DH_USE

2018-02-17 Thread Amos Jeffries

On 18/02/18 02:39, chiasa.men wrote:
> 
> I could solve the "no ciphers available" by appending
> "TLS13-AES-256-GCM-SHA384" to the ciphers.
> 
> But the log shows the use of "ECDHE-ECDSA-AES256-GCM-SHA384"
> 
> Why is that cipher relevant if it's not used?
> 

The squid.conf cipher= are just strings passed to the OpenSSL library to
interpret.

It is probably that "TLS13-AES-256-GCM-SHA384" is what your new library
calls "ECDHE-ECDSA-AES256-GCM-SHA384".

Amos


Re: [squid-users] Transition from squid3.5 to squid4; ciphers don't work anymore, ERROR: Unknown TLS option SINGLE_DH_USE

2018-02-17 Thread Amos Jeffries
On 13/02/18 02:29, chiasa.men wrote:
> Hi I tried squid4.
> 
> Squid Cache: Version 4.0.23 
> This binary uses OpenSSL 1.1.1-dev  xx XXX 
> 
> Before, I used:
> Squid Cache: Version 3.5.27 
> This binary uses OpenSSL 1.0.2g  1 Mar 2016
> 
> Some of the config directives changed:
> E.g.
> sslproxy_options SINGLE_DH_USE,SINGLE_ECDH_USE
> ->
> tls_tls_outgoing_options options=SINGLE_DH_USE,SINGLE_ECDH_USE 
> 
> But that results in version 4 in the following errors (cache.log)
> ERROR: Unknown TLS option SINGLE_DH_USE
> ERROR: Unknown TLS option SINGLE_ECDH_USE
> 
> (same error with the same options in https_proxy)
> 
> Is that a problem related to the openssl version change?

Yes. Due to CVE-2016-0701 the SSL_OP_SINGLE_DH_USE option was deprecated
in OpenSSL 1.0.2f and that option enabled by default.
That means it *should* be available in all Squid using those libraries.

... but your 1.1.1-dev library appears to have had it removed entirely.

It is not listed as removed officially
()
so may be related to some build option used to create the library.


> 
> 
> In cache_peer I also have now to configure
> tls-cafile=/etc/ssl/certs/ca-certificates.crt explicitly (I used some self
> signed certificates for testing - but in Squid3 I didn't need to configure
> that)
> Otherwise I get: 
> (71) Protocol error (TLS code: X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN)
> In the reference it's stated that:
>   tls-default-ca[=off]
>   Whether to use the system Trusted CAs. Default is ON.
> Shouldn't the tls-cafile option be unnecessary since it's trusted by default?
> 

Yes, unless the CA is not in the system default CAs for some reason.

Some well-known companies are not trusted because of bad behaviour
getting them kicked out of the globally trusted CA registry. It might
also be related to other things in your library build.

Hard to say what exactly is going wrong without looking into that
particular cert chain which is hitting the error.


> 
> 
> Furthermore I set Apache (the peer) to
> "SSLCipherSuite  ECDHE-ECDSA-AES256-GCM-SHA384"
> as well as cache_peer sslcipher=ECDHE-ECDSA-AES256-GCM-SHA384
> 
> ERROR: negotiating TLS on FD 20: error:141A90B5:SSL 
> routines:ssl_cipher_list_to_bytes:no ciphers available (1/-1/0)
> 
> How can that be?
> 

Not sure. Is the handshake actually trying to negotiate that cipher
correctly? or is one endpoint deciding it cannot support it?


Amos


Re: [squid-users] Transition from squid3.5 to squid4; ciphers don't work anymore, ERROR: Unknown TLS option SINGLE_DH_USE

2018-02-17 Thread chiasa.men
On Saturday, 17 February 2018, 14:28:04 CET, chiasa.men wrote:
> On Monday, 12 February 2018, 14:29:09 CET, chiasa.men wrote:
> > Hi I tried squid4.
> > 
> > Squid Cache: Version 4.0.23
> > This binary uses OpenSSL 1.1.1-dev  xx XXX 
> > 
> > Before, I used:
> > Squid Cache: Version 3.5.27
> > This binary uses OpenSSL 1.0.2g  1 Mar 2016
> > 
> > Some of the config directives changed:
> > E.g.
> > sslproxy_options SINGLE_DH_USE,SINGLE_ECDH_USE
> > ->
> > tls_tls_outgoing_options options=SINGLE_DH_USE,SINGLE_ECDH_USE
> > 
> > But that results in version 4 in the following errors (cache.log)
> > ERROR: Unknown TLS option SINGLE_DH_USE
> > ERROR: Unknown TLS option SINGLE_ECDH_USE
> > 
> > (same error with the same options in https_proxy)
> > 
> > Is that a problem related to the openssl version change?
> > 
> > 
> > In cache_peer I also have now to configure
> > tls-cafile=/etc/ssl/certs/ca-certificates.crt explicitly (I used some
> > self signed certificates for testing - but in Squid3 I didn't need to
> > configure that)
> > Otherwise I get:
> > (71) Protocol error (TLS code: X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN)
> > 
> > In the reference it's stated that:
> > tls-default-ca[=off]
> > 
> > Whether to use the system Trusted CAs. Default is ON.
> > 
> > Shouldn't the tls-cafile option be unnecessary since it's trusted by
> > default?
> > 
> > 
> > 
> > Furthermore I set Apache (the peer) to
> > "SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384"
> > as well as cache_peer sslcipher=ECDHE-ECDSA-AES256-GCM-SHA384
> > 
> > ERROR: negotiating TLS on FD 20: error:141A90B5:SSL
> > routines:ssl_cipher_list_to_bytes:no ciphers available (1/-1/0)
> > 
> > How can that be?
> > 
> > 
> > 
> > 
> 
> Any idea?

I could solve the "no ciphers available" by appending
"TLS13-AES-256-GCM-SHA384" to the ciphers.
But the log shows the use of "ECDHE-ECDSA-AES256-GCM-SHA384"
Why is that cipher relevant if it's not used?


Re: [squid-users] Transition from squid3.5 to squid4; ciphers don't work anymore, ERROR: Unknown TLS option SINGLE_DH_USE

2018-02-17 Thread chiasa.men
On Monday, 12 February 2018, 14:29:09 CET, chiasa.men wrote:
> Hi I tried squid4.
> 
> Squid Cache: Version 4.0.23
> This binary uses OpenSSL 1.1.1-dev  xx XXX 
> 
> Before, I used:
> Squid Cache: Version 3.5.27
> This binary uses OpenSSL 1.0.2g  1 Mar 2016
> 
> Some of the config directives changed:
> E.g.
> sslproxy_options SINGLE_DH_USE,SINGLE_ECDH_USE
> ->
> tls_tls_outgoing_options options=SINGLE_DH_USE,SINGLE_ECDH_USE
> 
> But that results in version 4 in the following errors (cache.log)
> ERROR: Unknown TLS option SINGLE_DH_USE
> ERROR: Unknown TLS option SINGLE_ECDH_USE
> 
> (same error with the same options in https_proxy)
> 
> Is that a problem related to the openssl version change?
> 
> 
> In cache_peer I also have now to configure
> tls-cafile=/etc/ssl/certs/ca-certificates.crt explicitly (I used some self
> signed certificates for testing - but in Squid3 I didn't need to configure
> that)
> Otherwise I get:
> (71) Protocol error (TLS code: X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN)
> In the reference it's stated that:
>   tls-default-ca[=off]
>   Whether to use the system Trusted CAs. Default is ON.
> Shouldn't the tls-cafile option be unnecessary since it's trusted by
> default?
> 
> 
> 
> Furthermore I set Apache (the peer) to
> "SSLCipherSuite  ECDHE-ECDSA-AES256-GCM-SHA384"
> as well as cache_peer sslcipher=ECDHE-ECDSA-AES256-GCM-SHA384
> 
> ERROR: negotiating TLS on FD 20: error:141A90B5:SSL
> routines:ssl_cipher_list_to_bytes:no ciphers available (1/-1/0)
> 
> How can that be?
> 
> 
> 
> 

Any idea?


Re: [squid-users] squid -k rec , seems has problem with ram leakage ?

2018-02-17 Thread Amos Jeffries
On 18/02/18 00:57, --Ahmad-- wrote:
> hi amos 
> 
> i didnt use the version 3.5.22
> 
>  but long time I’m using the 3.5.22 and its fine 
> 
> the new thing is I’m using like 100 squid instances .
> 
> and  hourly i have cron to change and update squid 
> 
> so i just make rec option instead of having session drop .
> 
> i don’t have exact mount of statistics to tell you 
> 
> but say i have 32 G ram 
> 
> if i run 100 squid instances it take about 16 G ram .

So that is the amount before much traffic has happened.

When traffic goes through the proxy Squid gains data which uses more
memory for at least all the purposes listed at
.


> 
> if i keep run the cron hourly by time say daily 12 times ( every 2 hours) 
> 
> and after 1 week i go to server to see free ram using :
> 
> free -m command
> 
> i see the free ram be like 5 G free , while I’m supposed to see the free
> as 16 G


+10GB for 100 instances means each is on average only using ~100 MB more
than you expected. This is also the net difference between when you
started the Squid and the peak traffic load within that whole week.

If you are not already graphing the memory usage I suggest you start
doing so and look at the graphs for patterns. They may show a different
story to what you (or I) are thinking is happening.


Also, Squid provides SNMP data for automated measurements if you want to
check the details rather than just the overall OS free measurement.

For example; comparing OID cacheMemUsage to cacheNumObjCount,
cacheClients and cacheCurrentFileDescrCnt shows roughly the relative
memory usage to each of the major dynamic memory consumers.


Amos


Re: [squid-users] squid -k rec , seems has problem with ram leakage ?

2018-02-17 Thread --Ahmad--
hi amos 

i didn't use the version 3.5.22

 but long time I’m using the 3.5.22 and its fine 

the new thing is I’m using like 100 squid instances .

and  hourly i have cron to change and update squid 

so i just make rec option instead of having session drop .

i don’t have exact amount of statistics to tell you 

but say i have 32 G ram 

if i run 100 squid instances it take about 16 G ram .

if i keep run the cron hourly by time say daily 12 times ( every 2 hours) 

and after 1 week i go to server to see free ram using :

free -m command

i see the free ram be like 5 G free , while I’m supposed to see the free as 16 G

if i kill all instances and run it again 
the free is 16 G


so as i said , by time , by doing many -k rec options , there is something not 
ok either os or squid I’m not sure .

is there any tuning can i do in squid ?

or os ? I’m using centos 6 64 bits and may be option in sysctl to play with ?

here is my config file :
dns_nameservers 8.8.8.8
dns_v4_first off

http_port 203.164.132.2:${service_name}
include /root/X3/aclhalf${service_name}.conf
include /root/X3/tcphalf${service_name}.conf 
pid_filename /var/run/squid${service_name}.pid
cache_log /var/log/squid/${service_name}-cache.log
access_log  /var/log/squid/${service_name}-access.log
#
visible_hostname xyz
# Lockdown Procedures
auth_param basic program /lib/squid/basic_ncsa_auth /etc/squid/squid_userX3
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
# Add any of your own refresh_pattern entries above these.
#
###
#
cache_effective_user squid
cache_effective_group squid
##


> On Feb 17, 2018, at 11:38 AM, Amos Jeffries  wrote:
> 
>> 3.5.22



Re: [squid-users] How to combine two proxies into one?

2018-02-17 Thread Amos Jeffries
On 17/02/18 14:37, Peng Yu wrote:
> On Thu, Feb 15, 2018 at 3:31 AM, Amos Jeffries wrote:
>>
>> BUT, since neither of them was actually a reverse-proxy the answer of
>> how to merge a reverse-proxy and a forward-proxy would be quite different.
> 
> I finally figure a configure that works. localhost:3128 is forward to
> both server1:3128 and server2:3128. localhost:3129 directly goes to
> the external network. Let me know if there is anything wrong with it.
> 

see my response to your other thread where you asked why that config was
not actually working.

> Also, this only works for http. For https, localhost:3128 still
> directly goes to the external network. Do you know how to modify the
> following configuration to configure for https?
> 

For forward-proxy of HTTPS traffic (aka CONNECT messages) you need to
configure one of:

  nonhierarchical_direct off
or
  never_direct allow CONNECT

otherwise Squid performs the more efficient DIRECT routing for the tunnel.

Amos


Re: [squid-users] squid -k rec , seems has problem with ram leakage ?

2018-02-17 Thread Amos Jeffries


On 17/02/18 10:53, --Ahmad-- wrote:
> hey folks 
> 
> i have a Multi instances in squid and i run them and keep use(( -k rec))) 
> option 
> 

"rec" as in the first characters of the "-k reconfigure" option?

That will only update the running Squid with new config file settings.
Sometimes that can reduce memory, but if the issue is in any way linked
to the OS report of "maximum _ever_ used" stats for each process, it
will not change a thing - usually make the number higher as Squid must
fork() twice as many helper processes for a reconfigure.


> but it seems after some hours i see ram keep increasing .
> 

numbers?

config file(s)?

> 
> i see ram better if i kill squid then run it  normally .
> 

Which resets everything related to memory and starts clean without any
of the OS and fork() related issues such as the one above.

> 
> but
> 
> 
>  ram keep sucked by squid if i use -k rec option 
> 
> I’m using squid Squid Cache: Version 3.5.22
> 

Does the same problem exist with 3.5.27 ?

PS. If you are using ssl-bump at all, make sure you have the Squid-3
workaround of "sslflags=NO_DEFAULT_CA" on every *_port line using
ssl-bump option to prevent openssl allocating vast amounts of useless
memory.

Amos