Re: [squid-users] problem in opening specific website

2005-11-16 Thread Serassio Guido

Hi,

At 06.41 16/11/2005, Jigar Raval wrote:


> Hello,
>
> I have configured a Squid proxy server. It works fine. But for the
> last few days, I have been facing a problem opening the website below:
>
>    http://www.cost723.org
>
> I could open it successfully from another network (without proxy). But
> while trying to open it behind the proxy, it says time out, Remote
> Host may be down, etc.
>
> What could be the reason?

Maybe ECN is enabled on your proxy?

Regards

Guido



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/



Re: [squid-users] How to block shoutcast streams?

2005-11-16 Thread Boniforti Flavio

Brent Clark wrote:


> ## Stop multimedia downloads ##
> acl useragent browser -i ^.*NSPlayer.*
> acl useragent browser -i ^.*player.*
> acl useragent browser -i ^.*Windows-Media-Player.*
> acl useragentq rep_mime_type ^.*video.*
> acl useragentq rep_mime_type ^.*audio.*
> http_access deny useragent
> # rep_mime_type matches reply headers, so it has no effect in http_access
> http_reply_access deny useragentq
>
> For the future, you may want to try switching log_mime_hdrs from off to on, and
> then you will see the clients used in your access.log.


So you're telling me that I have to switch log_mime_hdrs to on to 
have your ACLs working, right? But, doesn't this measure make the logs 
grow very large? I actually have daily logs ranging from 30 MB to over 
50 MB.


--
---
Boniforti Flavio
Provincia del Verbano-Cusio-Ossola
Ufficio Informatica

Tecnoparco del Lago Maggiore
Via dell'Industria, 25
28924 Verbania
---


Re: [squid-users] How to block shoutcast streams?

2005-11-16 Thread Odhiambo Washington
* On 16/11/05 09:04 +0100, Boniforti Flavio wrote:
 Brent Clark wrote:
 
 ## Stop multimedia downloads ##
 acl useragent browser -i ^.*NSPlayer.*
 acl useragent browser -i ^.*player.*
 acl useragent browser -i ^.*Windows-Media-Player.*
 acl useragentq rep_mime_type ^.*video.*
 acl useragentq rep_mime_type ^.*audio.*
 http_access deny useragent
 # rep_mime_type matches reply headers, so it has no effect in http_access
 http_reply_access deny useragentq
 
 For the future, you may want to try switching log_mime_hdrs from off to on, and
 then you will see the clients used in your access.log.
 
 So you're telling me that I have to switch log_mime_hdrs to on to 
 have your ACLs working, right? But, doesn't this measure make the logs 
 grow very large? I actually have daily logs ranging from 30 MB to over 
 50 MB.

He said that it will allow you to see the clients used in your
access.log, not that you need that for the rules to work ;)
And yes, if you enable that option, log file size will increase.


-Wash

http://www.netmeister.org/news/learn2quote.html

--
+==+
|\  _,,,---,,_ | Odhiambo Washington[EMAIL PROTECTED]
Zzz /,`.-'`'-.  ;-;;,_ | Wananchi Online Ltd.   www.wananchi.com
   |,4-  ) )-,_. ,\ (  `'-'| Tel: +254 20 313985-9  +254 20 313922
  '---''(_/--'  `-'\_) | GSM: +254 722 743223   +254 733 744121
+==+
One man's theology is another man's belly laugh.


[squid-users] Squid and trasparent auth with PDC

2005-11-16 Thread Spada Marco
Hi everybody,
 
I use Squid, and my customer would like to authenticate the users
that use Squid via the Primary Domain Controller (Active Directory).

At the moment I use the supported Squid program msntauth: the user
contacts Squid, which opens the pop-up, and the user and password are verified by
the PDC (Squid knows the PDC IP address and sends it the credentials for
authentication).

But my customer doesn't want to use the pop-up every time (when I close
I.E. and open it, the pop-up... !!).

Question: Can I authenticate my customer's users via PDC/Active
Directory in transparent mode, without the pop-up?
 
Thank You.
 
Marco


RE: [squid-users] Squid and trasparent auth with PDC

2005-11-16 Thread Administrateur
Yes, you can, with this program:

 auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
 auth_param ntlm children 30
 auth_param ntlm max_challenge_reuses 0
 auth_param ntlm max_challenge_lifetime 2 minutes

But your proxy must join your AD domain. See this excellent doc:
 http://web.irtnog.org/howtos-orig/freebsd-winbind

Regards,

-Original Message-
From: Spada Marco [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 16 November 2005 09:55
To: squid-users@squid-cache.org
Subject: [squid-users] Squid and trasparent auth with PDC


Hi everybody,

I use Squid, and my customer would like to authenticate the users
that use Squid via the Primary Domain Controller (Active Directory).

At the moment I use the supported Squid program msntauth: the user
contacts Squid, which opens the pop-up, and the user and password are verified by
the PDC (Squid knows the PDC IP address and sends it the credentials for
authentication).

But my customer doesn't want to use the pop-up every time (when I close
I.E. and open it, the pop-up... !!).

Question: Can I authenticate my customer's users via PDC/Active
Directory in transparent mode, without the pop-up?
 
Thank You.
 
Marco


Re: [squid-users] max resource usgae

2005-11-16 Thread Matus UHLAR - fantomas
On 15.11 14:08, Houssam Melhem wrote:
 I have 10 SCSI Hard disks each 73GB and 8GB of RAM

I suppose you have 64bit CPU and OS...

 PID   USER  PR NI VIRT  RES  SHR  S %CPU %MEM TIME+   COMMAND
 17962 squid 18 0  2836m 2.3g 3664 R 97.6 28.9 4035:06 squid

...looks so

 I configured squid to use 28 GB on each
 
 cache_mem 512 MB
 cache_dir aufs /cache1/ 28000  32 256
 cache_dir aufs /cache2/ 28000  32 256
 cache_dir aufs /cache3/ 28000  32 256
 cache_dir aufs /cache4/ 28000  32 256
 cache_dir aufs /cache5/ 28000  32 256
 cache_dir aufs /cache6/ 28000  32 256
 cache_dir aufs /cache7/ 28000  32 256
 cache_dir aufs /cache8/ 28000  32 256
 cache_dir aufs /cache9/ 28000  32 256
 cache_dir aufs /cache10/ 28000 32 256

I'd use '64 256' 

 When I increase each cache dir size squid process takes more memory
 and cpu becomes more busy, this leads to a full system crash (not
 immediately but after a while more than 5 days), I could not figure
 out the real source of this crash but it is a kernel panic and the
 squid process ID is mentioned in the error messages on screen

The full system crash will probably be a problem of your OS or bad HW. The OS
should not crash unless you have bad hardware. What errors are displayed
when the crash happens?

 Can I take advantage of the remaining disk space on each Hard Disk?
 Do I need more RAM?
 
 Or squid just can not handle this big amount of Resources (HD and RAM)?

Have you read Squid FAQ, the part about memory usage? That should explain
much to you. http://www.squid-cache.org/Doc/FAQ/FAQ-8.html

I think you can safely use 50GB on each cache_dir, files up to 64MB (with
LFUDA replacement policy) and squid should fit to 8GB of memory w/o any
problem.

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Spam = (S)tupid (P)eople's (A)dvertising (M)ethod


[squid-users] proxy_auth acl causing challenge loop

2005-11-16 Thread Pim Zandbergen

After upgrading Fedora Core 3 to Fedora Core 4, my squid setup was
upgraded from  2.5.STABLE6 to 2.5.STABLE11.

I'm using ntlm authentication using winbindd, using group membership
in Active Directory to split users into groups who have full, limited
or no access to the Internet. Because of ntlm, most users don't even
realize they are using authentication to access resources on the Internet.

Until now. Users who are denied access because of a proxy_auth ACL
now are rechallenged endlessly, allowing them to authenticate
differently, instead of just getting an access denied message based
on their current credentials.

Going through the mailing list archives, I can only find one reference
to this issue, namely someone asking for this new type of behaviour,
arguing this is the way MS ISA behaves.

Well, I really prefer the old behaviour, so I hope the behaviour is not
hardcoded, but configurable.

Is it?

Thanks,
Pim



Re: [squid-users] squid deletes cache_dir objects randomly - is there no solution?

2005-11-16 Thread Matus UHLAR - fantomas
On 15.11 17:51, H wrote:
 since v.12 squid empties without any reason the cache_dirs from time to
 time

does it remove whole cache_dir content?

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Spam is for losers who can't get business any other way.


Re: [squid-users] proxy_auth acl causing challenge loop

2005-11-16 Thread Henrik Nordstrom

On Wed, 16 Nov 2005, Pim Zandbergen wrote:


> Well, I really prefer the old behaviour, so I hope the behaviour is not
> hardcoded, but configurable.

It's not hardcoded, instead it is dependent on how your http_access rules 
are constructed.

Squid prompts for login credentials if the user is denied access by an 
authentication related acl (proxy_auth, proxy_auth_regex, external using 
%LOGIN).

   http_access deny someacl authacl

prompts for new credentials if matched (denied by authacl)

   http_access deny authacl someacl

does not prompt for new credentials (denied by someacl)


Regards
Henrik
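
A small model of the rule ordering described in the reply above, added here as an illustration; it is not part of the original message and is not Squid code. The ACL names, the group name and the sample users are hypothetical, and the "no credentials yet means challenge" step and the final default are simplifying assumptions of the model.

```python
# Added example: simplified model of how the LAST acl on a matching
# "http_access deny" line decides between a new login prompt and a plain
# denial. Not Squid source; names and sample data are hypothetical.
from typing import Callable, Dict, List, NamedTuple, Optional


class Acl(NamedTuple):
    auth_related: bool                 # proxy_auth, or external using %LOGIN
    matches: Callable[[dict], bool]


class Rule(NamedTuple):
    action: str                        # "allow" or "deny"
    acls: List[str]                    # ACL names; a "!" prefix negates


def evaluate(rules: List[Rule], acls: Dict[str, Acl], request: dict) -> str:
    """Return ALLOW, DENY_403 or CHALLENGE_407 for one request."""
    for rule in rules:
        last: Optional[Acl] = None
        matched = True
        for ref in rule.acls:
            negate = ref.startswith("!")
            acl = acls[ref.lstrip("!")]
            last = acl
            # Assumption: an auth-related ACL cannot be tested without
            # credentials, so the client is asked for them first.
            if acl.auth_related and request.get("user") is None:
                return "CHALLENGE_407"
            if acl.matches(request) == negate:
                matched = False
                break
        if not matched:
            continue
        if rule.action == "allow":
            return "ALLOW"
        if last is not None and last.auth_related:
            return "CHALLENGE_407"     # denied by an auth ACL: prompt again
        return "DENY_403"              # denied by a non-auth ACL: no prompt
    return "DENY_403"                  # model default (assumption)


ACLS = {
    "all": Acl(False, lambda r: True),
    "authenticated": Acl(True, lambda r: r.get("user") is not None),
    "no_internet": Acl(True, lambda r: "no_internet" in r.get("groups", ())),
}

# "http_access deny no_internet": the auth ACL is last, so a denied user
# is challenged again.
LOOPING = [Rule("deny", ["no_internet"]),
           Rule("allow", ["authenticated"]),
           Rule("deny", ["all"])]

# "http_access deny no_internet all": a non-auth ACL is last, so the same
# user gets a plain denial based on the current credentials.
FIXED = [Rule("deny", ["no_internet", "all"]),
         Rule("allow", ["authenticated"]),
         Rule("deny", ["all"])]

# Constructed sample requests.
BLOCKED = {"user": "bob", "groups": {"no_internet"}}
STAFF = {"user": "alice", "groups": {"full"}}
ANON = {"user": None, "groups": set()}


def compare(request: dict) -> tuple:
    """Outcome under the looping rule set and under the reordered one."""
    return evaluate(LOOPING, ACLS, request), evaluate(FIXED, ACLS, request)


if __name__ == "__main__":
    for name, req in (("blocked", BLOCKED), ("staff", STAFF), ("anon", ANON)):
        print(name, compare(req))
```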


Re: [squid-users] squid deletes cache_dir objects randomly - is there no solution?

2005-11-16 Thread H
On Wednesday 16 November 2005 07:38, Matus UHLAR - fantomas wrote:
 On 15.11 17:51, H wrote:
  since v.12 squid empties without any reason the cache_dirs from time to
  time

 does it remove whole cache_dir content?

Yes, after that it fills them up again normally .

H







The message was scanned by the e-mail system and can be considered safe.
Service provided by Datacenter Matik  https://datacenter.matik.com.br


[squid-users] CPU saturation?

2005-11-16 Thread James Vanns
A question to the floor. We are running squid 2.5STABLE3 and have a
non-caching setup including the following configuration statements:

snip
cache_dir null /dev/null

acl all src 0.0.0.0/0.0.0.0
no_cache deny all

ident_lookup_access deny all
request_timeout 1 minute
connect_timeout 1 minute

fqdncache_size 2048
pipeline_prefetch on

half_closed_clients off
client_persistent_connections off
server_persistent_connections off
/snip

With approximately 3000 open file descriptors (configured at compile
time and set at runtime with ulimit -HSn 16384) and an equivalent no. of
client/server TCP connections we see a constant CPU usage of ~95-100%.
Is this normal!? The hardware is as follows:

Dual Intel(R) Xeon(TM) CPU 3.20GHz (Linux of course manages the CPU
affinity as we know squid isn't multi-threaded)
6G of memory

Disk stats shouldn't matter as we aren't caching.

If this is not normal do we need to upgrade to patch a known bug that I
have failed to find amongst all the squid resources on the NET?

Any help would be appreciated.

Regards,

Jim Vanns

-- 
James Vanns BSc (Hons) MCP
Canterbury Christ Church University
Senior Systems Programmer (Linux / C  C++)
Encryption Key: 
http://keys.se.linux.org/pks/lookup?op=getsearch=0x3B09EE224A653EA9
Signature Verification Key: 
http://keys.se.linux.org/pks/lookup?op=getsearch=0x47FF170724959054




Re: [squid-users] squid deletes cache_dir objects randomly - is there no solution?

2005-11-16 Thread Henrik Nordstrom

On Tue, 15 Nov 2005, H wrote:


> I know of eventual related bug reports but I have lots of servers which run a
> certain time and suddenly without any reason they start emptying the
> cache_dirs.
> the server is up for weeks
> squid was not restarted and did not crash


Any relevant messages in cache.log?

Regards
Henrik


Re: [squid-users] Too few authenticator processes are running

2005-11-16 Thread Henrik Nordstrom



On Mon, 14 Nov 2005, Matt Alexander wrote:


In the cache.log, we get squid restarting about once a minute:

(squid_ldap_auth): error.c:221: ldap_parse_result: Assertion `r != 
((void *)0)' failed.


Your LDAP library is very unhappy about something in the response from 
your LDAP server.



Hmmm...  using tcpdump/ethereal, I get this error:

W80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, 
data 525, v893


No idea, but googling for the same message gives some clues:

http://forums.devshed.com/archive/t-203331/Active-Directory-Microsoft-LDAP-SDK-Problem-with-ldapbinds
http://www.codecomments.com/archive408-2005-5-499111.html
http://www.directory-info.com/LDAP/LDAPErrorCodes.html


Seems this is Microsoft's method of saying that the login failed, where 
most others simply return Invalid credentials.



Suggestions:

a) Upgrade to a more current OpenLDAP release

b) Upgrade to a more current Squid version. A lot has happened to 
squid_ldap_auth and Squid in the 3.5 years since 2.4.STABLE1 was released.


Regards
Henrik


Re: [squid-users] CPU saturation?

2005-11-16 Thread Denis Vlasenko
On Wednesday 16 November 2005 13:21, James Vanns wrote:
 A question to the floor. We are running squid 2.5STABLE3 and have a
 non-caching setup including the following configuration statements:
 
 snip
 cache_dir null /dev/null
 
 acl all src 0.0.0.0/0.0.0.0
 no_cache deny all
 
 ident_lookup_access deny all
 request_timeout 1 minute
 connect_timeout 1 minute
 
 fqdncache_size 2048
 pipeline_prefetch on
 
 half_closed_clients off
 client_persistent_connections off
 server_persistent_connections off
 /snip
 
 With approximately 3000 open file descriptors (configured at compile
 time and set at runtime with ulimit -HSn 16384) and an equivalent no. of
 client/server TCP connections we see a constant CPU usage of ~95-100%.
 Is this normal!? The hardware is as follows:

I don't think so. Try strace and ltrace on running squid.
 
 Dual Intel(R) Xeon(TM) CPU 3.20GHz (Linux of course manages the CPU
 affinity as we know squid isn't multi-threaded)
 6G of memory

IIUC one squid will load only one CPU, how do you get 95-100% load
on both?
--
vda


Re: [squid-users] CPU saturation?

2005-11-16 Thread James Vanns
snip
  With approximately 3000 open file descriptors (configured at compile
  time and set at runtime with ulimit -HSn 16384) and an equivalent no. of
  client/server TCP connections we see a constant CPU usage of ~95-100%.
  Is this normal!? The hardware is as follows:
 
 I don't think so. Try strace and ltrace on running squid.

Yeah I have actually run squid through strace and the only alarming
thing is the huge amount of bind() calls on 0.0.0.0 and port htons (0).
And by huge amount I mean practically every lookup (I guess somehow this
is related to the internal DNS lookups). Surely you don't need to call
bind() for every query!? Or am I missing something here? Admittedly I
didn't spend much time analysing the strace output. 

  Dual Intel(R) Xeon(TM) CPU 3.20GHz (Linux of course manages the CPU
  affinity as we know squid isn't multi-threaded)
  6G of memory
 
 IIUC one squid will load only one CPU, how do you get 95-100% load
 on both?

You misunderstand (I think). That percentage I gave was per CPU e.g.
95-100% usage on CPU0 not across all (0-3) processors.

Jim

 --
 vda
-- 
James Vanns BSc (Hons) MCP
Canterbury Christ Church University
Senior Systems Programmer (Linux / C  C++)
Encryption Key: 
http://keys.se.linux.org/pks/lookup?op=getsearch=0x3B09EE224A653EA9
Signature Verification Key: 
http://keys.se.linux.org/pks/lookup?op=getsearch=0x47FF170724959054





Re: [squid-users] CPU saturation?

2005-11-16 Thread James Vanns
On Wed, 2005-11-16 at 12:41 +, James Vanns wrote:
 snip
   With approximately 3000 open file descriptors (configured at compile
   time and set at runtime with ulimit -HSn 16384) and an equivalent no. of
   client/server TCP connections we see a constant CPU usage of ~95-100%.
   Is this normal!? The hardware is as follows:
  
  I don't think so. Try strace and ltrace on running squid.
 
 Yeah I have actually run squid through strace and the only alarming
 thing is the huge amount of bind() calls on 0.0.0.0 and port htons (0).
 And by huge amount I mean practically every lookup (I guess somehow this
 is related to the internal DNS lookups).

Sorry I should have said 'squid's internal resolver' to avoid
confusion ;)

 Surely you don't need to call
 bind() for every query!? Or am I missing something here? Admittedly I
 didn't spend much time analysing the strace output. 
 
   Dual Intel(R) Xeon(TM) CPU 3.20GHz (Linux of course manages the CPU
   affinity as we know squid isn't multi-threaded)
   6G of memory
  
  IIUC one squid will load only one CPU, how do you get 95-100% load
  on both?
 
 You misunderstand (I think). That percentage I gave was per CPU e.g.
 95-100% usage on CPU0 not across all (0-3) processors.
 
 Jim
 
  --
  vda
 -- 
 James Vanns BSc (Hons) MCP
 Canterbury Christ Church University
 Senior Systems Programmer (Linux / C  C++)
 Encryption Key: 
 http://keys.se.linux.org/pks/lookup?op=getsearch=0x3B09EE224A653EA9
 Signature Verification Key: 
 http://keys.se.linux.org/pks/lookup?op=getsearch=0x47FF170724959054
 
-- 
James Vanns BSc (Hons) MCP
Canterbury Christ Church University
Senior Systems Programmer (Linux / C  C++)
Encryption Key: 
http://keys.se.linux.org/pks/lookup?op=getsearch=0x3B09EE224A653EA9
Signature Verification Key: 
http://keys.se.linux.org/pks/lookup?op=getsearch=0x47FF170724959054




Re: [squid-users] squid deletes cache_dir objects randomly - is there no solution?

2005-11-16 Thread H
On Wednesday 16 November 2005 10:04, Henrik Nordstrom wrote:

 Any relevant messages in cache.log?



On the servers I do not log at all, so I am sorry about not having anything 
more useful.
Since the server itself and the squid process did not die, I didn't get a trap 
either to look in time.


H.









Re: [squid-users] squid deletes cache_dir objects randomly - is there no solution?

2005-11-16 Thread Henrik Nordstrom

On Wed, 16 Nov 2005, H wrote:

> on the servers I do not log at all so I am sorry about not having 
> anything more useful since the server itself and the squid process did 
> not die I didn't get a trap either to look in time

So it is entirely possible the Squid process restarted itself for some 
reason, losing its swap.state content in the process (double crash)?

I'd recommend that, as a first action, you enable the cache.log logfile again. 
Without this there are not many traces to go on for determining what 
happened, why or when.


Regards
Henrik


RE: [squid-users] which user is using max bandwidth

2005-11-16 Thread Jason Staudenmayer
Take a look at SARG for squid reporting on the access.log

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 15, 2005 11:24 PM
To: squid-users@squid-cache.org
Subject: [squid-users] which user is using max bandwidth


Hi,
  I am a novice in squid. Can someone please tell me how to find out 
which of my users is using how much bandwidth. Also how to find out who 
is visiting which site.

Regards

Gaurav Duggal.


RE: [squid-users] which user is using max bandwidth

2005-11-16 Thread Gix, Lilian (CI/OSR) *
Hello

Sarg or Webalizer are probably what you are looking for

Gix Lilian


-Original Message-
From: Jason Staudenmayer [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, 16 November 2005 15:05
To: squid-users@squid-cache.org
Subject: RE: [squid-users] which user is using max bandwidth

Take a look at SARG for squid reporting on the access.log

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 15, 2005 11:24 PM
To: squid-users@squid-cache.org
Subject: [squid-users] which user is using max bandwidth


Hi,
  I am a novice in squid. Can someone please tell me how to find out 
which of my users is using how much bandwidth. Also how to find out who 
is visiting which site.

Regards

Gaurav Duggal.


Re: [squid-users] squid deletes cache_dir objects randomly - is there no solution?

2005-11-16 Thread H
On Wednesday 16 November 2005 11:29, Henrik Nordstrom wrote:
 On Wed, 16 Nov 2005, H wrote:
  on the servers I do not log at all so I am sorry about not having
  anything more useful since the server itself and the squid process did
  not die I didn't get a trap either to look in time

 So it is entirely possible the Squid process restarted itself for some
 reason, losing its swap.state content in the process (double crash)?


No, it is not. We monitor this, and if so the memory use would have gone down;
also the process age would be similar to the time when the cache emptied, but
the diskd and squid processes are the same age as the server's uptime.



H.









Re: [squid-users] CPU saturation?

2005-11-16 Thread H
On Wednesday 16 November 2005 12:34, Denis Vlasenko wrote:

 # DONT! This incurs reverse DNS lookup if you supplied numeric IP
 # (and 5 min (!!!) timeout if that IP does not have reverse DNS set up)
 #acl adsdstdomain   81.222.128.3 www.linkexchange.ru
 ad0.bigmir.net bbn.img.com.ua


Sorry, I do not understand this, could you explain it better?

But let me ask first, how are these not numeric IPs?

H.









Re: Fw: [squid-users] Re: squid_ldap_auth and Windows 2003 AD

2005-11-16 Thread Serassio Guido

Hi Colin,

At 15.58 16/11/2005, Colin Farley wrote:


> Thanks for the more detailed explanation.  I gave this a try and it solved
> the problem.  It's funny how Microsoft can't even get their documentation
> right.  I guess I should have been suspicious when I saw that the article
> said Windows 2000 allows anonymous searches.  Anyway, thanks again.

Good news.

Maybe they are using anonymous for everyone who is connecting 
from a machine that is not a domain member. If this is true, running 
the Windows version of squid_ldap_auth on a Windows machine that is a 
domain member should work without changing anything in Active Directory.

When possible, I will do some tests.

Regards

Guido



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/



Re: [squid-users] CPU saturation?

2005-11-16 Thread Denis Vlasenko
On Wednesday 16 November 2005 17:02, H wrote:
 On Wednesday 16 November 2005 12:34, Denis Vlasenko wrote:
 
  # DONT! This incurs reverse DNS lookup if you supplied numeric IP
  # (and 5 min (!!!) timeout if that IP does not have reverse DNS set up)
  #acl adsdstdomain   81.222.128.3 www.linkexchange.ru
  ad0.bigmir.net bbn.img.com.ua
 
 sorry I do not understand this, could you explain it better?

do not use dstdomain acl, or else be prepared to wait 5 minutes
when you are trying to open http://11.22.33.44/ and 11.22.33.44
has no reverse DNS mapping (because squid wants to know domain name
in order to do dstdomain comparison)

 but let me ask first, how are this not numeric IPs?

?!
--
vda


Re: [squid-users] squid deletes cache_dir objects randomly - is there no solution?

2005-11-16 Thread Matus UHLAR - fantomas
On 16.11 07:13, H wrote:
 On Wednesday 16 November 2005 07:38, Matus UHLAR - fantomas wrote:
  On 15.11 17:51, H wrote:
   since v.12 squid empties without any reason the cache_dirs from time to
   time
 
  does it remove whole cache_dir content?
 
 Yes, after that it fills them up again normally .

don't you rotate cache_swap.log somewhere?
-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759


[squid-users] Re: Squid LDAP Digest

2005-11-16 Thread Henrik Nordstrom

On Wed, 16 Nov 2005, Winfried Kuiper wrote:

> from http://www.squid-cache.org/mail-archive/squid-dev/200506/0031.html 
> I know, there is a new digest authentication helper with ldap extension.

Yes.

> So, is it now possible to make a secure
> communication between both,
> a) client-squidserver
> and
> b) squidserver-ldapserver?

Sort of.

> We want to use a secure authentication (I like digest more than NTLM)
> at the squid proxy server for our students over WLAN. The proxy server
> then should be able to talk in a secure way to the Windows LDAP Server.

Only works if you are willing to add a Digest HA1 attribute to each user 
having the Digest hashed password, or if you manage to provide Squid 
access to the plain text passwords stored in the directory. Neither is 
normally there in an ADS tree.

> But I don't like this solution, because I have to join the ADS tree.
> There are often problems in the ADS tree and I don't want to become
> a member of it.

Your choice.

> Is the authentication helper found under
> http://www.squid-cache.org/cgi-bin/cvsweb.cgi/squid3/helpers/digest_auth/password/
> the solution for my problem?

It is the helper you speak of above.

But it does NOT allow Digest authentication to the Windows ADS passwords.

> Do you know another solution for me?

My recommendation at the moment is to go for NTLM.

> Can I use it with squid-2.5.STABLE6-6.15?

Yes, if you trust the Digest implementation there..

> Where can I find more documentation for your new digest authentication
> helper?

There is a man page included in the distribution, documenting most 
options.

But you have to remember that this helper requires either

  a) Access to plain-text stored passwords
or
  b) Access to pre-hashed Digest HA1 hashes of the users' passwords.

neither is normally stored in ADS.

It is possible to configure ADS to store Reversibly encrypted passwords, 
and this is a requirement for Microsoft's Digest implementation. This however 
cannot be used by Squid at this time due to lack of information from 
Microsoft on how to integrate Digest with ADS in a sensible manner.

> Do you know a good book about squid and authentication helper?

The Squid book has some information. Not very much on Digest however.

Regards
Henrik
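
An added illustration of the requirement stated in the reply above (plain-text password or a pre-hashed HA1); it is not part of the original message and is not the helper's code. It follows RFC 2617 with qop=auth and uses the sample exchange from RFC 2617 section 3.5; the second realm name and the SHA-256 stand-in for "some other stored password hash" are assumptions made for the demonstration.

```python
# Added example, not the helper's source: verifying an RFC 2617 Digest
# response (qop=auth) with only a stored HA1 value.
import hashlib
import hmac


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def make_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password), computed when the password is set.

    Whoever can read a stored HA1 can answer challenges for that realm,
    so read access to the attribute needs the same care as a password.
    """
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, fields: dict) -> str:
    """Response the server expects, derived from HA1 and the request fields."""
    ha2 = md5_hex(f"{method}:{fields['uri']}")
    return md5_hex(":".join([ha1, fields["nonce"], fields["nc"],
                             fields["cnonce"], fields["qop"], ha2]))


def verify(stored_secret: str, method: str, fields: dict) -> bool:
    """True if the client's response matches what the stored value predicts."""
    expected = digest_response(stored_secret, method, fields)
    return hmac.compare_digest(expected, fields["response"])


# Sample exchange from RFC 2617 section 3.5.
USER = "Mufasa"
REALM = "testrealm@host.com"
PASSWORD = "Circle Of Life"
CLIENT_FIELDS = {
    "uri": "/dir/index.html",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
    "nc": "00000001",
    "cnonce": "0a4f113b",
    "qop": "auth",
    "response": "6629fae49393a05397450978507c4ef1",
}


def demo() -> dict:
    other_hash = hashlib.sha256(PASSWORD.encode("utf-8")).hexdigest()
    return {
        # The directory holds HA1 for this realm: verification works
        # without the plain-text password.
        "stored_ha1": verify(make_ha1(USER, REALM, PASSWORD),
                             "GET", CLIENT_FIELDS),
        # HA1 is bound to the realm string: an HA1 stored for another
        # realm (hypothetical name) does not verify.
        "ha1_for_other_realm": verify(make_ha1(USER, "proxy.example", PASSWORD),
                                      "GET", CLIENT_FIELDS),
        # A different one-way hash of the same password (SHA-256 used
        # here as a stand-in) cannot be turned into HA1.
        "unrelated_password_hash": verify(other_hash, "GET", CLIENT_FIELDS),
    }


if __name__ == "__main__":
    print(demo())
```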


RE: [squid-users] CPU saturation?

2005-11-16 Thread Chris Robertson
 -Original Message-
 From: James Vanns [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, November 16, 2005 3:49 AM
 To: squid-users@squid-cache.org
 Cc: Paul Mills ([EMAIL PROTECTED]); Benjamin Tanner
 Subject: Re: [squid-users] CPU saturation?
 
 
 On Wed, 2005-11-16 at 12:41 +, James Vanns wrote:
  snip
    With approximately 3000 open file descriptors (configured at compile
    time and set at runtime with ulimit -HSn 16384) and an equivalent no. of
    client/server TCP connections we see a constant CPU usage of ~95-100%.
    Is this normal!? The hardware is as follows:

   I don't think so. Try strace and ltrace on running squid.

  Yeah I have actually run squid through strace and the only alarming
  thing is the huge amount of bind() calls on 0.0.0.0 and port htons (0).
  And by huge amount I mean practically every lookup (I guess somehow this
  is related to the internal DNS lookups).

 Sorry I should have said 'squid's internal resolver' to avoid
 confusion ;)

  Surely you don't need to call
  bind() for every query!? Or am I missing something here? Admittedly I
  didn't spend much time analysing the strace output.

    Dual Intel(R) Xeon(TM) CPU 3.20GHz (Linux of course manages the CPU
    affinity as we know squid isn't multi-threaded)
    6G of memory

   IIUC one squid will load only one CPU, how do you get 95-100% load
   on both?

  You misunderstand (I think). That percentage I gave was per CPU e.g.
  95-100% usage on CPU0 not across all (0-3) processors.

  Jim

   --
   vda
  --



I know that it's not officially supported, I don't know how hard it would be to 
patch 2.5STABLE3, but the epoll patch 
(http://devel.squid-cache.org/projects.html#epoll) did absolute wonders for my 
CPU utilization on Linux (from about 75% average down to less than 20% peak).  
For what it's worth, here are some statistics from someone who took the time to 
do some comparison testing:

http://www.squid-cache.org/mail-archive/squid-users/200504/0422.html

Henrik Nordstrom (one of the Squid Devs) has stated that epoll support might 
reduce CPU usage when there are many open file descriptors 
(http://www.squid-cache.org/mail-archive/squid-users/200509/0244.html).

It's been stable as a rock for me for the time I've been using it (~24 days).  
Vital stats: about 100 req/s peak, 1500 kBytes/s peak using 2.5STABLE11 on 
Centos 4.1.  For me this works out to about 500 open file descriptors.  There 
are two squid instances on this box (to take advantage of dual CPUs - Intel 
Xeon 3.00GHz), and the stated stats are per-instance.

On another note, with null caching, and multiple CPUs running more than one 
instance of squid becomes a fair bit easier.  See 
http://squidwiki.kinkie.it/squidwiki/MultipleInstances for more details.

Chris


[squid-users] New Squid Install

2005-11-16 Thread Timothy Bushart
Hello!

Do I need to worry about modifying message queues
http://www.squid-cache.org/Doc/FAQ/FAQ-22.html#ss22.1 if I will be using the
diskd file system. I am using new hardware (3GB RAM 3.2 GHZ Xeon, 15K
Drives) for a new install of Squid. If so how do you go about balancing the
correct numbers to use without putting the system in to production and using
trial and error. Is there some kind of computation I can use?

Thanks in advance