Thanks again, and sorry for the double post (I reached the max size, and just removed all comments from the squid.conf in the previous mail).

We have some ACLs.

Our network is:
2 proxies for FTP (with antivirus)
2 proxies for the local LAN (we have many remote sites and just these 2 machines
have access to their firewall)
and these 4 proxies with Squid, only for internet (there is no other
product running on them)

This is the full ACL; I have also attached the full config.

----------------------------------------------------------
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Tunnel_ports port 443-499
acl Tunnel_no_src src 10.253.0.0/16
acl Tunnel_method method CONNECT
acl Safe_ports port 80        # http
acl Safe_ports port 81        # http 2
acl Safe_ports port 21        # ftp
acl Safe_ports port 443-499     # https
acl Safe_ports port 1025-65535    # unregistered ports
acl clients src 10.0.0.0/8
acl clients src 172.16.0.0/12
acl clients src 192.168.0.0/16
acl clients src 194.218.0.0/19
acl locallan dst 10.253.0.0/16
acl locallan dst 194.218.2.0/23
acl proxylan dst 10.253.16.0/27
acl allowed_peer src 10.253.16.1
acl allowed_peer src 10.253.16.2
acl allowed_peer src 10.253.16.3
acl allowed_peer src 10.253.16.4

acl siteallow_url url_regex -i ^.{3,4}://.*\.public\.rupa\.it
acl siteallow_dst dst 194.218.2.160/27
acl siteallow_dst dst 10.253.64.0/24
acl siteallow_dst dst 10.253.16.0/27

acl dangurl urlpath_regex -i \.id[aq]\?.{100,}           # CodeRED
acl dangurl urlpath_regex -i /readme\.(eml|nws|exe)      # NIMDA

acl mgmtlan src 10.253.0.0/23
acl FTP proto FTP

acl SITIRUPA dst 194.218.0.0/19
acl SITIRUPA dst 10.0.0.0/8
acl SITIRUPA dst 172.16.0.0/16

acl LLPPProxy src 10.136.1.206
acl LLPPsicoge dst 194.218.14.15

#SNMP ACL
acl SNMPallow src 127.0.0.1/32
acl SNMPallow src 10.253.0.0/16
acl snmppublic snmp_community edsaipa

http_access allow allowed_peer

# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access allow manager mgmtlan
http_access deny manager

http_access deny to_localhost
http_access deny !Safe_ports
http_access deny dangurl

http_access deny Tunnel_method Tunnel_no_src !Tunnel_ports

http_access allow siteallow_url
http_access allow siteallow_dst
http_access deny locallan

http_access allow LLPPsicoge LLPPProxy
http_access deny LLPPsicoge

http_access allow clients

http_access deny all

http_reply_access allow all

icp_access allow allowed_peer
icp_access deny all

cache_peer_access 194.218.2.8 allow FTP
cache_peer_access 194.218.2.20 allow SITIRUPA
cache_peer_access 194.218.2.20 deny all
cache_peer_access 10.253.16.1 deny SITIRUPA
cache_peer_access 10.253.16.1 allow all
cache_peer_access 10.253.16.2 deny SITIRUPA
cache_peer_access 10.253.16.2 allow all
cache_peer_access 10.253.16.3 deny SITIRUPA
cache_peer_access 10.253.16.3 allow all
#cache_peer_access 10.253.16.4 deny SITIRUPA
#cache_peer_access 10.253.16.4 allow all

always_direct allow proxylan
always_direct deny FTP
always_direct deny SITIRUPA
always_direct deny all

never_direct deny proxylan
never_direct allow SITIRUPA

----------------------------------------------------------

Duane Wessels wrote:

> On Fri, 19 Dec 2003, Giulio Cervera wrote:
>
> > Thanks for your reply.
> >
> > I'm monitoring median_select_fds.
> >
> > This morning with 150 req/sec:
> >
> > select_loops = 280.262863/sec
> > select_fds = 1502.051748/sec
> > average_select_fd_period = 0.000660/fd
> > median_select_fds = 3.984375
> >
> > This evening with 40 req/sec:
> >
> > select_loops = 383.217992/sec
> > select_fds = 457.205789/sec
> > average_select_fd_period = 0.001830/fd
> > median_select_fds = 0.000000
>
> I assume that you see high 99% usage at 150 req/sec, and
> "okay" CPU usage at 40 req/sec.
>
> From the above numbers, it looks like the high CPU usage is not due to
> some stuck file descriptor.
>
> Was that the entire squid configuration that you sent? Or do you have some
> long ACL lists or something that could be causing the high CPU usage?
>
> Duane W.



--

*Giulio Cervera*

EDS PA SpA
Via Atanasio Soldati 80
00155 Roma (Italy)
tel: +39 06 22739 270
fax: +39 06 22739 233
e-mail: [EMAIL PROTECTED]
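
Added example, not part of the original thread and not Squid's own code: a small Python sketch that answers the "long ACL lists" question for a squid.conf by counting entries per ACL and summing the regex patterns referenced from `http_access`. The names `inventory`, `regex_patterns_on_http_access` and `SAMPLE_CONF` are hypothetical, and the sample is an excerpt of the ACL lines posted above.

```python
import re

# Excerpt of the ACL lines posted in the message above (not the full config).
SAMPLE_CONF = r"""
acl QUERY urlpath_regex cgi-bin \?
acl Safe_ports port 80        # http
acl Safe_ports port 443-499     # https
acl clients src 10.0.0.0/8
acl clients src 172.16.0.0/12
acl siteallow_url url_regex -i ^.{3,4}://.*\.public\.rupa\.it
acl dangurl urlpath_regex -i \.id[aq]\?.{100,}           # CodeRED
acl dangurl urlpath_regex -i /readme\.(eml|nws|exe)      # NIMDA
http_access deny !Safe_ports
http_access deny dangurl
http_access allow siteallow_url
http_access allow clients
http_access deny all
"""

# Squid ACL types whose values are regular expressions (a subset).
REGEX_TYPES = {"url_regex", "urlpath_regex", "dstdom_regex", "srcdom_regex", "browser"}


def inventory(conf):
    """Return ({acl: {"type", "entries", "regex"}}, [ACL names used by http_access, in order])."""
    acls, checked = {}, []
    for raw in conf.splitlines():
        # Drop whole-line and trailing '#' comments, then split on whitespace.
        tok = re.sub(r"(^|\s)#.*$", "", raw).split()
        if len(tok) >= 3 and tok[0] == "acl":
            name, kind = tok[1], tok[2]
            values = [v for v in tok[3:] if v != "-i"]  # -i is a flag, not an entry
            entry = acls.setdefault(
                name, {"type": kind, "entries": 0, "regex": kind in REGEX_TYPES})
            entry["entries"] += len(values)  # repeated 'acl NAME' lines accumulate
        elif len(tok) >= 3 and tok[0] == "http_access":
            checked += [a.lstrip("!") for a in tok[2:]]  # tok[1] is allow/deny
    return acls, checked


def regex_patterns_on_http_access(conf):
    """Regex patterns a request may be tested against if no earlier rule matches."""
    acls, checked = inventory(conf)
    return sum(acls[a]["entries"] for a in checked if a in acls and acls[a]["regex"])


if __name__ == "__main__":
    for name, info in inventory(SAMPLE_CONF)[0].items():
        print(f"{name:15} {info['type']:14} entries={info['entries']} regex={info['regex']}")
    print("regex patterns on http_access path:", regex_patterns_on_http_access(SAMPLE_CONF))
```

ACLs loaded from external files (`acl NAME TYPE "/path/to/file"`) count as a single entry here, so those files need to be counted separately.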