[squid-users] 100% cpu after about an hour

[Michael Gibson]

Hello,

Having about 100% CPU usage after about an hour running. We operate Squid v
3.5 on multiple nodes. We range from 10 users, up through 200 on various
nodes. We recently updated from 3.3 to 3.5 and I've been unable to contain
the core usage of Squid. I attempted to get multiple Squid workers resulted
in both cores getting pegged on our small servers.

Dual core Intel(R) Celeron(R) M processor         1.50GHz
4GB RAM

Here's the config we're currently running:

# Managed by Chef
# Changes will be overwritten

# Crazy debug
#debug_options ALL,0 11,5 20,5 17,5 23,5 26,5 28,5 44,5 55,5 61,5 78,5 83,5

# Debug ACL issues
#debug_options ALL,1 28,4

# Debug ACL issues full access
#debug_options ALL,1 28,2 28,9

# Setup our local networks ACLs
acl VPN_Net src 10.1.2.0/24
acl No_Auth_Net src 10.10.1.0/24
acl Android_Server src 10.10.1.1/32

acl SSL_ports port 443
acl Safe_ports port 80    # http
acl Safe_ports port 443   # https
acl CONNECT method CONNECT

# Custom acl for Telmate-controlled sites
acl telmate_domains dstdomain .telmate.com .telmate.cc
request_header_add ****************************
request_header_add **********************

#
# Content filtering
#
icap_enable on

# unlimited icap failure
icap_service_failure_limit -1
icap_retry allow all
icap_send_client_ip on
icap_retry_limit -1

icap_service service_req reqmod_precache bypass=0 icap://
127.0.0.1:1344/request
adaptation_access service_req allow VPN_Net !CONNECT

icap_service service_resp respmod_precache bypass=0 icap://
127.0.0.1:1344/response
adaptation_access service_resp allow VPN_Net

# Only allow cachemgr access from Android Server
http_access allow Android_Server manager
http_access deny manager

# Deny requests to ports we don't allow
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# URL Filtering

# acl No_Auth_Whitelist dstdomain "/etc/squid3/approved-sites.squid"
acl No_Auth_Whitelist dstdomain "/etc/squid3/no-auth-approved-sites.squid"

# dedicated, no exception URL blacklist managed by chef only
acl blacklist-urls url_regex "/etc/squid3/blacklist-urls.squid"
http_access deny blacklist-urls

# Allow localhost access in case of misconfigured application
http_access allow localhost

# Allow No_Auth_Net access to only the No auth whitelist
http_access allow No_Auth_Whitelist No_Auth_Net

# CONNECT method requests only have an IP address, allow all SSL CONNECT
handshakes
http_access allow No_Auth_Net CONNECT

# Allow VPN_Net to anything as ICAP will be consulted for approval
http_access allow VPN_Net

# Default catch all to deny access not specifically granted
http_access deny all


# Squid proxy interception config
http_port 10.10.1.1:3128
http_port 10.10.1.1:3126 intercept
https_port 10.10.1.1:3127 intercept ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/telmate-gk-CA.pem

# Proxy public hiding, don't tell site we are using a proxy
via off
forwarded_for off

# ssl-bump goodies
always_direct allow all
ssl_bump server-first all

# the following two options are unsafe and not always necessary:
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

# Prepare ssl_db: Done in Chef
# /usr/lib/squid3/ssl_crtd3 -c -s /var/spool/squid3/ssl_db -M 4MB
# chown -R proxy:proxy /var/spool/squid3/ssl_db
sslcrtd_program /usr/lib/squid3/ssl_crtd3 -s /var/spool/squid3/ssl_db -M 4MB
sslcrtd_children 32 startup=5 idle=1

# Shutdown Squid after 2 seconds to flush current connections, default is 10
shutdown_lifetime 2 seconds

# Leave coredumps in the cache dir
coredump_dir /var/spool/squid3

# Object size and lifetime settings
cache_mem 256 MB
maximum_object_size 1024 MB
range_offset_limit 200 MB
quick_abort_min -1
read_ahead_gap 50 MB

# cache the health_check to give poor snap a break :(
refresh_pattern ^https://*************/health_check 10 80% 30
override-expire override-lastmod ignore-reload ignore-no-store
ignore-must-revalidate ignore-private ignore-auth store-stale

refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|
swf|flv|x-flv|mpg|wma|ogg|wmv|asx|asf)$ 260000 90% 260009 override-expire
refresh_pattern -i zip$ 432000 100% 864000 override-expire
refresh_pattern .   0 20% 4320

# Logging
# Following logformat WITH request headers, VERY chatty, debug only
# logformat squid %tl %5trms %>a %Ss/%03>Hs %<st %rm %>ru %mt %>ha
logformat squid-full %tl %5trms %>a %Ss/%03>Hs %<st %rm %>ru %mt
logformat squid %tl %5trms %>a %Ss/%03>Hs %<st %rm %ru %mt
# Log query params for telmate traffic only
access_log daemon:/var/log/squid3/telmate.log squid-full telmate_domains
access_log daemon:/var/log/squid3/access.log squid

# Cache_dir must be after maximum_object_size
cache_dir rock /var/spool/squid3 51200

-- 
*Michael Gibson*
*Linux Systems Administrator*
655 Montgomery Street, 18th Floor
San Francisco, CA 94111
Email gibson at telmate.com
Office (415) 300-4015 www.Telmate.com <http://www.telmate.com/> |
www.GettingOut.com <http://www.gettingout.com/> | GettingOut Facebook
<https://www.facebook.com/pages/Gettingout/494201843984720>

[image: Telmate] <http://www.telmate.com/>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20161201/29fa1b8d/attachment-0001.html>