[squid-users] url_rewrite_program and ACLs

Amos Jeffries squid3 at treenet.co.nz
Mon Nov 20 14:51:21 UTC 2017 

On 20/11/17 22:15, Vieri wrote:
> ________________________________
> From: Amos Jeffries <squid3 at treenet.co.nz>
>>
>> I would compare your custom script to the ext_sql_session_acl.pl.in
>> script we bundle with current Squid.
> 
> 
> I've rewritten my perl script, and have been running it for a full week now without any issues. Free RAM drops down to alarming values, but then rises back up again. In any case, "used swap" is always the same. The only thing that keeps be edgy is the fact that the open FDs keep growing (slowly but steadily). After a few days the value is around 6000, but after a week (today) it's:
> 


> Squid Object Cache: Version 3.5.27-20171101-re69e56c
> Build Info:
> Service Name: squid
> Start Time:     Mon, 13 Nov 2017 11:06:36 GMT
> Current Time:   Mon, 20 Nov 2017 08:48:00 GMT

> Average HTTP requests per minute since start:   647.3
...
> File descriptor usage for squid:
> Maximum number of file descriptors:   65536
> Largest file desc currently in use:   12714
> Number of file desc currently in use: 11998

So ~100 RPS, I would expect the open FDs used by ICAP to be around 
299-300. Not the 11K+ you are seeing.

If we assume that each request opens a new connection and they are not 
closed until TCP times out on the socket we do get numbers much more 
like that 11K+ you are seeing.

That implies that ICAP transactions are probably not finishing 
completely. Is the ICAP service finishing the ICAP reply messages 
properly? (eg with a 0-size chunk)

Or maybe the error that led to you deciding to configure 
"icap_service_failure_limit -1" was actually a real problem.


> 
> mgr:filedescriptors shows a great deal of these:
> 
> Remote Address        Description
> --------------------- ------------------------------
> 127.0.0.1:1344        127.0.0.1
> 
> 
> # squidclient mgr:filedescriptors | grep -c "127.0.0.1:1344"
> 11578
> 
> 
> Port 1344 is where the c-icap daemon listens on.
> This is the relevant part in squid.conf:
> 
> icap_enable on
> icap_send_client_ip on
> icap_send_client_username on
> icap_client_username_encode off
> icap_client_username_header X-Authenticated-User
> icap_preview_enable on
> icap_preview_size 1024
> icap_service squidclamav respmod_precache bypass=0 icap://127.0.0.1:1344/clamav
> adaptation_access squidclamav allow all
> icap_service_failure_limit -1
> 
> 
> The number of connections to this port fluctuates over time (it also decreases), but overall it clearly increases day by day.
> I could have an issue with either c-icap itself or one of its modules.
> I'll keep an eye on it.

I think those 11K open FDs is sufficient evidence to say something is 
wrong with the ICAP transactions. If you can get a packet trace of some 
of some ICAP connections it might give better clues to what is happening 
there.

Amos

More information about the squid-users mailing list