[squid-users] squid on openwrt: RAM usage and header forgery

reinerotto augustus_meyer at gmx.net
Wed Oct 10 07:18:37 UTC 2018


Using squid 4.0.24 on openwrt, I see it grabbing a significant amount of
additional RAM after a short period of activity, although I tried to downsize
squid as much as possible. Any suggestion for further significant reduction
of mem requirements after startup, or why is there such a growth (> 10MB)
after a short period of time?
Initial mem requirements are OK, but the huge increase in size afterwards
is not appreciated.
(Don't need caching at all. Compiled without IPv6.)

First the (anon) squid.conf:
acl localnet src 192.168.182.0/24
acl ssl_ports port 443
acl safe_ports port 80
acl safe_ports port 443
acl safe_ports port 3128
acl connect method connect

http_access deny !safe_ports
http_access deny connect !ssl_ports

acl acl1 url_regex -i .*/string1$
acl acl2 url_regex -i .*/string2$
acl acl3 url_regex -i .*/string3$

external_acl_type check_test ttl=0 cache=0 %SRC /etc/squid/check_test.sh
external_acl_type check_test_2 ttl=30 negative_ttl=3 cache=32 %SRC /etc/squid/check_test_2.sh
acl check_2 external check_test_2
acl check  external check_test

http_access deny acl1 check
http_access deny acl2 check
http_access deny acl3 check

http_access allow localnet
http_access allow localhost
http_access deny all

cache deny all
access_log none
cache_log /var/log/squid/cache.log
cache_store_log stdio:/dev/null
logfile_rotate 0
logfile_daemon /dev/null

http_port 3128
http_port 8888 intercept

https_port 4443 intercept ssl-bump cert=/etc/squid/ssl_cert/myCA.pem \
  generate-host-certificates=off dynamic_cert_mem_cache_size=1MB \
  sslflags=NO_DEFAULT_CA
acl step1 at_step SslBump1
ssl_bump peek step1 all

acl sni_block ssl::server_name .a.com
acl sni_block ssl::server_name .b.com
acl sni_block ssl::server_name .c.com
ssl_bump terminate !check_2 sni_block check
ssl_bump splice all


cache_mem 0 MB
shutdown_lifetime 10 seconds
httpd_suppress_version_string on
dns_v4_first on
forwarded_for delete
via off
reply_header_access Cache deny all
client_idle_pconn_timeout 1 minute
server_idle_pconn_timeout 5 minute
memory_pools off
ipcache_size 128
fqdncache_size 128
reply_header_access Alternate-Protocol deny all
reply_header_access alternate-protocol deny all
reply_header_access alt-svc deny all
pinger_enable off
digest_generation off
netdb_filename none
dns_nameservers 127.0.0.1
reply_body_max_size 4 MB


Now mem requirements for kid-1, shortly after boot:
cat /proc/1447/status
Name:   squid
Umask:  0027
State:  S (sleeping)
Tgid:   1447
Ngid:   0
Pid:    1447
PPid:   1444
TracerPid:      0
Uid:    0       65534   0       65534
Gid:    65534   65534   65534   65534
FDSize: 32
Groups: 65534
VmPeak:    15836 kB <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
VmSize:    15836 kB
VmLck:         0 kB
VmPin:         0 kB
VmHWM:     11324 kB
VmRSS:     11324 kB
RssAnon:            4596 kB
RssFile:            6660 kB
RssShmem:             68 kB
VmData:     5708 kB <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
VmStk:       132 kB
VmExe:      3744 kB
VmLib:      4196 kB
VmPTE:        28 kB
VmPMD:         0 kB
VmSwap:        0 kB
Threads:        1
SigQ:   0/977
SigPnd: 00000000000000000000000000000000
ShdPnd: 00000000000000000000000000000000
SigBlk: 00000000000000000000000000000000
SigIgn: 00000000000000000000000000001004
SigCgt: 0000000000000000000000000203c603
CapInh: 0000000000000000
CapPrm: 0000003fffffffff
CapEff: 0000000000000400
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000
NoNewPrivs:     0
Speculation_Store_Bypass:       unknown
Cpus_allowed:   1
Cpus_allowed_list:      0
voluntary_ctxt_switches:        275
nonvoluntary_ctxt_switches:     100

#1h later, after some usage:
 cat /proc/1447/status
Name:   squid
Umask:  0027
State:  S (sleeping)
Tgid:   1447
Ngid:   0
Pid:    1447
PPid:   1444
TracerPid:      0
Uid:    0       65534   0       65534
Gid:    65534   65534   65534   65534
FDSize: 512
Groups: 65534
VmPeak:    28844 kB <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
VmSize:    28844 kB
VmLck:         0 kB
VmPin:         0 kB
VmHWM:     23064 kB
VmRSS:     23064 kB
RssAnon:           15856 kB
RssFile:            7140 kB
RssShmem:             68 kB
VmData:    18716 kB <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
VmStk:       132 kB
VmExe:      3744 kB
VmLib:      4196 kB
VmPTE:        40 kB
VmPMD:         0 kB
VmSwap:        0 kB
Threads:        1
SigQ:   0/977
SigPnd: 00000000000000000000000000000000
ShdPnd: 00000000000000000000000000000000
SigBlk: 00000000000000000000000000000000
SigIgn: 00000000000000000000000000001004
SigCgt: 0000000000000000000000000203c603
CapInh: 0000000000000000
CapPrm: 0000003fffffffff
CapEff: 0000000000000400
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000
NoNewPrivs:     0
Speculation_Store_Bypass:       unknown
Cpus_allowed:   1
Cpus_allowed_list:      0
voluntary_ctxt_switches:        16501
nonvoluntary_ctxt_switches:     9636

I get quite a lot of messages in cache.log:
2018/10/09 12:38:49 kid1| ALE missing adapted HttpRequest object
2018/10/09 12:38:49 kid1| ALE missing URL
2018/10/09 12:38:49 kid1| ALE missing adapted HttpRequest object
2018/10/09 12:40:18 kid1| SECURITY ALERT: Host header forgery detected on
local=212.95.165.32:443 remote=192.168.182.3:51304 FD 36 flags=33 (local IP
does not match any domain IP)
2018/10/09 12:40:18 kid1| SECURITY ALERT: on URL:
b.scorecardresearch.com:443
2018/10/09 12:40:28 kid1| SECURITY ALERT: Host header forgery detected on
local=104.193.83.156:443 remote=192.168.182.3:51400 FD 183 flags=33 (local
IP does not match any domain IP)
2018/10/09 12:40:28 kid1| SECURITY ALERT: on URL:
csm2waycm-atl.netmng.com:443
2018/10/09 12:40:28 kid1| SECURITY ALERT: Host header forgery detected on
local=104.193.83.156:443 remote=192.168.182.3:51402 FD 226 flags=33 (local
IP does not match any domain IP)

My guess is that the "header forgery" might be caused by an inconsistency
between the browser's DNS cache, my client's DNS cache (Win 7) and the DNS cache
on the device running squid. As practically all these "header forgeries"
are for ad-networks, I consider it only an annoyance. Or is it _not_?
--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
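The two /proc status dumps in the post are the raw material for answering the memory question, and the useful operation on them is a field-by-field diff that separates anonymous (heap) growth from file-backed growth and from the file-descriptor table. The script below is an added example, not code from the post or from the Squid project; it embeds a constructed subset of the two snapshots shown above and a `read_status(pid)` helper for taking live samples on the router.

```python
import re
from typing import Dict, List, Tuple

# Constructed snapshots: the subset of /proc/<pid>/status fields quoted in the post,
# first shortly after boot, then about an hour later.
STATUS_BOOT = """\
Name:   squid
FDSize: 32
VmPeak:    15836 kB
VmSize:    15836 kB
VmHWM:     11324 kB
VmRSS:     11324 kB
RssAnon:            4596 kB
RssFile:            6660 kB
RssShmem:             68 kB
VmData:     5708 kB
VmPTE:        28 kB
Threads:        1
"""

STATUS_LATER = """\
Name:   squid
FDSize: 512
VmPeak:    28844 kB
VmSize:    28844 kB
VmHWM:     23064 kB
VmRSS:     23064 kB
RssAnon:           15856 kB
RssFile:            7140 kB
RssShmem:             68 kB
VmData:    18716 kB
VmPTE:        40 kB
Threads:        1
"""

KB_FIELD = re.compile(r"^(\w+):\s+(\d+)\s+kB$")
COUNT_FIELD = re.compile(r"^(FDSize|Threads):\s+(\d+)$")


def parse_status(text: str) -> Dict[str, int]:
    """Numeric fields of a /proc/<pid>/status dump: kB for memory fields,
    plain counts for FDSize and Threads. Non-numeric lines are ignored."""
    fields: Dict[str, int] = {}
    for line in text.splitlines():
        m = KB_FIELD.match(line) or COUNT_FIELD.match(line)
        if m:
            fields[m.group(1)] = int(m.group(2))
    return fields


def read_status(pid: int) -> Dict[str, int]:
    """Take a live sample (Linux only); e.g. the kid-1 pid from the post."""
    with open(f"/proc/{pid}/status") as f:
        return parse_status(f.read())


def growth(before: Dict[str, int], after: Dict[str, int]) -> List[Tuple[str, int, int, int]]:
    """(field, before, after, delta) for every field present in both snapshots,
    largest delta first, so the growing counters surface at the top."""
    rows = [(k, before[k], after[k], after[k] - before[k]) for k in before if k in after]
    return sorted(rows, key=lambda r: r[3], reverse=True)


def anon_share(before: Dict[str, int], after: Dict[str, int]) -> float:
    """Fraction of the RSS growth that is anonymous (private heap) rather than
    file-backed mappings; close to 1.0 points at allocations, not new libraries."""
    rss_delta = after["VmRSS"] - before["VmRSS"]
    if rss_delta == 0:
        return 0.0
    return (after["RssAnon"] - before["RssAnon"]) / rss_delta


if __name__ == "__main__":
    boot, later = parse_status(STATUS_BOOT), parse_status(STATUS_LATER)
    for field, b, a, d in growth(boot, later):
        print(f"{field:10} {b:>8} -> {a:>8}  (+{d})")
    print(f"anonymous share of RSS growth: {anon_share(boot, later):.2%}")
```

Run against the post's numbers, VmData grows by exactly the VmSize increase and RssAnon accounts for about 96% of the RSS growth, while RssFile moves by under 0.5 MB; the extra memory is private heap, not new mappings. FDSize going from 32 to 512 is the kernel's descriptor table growing with the number of open sockets over the hour. Sampling `read_status(pid)` every few minutes and diffing consecutive samples shows whether the growth plateaus or keeps climbing.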

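Squid raises the "Host header forgery" alert on intercepted connections when the destination IP the client actually connected to (the `local=` address) is not among the addresses the proxy's own resolver returns for the Host or SNI name. The triage a defender wants is therefore: pair each alert with its "on URL:" line, re-resolve the name from the proxy, and see whether the mismatch persists or was just a different DNS view. The following is an added example, not code from the post or from Squid; it embeds the post's log lines re-joined to one line per message (the mail client wrapped them) as a constructed sample, and the resolver used in the demo is a constructed mapping so it runs offline. `system_resolver` is the drop-in for use on the proxy host.

```python
import re
import socket
from collections import Counter
from typing import Callable, Dict, Iterable, List, Optional, Set

# Constructed sample from the post's cache.log excerpt, one line per message.
# The last alert has no "on URL:" companion line, exactly as in the excerpt.
SAMPLE_LOG = """\
2018/10/09 12:38:49 kid1| ALE missing URL
2018/10/09 12:40:18 kid1| SECURITY ALERT: Host header forgery detected on local=212.95.165.32:443 remote=192.168.182.3:51304 FD 36 flags=33 (local IP does not match any domain IP)
2018/10/09 12:40:18 kid1| SECURITY ALERT: on URL: b.scorecardresearch.com:443
2018/10/09 12:40:28 kid1| SECURITY ALERT: Host header forgery detected on local=104.193.83.156:443 remote=192.168.182.3:51400 FD 183 flags=33 (local IP does not match any domain IP)
2018/10/09 12:40:28 kid1| SECURITY ALERT: on URL: csm2waycm-atl.netmng.com:443
2018/10/09 12:40:28 kid1| SECURITY ALERT: Host header forgery detected on local=104.193.83.156:443 remote=192.168.182.3:51402 FD 226 flags=33 (local IP does not match any domain IP)
"""

TS = r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) kid\d+\| SECURITY ALERT: "
# IPv4 only: the post's build has no IPv6 (Squid prints IPv6 endpoints as [addr]:port).
DETECT_RE = re.compile(
    TS + r"Host header forgery detected on "
    r"local=(?P<local_ip>\d+(?:\.\d+){3}):(?P<local_port>\d+) "
    r"remote=(?P<client_ip>\d+(?:\.\d+){3}):(?P<client_port>\d+)"
)
URL_RE = re.compile(TS + r"on URL: (?P<host>[^:\s]+)(?::(?P<port>\d+))?")


def parse_forgery_alerts(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Pair each 'detected on' line with the 'on URL:' line that follows it.
    An alert whose URL line is missing keeps host=None rather than taking
    the next alert's host."""
    records: List[Dict[str, object]] = []
    pending: Optional[Dict[str, object]] = None
    for raw in lines:
        line = raw.rstrip("\n")
        m = DETECT_RE.match(line)
        if m:
            if pending is not None:
                records.append(pending)
            pending = {
                "ts": m["ts"],
                "local_ip": m["local_ip"], "local_port": int(m["local_port"]),
                "client_ip": m["client_ip"], "client_port": int(m["client_port"]),
                "host": None,
            }
            continue
        m = URL_RE.match(line)
        if m and pending is not None and pending["host"] is None:
            pending["host"] = m["host"]
    if pending is not None:
        records.append(pending)
    return records


def system_resolver(host: str) -> Optional[Set[str]]:
    """Resolve with the proxy host's resolver, which is what Squid compares against."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(host, None, socket.AF_INET)}
    except socket.gaierror:
        return None


def classify(records: List[Dict[str, object]],
             resolve: Callable[[str], Optional[Set[str]]]) -> List[Dict[str, object]]:
    """Verdict per alert: 'consistent' if the intercepted destination IP is in the
    resolver's answer now (a stale or differing DNS view at the time), 'mismatch'
    if it still is not, 'unresolvable', or 'no-url' when the host line is absent."""
    out = []
    for r in records:
        rec = dict(r)
        host = rec["host"]
        if host is None:
            rec["verdict"] = "no-url"
        else:
            addrs = resolve(str(host))
            if addrs is None:
                rec["verdict"] = "unresolvable"
            elif rec["local_ip"] in addrs:
                rec["verdict"] = "consistent"
            else:
                rec["verdict"] = "mismatch"
        out.append(rec)
    return out


def summarize(classified: List[Dict[str, object]]) -> Dict[str, Counter]:
    """Per-host verdict counts: shows whether alerts cluster on a few CDN/ad hosts."""
    by_host: Dict[str, Counter] = {}
    for rec in classified:
        key = str(rec["host"]) if rec["host"] is not None else "<unknown>"
        by_host.setdefault(key, Counter())[str(rec["verdict"])] += 1
    return by_host


if __name__ == "__main__":
    # Constructed resolver so the demo is offline; use system_resolver on the proxy.
    fake_dns = {"b.scorecardresearch.com": {"212.95.165.32"},
                "csm2waycm-atl.netmng.com": {"104.193.83.1"}}
    rows = classify(parse_forgery_alerts(SAMPLE_LOG.splitlines()), lambda h: fake_dns.get(h))
    for host, counts in summarize(rows).items():
        print(host, dict(counts))
```

A host that is 'consistent' on re-resolution fits the DNS-view explanation in the post (the client resolved the name through a different cache than the router did). Hosts that stay 'mismatch' across repeated runs are the ones worth a closer look, and a persistent 'mismatch' from a single client IP that is not a browser is the pattern the check exists to catch. Pointing the Windows clients at the same resolver the router uses (the post has `dns_nameservers 127.0.0.1`) removes the benign cause.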
