<div dir="ltr"><div><div>Dear all, i use squid 3.5.20 on ubuntu14 in TPROXY mode.<br></div>With basic config in squid.conf, but squid is run out of my server's memory.<br></div>Here is my configure option :<br><br>'--prefix=/usr' '--includedir=/usr/include' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=/usr/lib/squid' '--srcdir=.' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--mandir=/usr/share/man' '--enable-inline' '--enable-async-io=24' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-gnuregex' '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos' '--enable-http-violations' '--enable-ssl-crtd' '--enable-linux-netfilter' '--enable-ltdl-install' '--enable-ltdl-convenience' '--enable-x-accelerator-vary' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' '--disable-translation' '--disable-ipv6' '--disable-ident-lookups' '--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--with-aufs-threads=24' '--with-filedescriptors=65536' '--with-large-files' '--with-maxfd=65536' '--with-openssl' '--with-default-user=proxy' '--with-included-ltdl'<br>--------------------------------------<br><br clear="all"><div><div><div>And i apply this patch before compile for disabling host forgery checks :<br><br>+diff -ur squid-3.5.20-orig/src/client_side_request.cc squid-3.5.20/src/client_side_request.cc<br>+--- squid-3.5.20-orig/src/client_side_request.cc 2016-07-01 13:37:50.000000000 +0200<br>++++ squid-3.5.20/src/client_side_request.cc 2017-03-10 16:48:08.920084072 +0100<br>+@@ -530,6 +530,10 @@<br>+ }<br>+ debugs(85, 3, HERE << "validate IP " << clientConn->local << " non-match from Host: IP " << ia->in_addrs[i]);<br>+ }<br>++ // disable fogery check. See <a href="https://code.nethesis.it/Nethesis/dev/issues/5088">https://code.nethesis.it/Nethesis/dev/issues/5088</a><br>++ http->request->flags.hostVerified = true;<br>++ http->doCallouts();<br>++ return;<br>+ }<br>+ debugs(85, 3, HERE << "FAIL: validate IP " << clientConn->local << " possible from Host:");<br>+ hostHeaderVerifyFailed("local IP", "any domain IP");<br></div><div><br></div><div>And here is my squid.conf ( i don't post my http_access for clearly view :()<br><br>###############################################################################<br># Squid normally listens to port 3128<br>###############################################################################<br><br>https_port 3130 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/e1f19c0494badc8dc14e8c4c56a8b97a.dyn<br>http_port 3129 tproxy<br>http_port 3128<br><br>###############################################################################<br># squid ssl_bump option<br>###############################################################################<br>acl step1 at_step SslBump1<br>acl block ssl::server_name "/etc/squid/block_domain.txt"<br>ssl_bump peek step1<br>ssl_bump terminate block<br>ssl_bump splice all<br>sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression<br>sslproxy_cipher ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL<br>sslproxy_cert_error deny all<br>sslproxy_foreign_intermediate_certs /etc/squid/intermediate_ca.pem<br><br>sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB<br>sslcrtd_children 8 startup=1 idle=1<br><br>###############################################################################<br>## LOGFILE OPTIONS<br>###############################################################################<br><br>mime_table /etc/squid/mime.conf<br>pid_filename /var/run/squid.pid<br><br>include /etc/squid/logging.conf<br>###############################################################################<br>## OPTIONS FOR TROUBLESHOOTING<br>###############################################################################<br><br>coredump_dir /var/spool/squid<br>debug_options ALL,1<br>cache_effective_user squid<br>cache_effective_group squid<br>###############################################################################<br>## PERSISTENT CONNECTION HANDLING<br>###############################################################################<br> <br>detect_broken_pconn off<br>client_persistent_connections off<br>server_persistent_connections on<br><br>###############################################################################<br>## ERROR PAGE OPTIONS<br>###############################################################################<br>error_directory /usr/share/squid/errors/en<br>error_log_languages off<br><br>###############################################################################<br>## DNS OPTIONS<br>###############################################################################<br>check_hostnames off<br>hosts_file /etc/hosts<br>connect_retries 2<br>ipcache_low 90<br>ipcache_size 5024 # Maximum number of DNS IP cache entries.<br>fqdncache_size 3024 # Maximum number of FQDN cache entries.<br>pipeline_prefetch 100<br><br>###############################################################################<br>## MISCELLANEOUS<br>###############################################################################<br><br>max_filedescriptors 65536<br><br>------------------------------------------------------------------------<br></div><div><br></div><div>The problem is my squid spent alot of memory. I have about 200 user, and my server is 4gb dram with 8gb swap dram but not enough !<br> total used free shared buffers cached<br>Mem: 3.8G 3.4G 503M 736K 181M 1.7G<br>-/+ buffers/cache: 1.5G 2.4G<br>Swap: 8.1G 9.3M 8.1G<br><br></div><div>There is any issue with my squid ?? How can i fix it ?<br><br></div><div>I have attach files for detail (squid.conf and squid-3.5.20-ssl-forgery.patch)<br><br>-- <br><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div><div>Thanks & Best Regards,<br>--------------<br></div>Đỗ Hoàng Minh Hưng<br></div>Gmail : <a href="mailto:hoangminhung@gmail.com" target="_blank">hoangminhung@gmail.com</a><br></div>SĐT : 01234454115<br></div></div></div></div>
</div></div></div></div>