[squid-users] Documentation for squidclient?
Dijxie
dijxie at gmail.com
Thu May 18 13:51:16 UTC 2017
W dniu 18.05.2017 o 14:48, erdosain9 pisze:
> Hi.
> Where i can find documentation for the opcion on squidclient, many of them
> are self-explanatory but for example this:
>
> [root at squid ~]# squidclient mgr:external_acl
> HTTP/1.1 200 OK
> Server: squid/3.5.20
> Mime-Version: 1.0
> Date: Thu, 18 May 2017 12:40:54 GMT
> Content-Type: text/plain;charset=utf-8
> Expires: Thu, 18 May 2017 12:40:54 GMT
> Last-Modified: Thu, 18 May 2017 12:40:54 GMT
> X-Cache: MISS from squid.xxxxxxx.lan
> X-Cache-Lookup: MISS from squid.xxxxxxx.lan:3128
> Connection: close
>
> External ACL Statistics: i-full
> Cache size: 13
> program: /usr/lib64/squid/ext_kerberos_ldap_group_acl
> number active: 5 of 5 (0 shutting down)
> requests sent: 48
> replies received: 48
> queue length: 0
> avg service time: 11 msec
>
> ID # FD PID # Requests # Replies Flags Time Offset
> Request
> 6 23 2134 48 48 0.011 0 (none)
> 7 25 2135 0 0 0.000 0 (none)
> 8 27 2136 0 0 0.000 0 (none)
> 9 29 2137 0 0 0.000 0 (none)
> 10 31 2138 0 0 0.000 0 (none)
>
> Flags key:
>
> B = BUSY
> W = WRITING
> C = CLOSING
> S = SHUTDOWN PENDING
>
> External ACL Statistics: i-limitado
> Cache size: 29
> program: /usr/lib64/squid/ext_kerberos_ldap_group_acl
> number active: 5 of 5 (0 shutting down)
> requests sent: 110
> replies received: 110
> queue length: 0
> avg service time: 101 msec
>
> ID # FD PID # Requests # Replies Flags Time Offset
> Request
> 11 33 2139 110 110 0.014 0 (none)
> 12 35 2140 0 0 0.000 0 (none)
> 13 37 2141 0 0 0.000 0 (none)
> 14 39 2142 0 0 0.000 0 (none)
> 15 41 2143 0 0 0.000 0 (none)
>
> Flags key:
>
> B = BUSY
> W = WRITING
> C = CLOSING
> S = SHUTDOWN PENDING
>
> External ACL Statistics: i-sinlimite
> Cache size: 51
> program: /usr/lib64/squid/ext_kerberos_ldap_group_acl
> number active: 5 of 5 (0 shutting down)
> requests sent: 195
> replies received: 195
> queue length: 0
> avg service time: -1441 msec
>
> ID # FD PID # Requests # Replies Flags Time Offset
> Request
> 16 43 2144 191 191 0.050 0 (none)
> 17 45 2145 1 1 0.175 0 (none)
> 18 47 2146 1 1 0.185 0 (none)
> 19 49 2147 1 1 0.130 0 (none)
> 20 51 2148 1 1 0.229 0 (none)
>
> Flags key:
>
> B = BUSY
> W = WRITING
> C = CLOSING
> S = SHUTDOWN PENDING
>
> I know that i dont have any user in External ACL Statistics: i-sinlimite...
> then why those statistics (with request and replies and 5 of 5).
>
> Thanks to all
>
>
>
>
> --
> View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Documentation-for-squidclient-tp4682457.html
> Sent from the Squid - Users mailing list archive at Nabble.com.
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
As far as I remember, you have some ldap group-based ACLs in your
config. If any user is trying to access site listed in that kind of ACL,
this helper is checking is user is in AD group that allows or disallows
this action.
You may not have any user in i-sinlimite, but you DO HAVE this ACL, so
squid will always check that group and find out that the result is
negative. If you have no users in this group and not going to have in
near future, analyze your ACL logic and remove this rule from
configuration - this will make squid faster for sure.
Your config is:
===begin conf sample===
http_access allow localhost
http_access allow i-sinlimite
http_access allow sin_autenticacion
http_access allow i-limitado #!dominios_denegados
http_access allow i-full #!dominios_denegados
# And finally deny all other access to this proxy
http_access deny all
===end===
You have no user in this group, yet since it is the first rule, EVERY user has to be checked is he/she ini-sinlimite at xxxxxxx.LAN group. What for, if group is not used? And it is not used in delay_class either.
When squid knows that user is not allowed by i-sinlimite, next rule (sin_autenticacion) is launched, but this is different, list-based ACL, don't now what is on the list - my guess is that's the list of sites that does not require an authentication. If so, it makes no sense - that kind of rule should be above any ACL that requires authentication.
So, most users will access most sites by rule i-limitado, but before, any user has to be checked by i-sinlimite. Makes no sense, really.
Second thing is that most of these ACLs are doing nothing, since your allow everything (!negation is disabled by # sign). Save some RAM consumed by helpers and reorganize your config.
Stats for i-sinlimite look good, although avg service time: -1441 msec is wrong (don't know why). Since that rule affects every user, delay caused by this hepler is added to every user's connection. As long as requests sent = recieved, there is no disaster anyway - users can browse The internet. Once more, remove that ACL and disable hepler.
IMHO you should build a test squid and do some practical learning how things work.
PS. Post your squid.conf every time; I rememer it from different thread, someone else may not.
--
Greets, Dijx
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20170518/1a6c9084/attachment-0001.html>
More information about the squid-users
mailing list