[squid-users] squid on openwrt: RAM usage and header forgery
reinerotto
augustus_meyer at gmx.net
Wed Oct 10 07:18:37 UTC 2018
Using squid 4.0.24 on openwrt, I see it grabbing a significant amount of
additional RAM after a short period of activity, although I tried to downsize
squid as much as possible. Any suggestion for further significant reduction
of mem requirements after startup, or why there is such growth (> 10MB)
after a short period of time?
Initial mem requirements are OK, but the huge increase in size afterwards
is not appreciated.
(Don't need caching at all. Compiled without IPv6)
First the (anon) squid.conf:
acl localnet src 192.168.182.0/24
acl ssl_ports port 443
acl safe_ports port 80
acl safe_ports port 443
acl safe_ports port 3128
acl connect method connect
http_access deny !safe_ports
http_access deny connect !ssl_ports
acl acl1 url_regex -i .*/string1$
acl acl2 url_regex -i .*/string2$
acl acl3 url_regex -i .*/string3$
external_acl_type check_test ttl=0 cache=0 %SRC /etc/squid/check_test.sh
external_acl_type check_test_2 ttl=30 negative_ttl=3 cache=32 %SRC /etc/squid/check_test_2.sh
acl check_2 check_test_2
acl check external check_test
http_access deny acl1 check
http_access deny acl2 check
http_access deny acl3 check
http_access allow localnet
http_access allow localhost
http_access deny all
cache deny all
access_log none
cache_log /var/log/squid/cache.log
cache_store_log stdio:/dev/null
logfile_rotate 0
logfile_daemon /dev/null
http_port 3128
http_port 8888 intercept
https_port 4443 intercept ssl-bump cert=/etc/squid/ssl_cert/myCA.pem \
    generate-host-certificates=off dynamic_cert_mem_cache_size=1MB \
    sslflags=NO_DEFAULT_CA
acl step1 at_step SslBump1
ssl_bump peek step1 all
acl sni_block ssl::server_name .a.com
acl sni_block ssl::server_name .b.com
acl sni_block ssl::server_name .c.com
ssl_bump terminate !check_2 sni_block check
ssl_bump splice all
cache_mem 0 MB
shutdown_lifetime 10 seconds
httpd_suppress_version_string on
dns_v4_first on
forwarded_for delete
via off
reply_header_access Cache deny all
client_idle_pconn_timeout 1 minute
server_idle_pconn_timeout 5 minute
memory_pools off
ipcache_size 128
fqdncache_size 128
reply_header_access Alternate-Protocol deny all
reply_header_access alternate-protocol deny all
reply_header_access alt-svc deny all
pinger_enable off
digest_generation off
netdb_filename none
dns_nameservers 127.0.0.1
reply_body_max_size 4 MB
Now mem requirements for kid-1, shortly after boot:
cat /proc/1447/status
Name: squid
Umask: 0027
State: S (sleeping)
Tgid: 1447
Ngid: 0
Pid: 1447
PPid: 1444
TracerPid: 0
Uid: 0 65534 0 65534
Gid: 65534 65534 65534 65534
FDSize: 32
Groups: 65534
VmPeak: 15836 kB <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
VmSize: 15836 kB
VmLck: 0 kB
VmPin: 0 kB
VmHWM: 11324 kB
VmRSS: 11324 kB
RssAnon: 4596 kB
RssFile: 6660 kB
RssShmem: 68 kB
VmData: 5708 kB <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
VmStk: 132 kB
VmExe: 3744 kB
VmLib: 4196 kB
VmPTE: 28 kB
VmPMD: 0 kB
VmSwap: 0 kB
Threads: 1
SigQ: 0/977
SigPnd: 00000000000000000000000000000000
ShdPnd: 00000000000000000000000000000000
SigBlk: 00000000000000000000000000000000
SigIgn: 00000000000000000000000000001004
SigCgt: 0000000000000000000000000203c603
CapInh: 0000000000000000
CapPrm: 0000003fffffffff
CapEff: 0000000000000400
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000
NoNewPrivs: 0
Speculation_Store_Bypass: unknown
Cpus_allowed: 1
Cpus_allowed_list: 0
voluntary_ctxt_switches: 275
nonvoluntary_ctxt_switches: 100
#1h later, after some usage:
cat /proc/1447/status
Name: squid
Umask: 0027
State: S (sleeping)
Tgid: 1447
Ngid: 0
Pid: 1447
PPid: 1444
TracerPid: 0
Uid: 0 65534 0 65534
Gid: 65534 65534 65534 65534
FDSize: 512
Groups: 65534
VmPeak: 28844 kB <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
VmSize: 28844 kB
VmLck: 0 kB
VmPin: 0 kB
VmHWM: 23064 kB
VmRSS: 23064 kB
RssAnon: 15856 kB
RssFile: 7140 kB
RssShmem: 68 kB
VmData: 18716 kB <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
VmStk: 132 kB
VmExe: 3744 kB
VmLib: 4196 kB
VmPTE: 40 kB
VmPMD: 0 kB
VmSwap: 0 kB
Threads: 1
SigQ: 0/977
SigPnd: 00000000000000000000000000000000
ShdPnd: 00000000000000000000000000000000
SigBlk: 00000000000000000000000000000000
SigIgn: 00000000000000000000000000001004
SigCgt: 0000000000000000000000000203c603
CapInh: 0000000000000000
CapPrm: 0000003fffffffff
CapEff: 0000000000000400
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000
NoNewPrivs: 0
Speculation_Store_Bypass: unknown
Cpus_allowed: 1
Cpus_allowed_list: 0
voluntary_ctxt_switches: 16501
nonvoluntary_ctxt_switches: 9636
I get quite a lot of messages in cache.log:
2018/10/09 12:38:49 kid1| ALE missing adapted HttpRequest object
2018/10/09 12:38:49 kid1| ALE missing URL
2018/10/09 12:38:49 kid1| ALE missing adapted HttpRequest object
2018/10/09 12:40:18 kid1| SECURITY ALERT: Host header forgery detected on
local=212.95.165.32:443 remote=192.168.182.3:51304 FD 36 flags=33 (local IP
does not match any domain IP)
2018/10/09 12:40:18 kid1| SECURITY ALERT: on URL:
b.scorecardresearch.com:443
2018/10/09 12:40:28 kid1| SECURITY ALERT: Host header forgery detected on
local=104.193.83.156:443 remote=192.168.182.3:51400 FD 183 flags=33 (local
IP does not match any domain IP)
2018/10/09 12:40:28 kid1| SECURITY ALERT: on URL:
csm2waycm-atl.netmng.com:443
2018/10/09 12:40:28 kid1| SECURITY ALERT: Host header forgery detected on
local=104.193.83.156:443 remote=192.168.182.3:51402 FD 226 flags=33 (local
IP does not match any domain IP)
My guess is that the "header forgery" might be caused by inconsistency
between the browser's DNS cache, my client's DNS cache (Win 7) and the DNS cache
on the device running squid. As practically all these "header forgeries"
are for ad-networks, I consider it only an annoyance. Or is it _not_?
--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
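An added example (my own, not from the post or from the Squid project) that parses the paired SECURITY ALERT lines above and checks each intercepted destination address against the proxy host's own current resolution of the name: a destination that now appears in the proxy's answers points to transient cache skew between client and proxy, one that is still absent is worth a closer look. The log lines and the RESOLVED_NOW answers are constructed for the demo; a live version could fill that map from socket.getaddrinfo().

```python
import re
from collections import Counter

# Constructed sample in the format of the cache.log lines quoted in the post.
SAMPLE_LOG = """\
2018/10/09 12:40:18 kid1| SECURITY ALERT: Host header forgery detected on local=212.95.165.32:443 remote=192.168.182.3:51304 FD 36 flags=33 (local IP does not match any domain IP)
2018/10/09 12:40:18 kid1| SECURITY ALERT: on URL: b.scorecardresearch.com:443
2018/10/09 12:40:28 kid1| SECURITY ALERT: Host header forgery detected on local=104.193.83.156:443 remote=192.168.182.3:51400 FD 183 flags=33 (local IP does not match any domain IP)
2018/10/09 12:40:28 kid1| SECURITY ALERT: on URL: csm2waycm-atl.netmng.com:443
2018/10/09 12:40:28 kid1| SECURITY ALERT: Host header forgery detected on local=104.193.83.156:443 remote=192.168.182.3:51402 FD 226 flags=33 (local IP does not match any domain IP)
2018/10/09 12:40:28 kid1| SECURITY ALERT: on URL: csm2waycm-atl.netmng.com:443
"""

# Constructed: what the proxy host itself resolves each name to right now.
RESOLVED_NOW = {
    "b.scorecardresearch.com": {"212.95.165.32", "212.95.165.33"},  # dst present
    "csm2waycm-atl.netmng.com": {"198.51.100.7"},                   # dst absent
}

DETECT_RE = re.compile(r"forgery detected on local=(?P<dst>[\d.]+):\d+ remote=(?P<src>[\d.]+):\d+")
URL_RE = re.compile(r"SECURITY ALERT: on URL: (?P<host>[^:\s]+)")

def parse_forgery_alerts(text):
    """Pair each 'forgery detected' line with the 'on URL' line that follows it."""
    alerts, pending = [], None
    for line in text.splitlines():
        m = DETECT_RE.search(line)
        if m:
            pending = {"dst": m["dst"], "src": m["src"]}
            continue
        m = URL_RE.search(line)
        if m and pending is not None:
            pending["host"] = m["host"]
            alerts.append(pending)
            pending = None
    return alerts

def classify(alerts, resolved):
    """Label each alert with the proxy's own current answers for the host:
    'transient-skew' if dst is among them (caches merely disagreed at the time),
    'persistent-mismatch' if it is still absent, 'unresolved' if no answer."""
    out = []
    for a in alerts:
        ips = resolved.get(a["host"])
        if ips is None:
            verdict = "unresolved"
        elif a["dst"] in ips:
            verdict = "transient-skew"
        else:
            verdict = "persistent-mismatch"
        out.append((a["host"], a["dst"], a["src"], verdict))
    return out

def summarize(classified):
    """Count alerts per (host, verdict) so recurring hosts stand out."""
    return Counter((host, verdict) for host, _, _, verdict in classified)

if __name__ == "__main__":
    for row in classify(parse_forgery_alerts(SAMPLE_LOG), RESOLVED_NOW):
        print(*row)
```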