[squid-users] SQUID with cache_peer config + E2guardian - too many connections

Amos Jeffries squid3 at treenet.co.nz
Wed Jul 29 02:50:11 UTC 2020


On 29/07/20 1:07 pm, Contato - KONNTROL wrote:
> Hello Everyone,
> Greetings.
> 
> Background:
> OS - FreeBSD 12.1
> SQUID ver 4.10
> OpenSSL 1.0.2u
> 
> I am trying to use SQUID in front of E2Guardian (content filter) with the
> following configuration at the SQUID side.
> 
> ###
> cache_peer 127.0.0.1 parent 8080 0 login=*:password
> client_persistent_connections on
> always_direct deny all
> never_direct allow all
> ###
> 
> It works fine until Squid exhausts all E2Guardian threads/workers,
> no matter how many you set. If 1000, Squid opens 1000 connections. If
> 10,000, Squid also opens 10,000 connections.
> I tried the directive "client_persistent_connections" both on and off with no
> success.
> Even using a single browser for testing purposes, for some reason Squid
> opens thousands of connections against the E2Guardian.
> I did a Wireshark capture to "see" what is happening, and it seems like a
> lot of SYN/ACK with no payload.
> 
> Any idea? Maybe I am using a wrong configuration.
> 

You are. BUT, I think you have a forwarding loop happening so the
correct config for limiting connections will not help.

You should be able to test for loops by enabling the Via header. If your
squid.conf contains "via off", remove that line. Assuming e2g is not
removing that header, Squid will reject loops with an error message.


Check that the traffic leaving e2g is not going back into Squid. With
the setup described e2g should be connecting directly to
upstream/Internet servers - it should have no settings about Squid
except those for processing the X-Forwarded-For header.

If you are intercepting traffic to deliver it to Squid make sure the
connections leaving e2g are not being caught by those firewall rules.


If you are certain there is no loop the cache_peer max-conn=N is the way
to limit the connections made to a peer. This will only help if the
problem is high traffic flow. It will not help if there is a forwarding
loop happening.


> By the way, I am using Squid in front of E2Guardian because I use Kerberos
> authentication (not supported by E2Guardian) with the FORWARDX option enabled.
> 

Sure. You may want to look at the features of e2g you are using and see
whether Squid can do them instead. The idea there being to make deny
decisions as early as possible, to minimize the total amount of processing
work those transactions consume.
You may find you can get rid of e2g entirely, which will improve
overall performance and reduce management headaches from layers of proxy.


Cheers
Amos
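An added example (not from Amos, the poster, or the Squid project) of the squid.conf shape the reply describes: Via left on so a looped request is rejected, and max-conn= as the per-peer connection cap once a loop has been ruled out. The hostname, the cap value of 64, and the sockstat/curl checks in the comments are assumptions for illustration; the peer address, port and login= are taken from the original post.

```conf
# Added example squid.conf fragment, not from the thread.
# Assumed: e2guardian listens on 127.0.0.1:8080, a cap of 64 peer connections,
# and the hostname squid-front.example.internal.

# Keep Via on (it is the default, so only an explicit "via off" needs removing).
# Squid appends its own hostname to the Via header of every request it
# forwards; if that request arrives back at Squid still carrying the name,
# Squid answers with a forwarding-loop error instead of opening one more
# connection to the peer. That is the loop test the reply describes.
via on
# Give this instance a distinct name so the Via check is unambiguous when
# more than one proxy shares a visible_hostname (assumed value).
unique_hostname squid-front.example.internal

# Send everything to e2guardian and never go direct.
# no-query / no-digest: e2guardian is a filter, not a cache, so skip ICP and
#   cache-digest traffic to it.
# max-conn=64: hard cap on concurrent connections Squid opens to this peer
#   (idle and standby ones included). With never_direct there is no other
#   path, so requests beyond the cap fail rather than queue. This only
#   helps against genuine load; a forwarding loop will still fill the cap.
cache_peer 127.0.0.1 parent 8080 0 no-query no-digest max-conn=64 login=*:password
never_direct allow all
always_direct deny all

# Note: client_persistent_connections controls the browser-facing side only.
# The Squid-to-peer side is governed by server_persistent_connections
# (default on), which is the one worth leaving on to reuse peer connections.
server_persistent_connections on

# Checks (run on the FreeBSD host, assumed commands, not squid.conf):
#   sockstat -4 -c | grep ':8080' | wc -l
#     counts established sockets to the peer; it should stay at or below 64.
#   curl -v -x http://127.0.0.1:3128/ http://example.com/ 2>&1 | grep -i '^< Via'
#     shows the Via hops of the response; Squid's name should appear once,
#     and a loop shows up instead as a Squid error page.
# On the e2guardian side, the upstream-proxy setting must not point back at
# Squid's listening port, and any intercept/redirect firewall rules must
# exclude connections originating from e2guardian itself.
```

The squid.conf on the page already forces all traffic to the peer; the additions here are the explicit Via/unique_hostname lines, the peer options, and the cap. Apply max-conn= only after the loop test passes, because under a loop the cap merely changes how quickly the error appears, not whether it does.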

