[squid-users] Squid Proxy timing out 500/503 errors
Yvain PAYEN
yvain.payen at tessi.fr
Fri Mar 8 14:06:00 UTC 2024
Hi Anitha,
Please check with "cat /proc/(pid)/limits" the Max open files limit for your squid process.
You can also use "squidclient mgr:info" to display File descriptor usage by squid.
Regards,
Yvain PAYEN
Tessi France
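As an added example (not part of Yvain's reply or of Squid itself), a small Python script that automates the first check above: it parses the "Max open files" row of /proc/<pid>/limits and compares it with the max_filedescriptors value from squid.conf (64000 in the posted file). It assumes Squid's usual startup behaviour of raising its own soft limit toward max_filedescriptors but never above the hard limit it inherited, so the effective budget is the smaller of the hard limit and the configured value. The limits text below is constructed to look like the kernel's output; the numbers are invented.

```python
import re
from pathlib import Path

# Constructed sample of /proc/<pid>/limits, shaped like the kernel's output.
# The numbers are invented for this example; a real check reads the live file.
SAMPLE_LIMITS = """\
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max file size             unlimited            unlimited            bytes
Max open files            1024                 4096                 files
Max processes             63421                63421                processes
"""

_OPEN_FILES_RE = re.compile(r"^Max open files\s+(\S+)\s+(\S+)", re.MULTILINE)


def parse_max_open_files(limits_text):
    """Return (soft, hard) from /proc/<pid>/limits text; None stands for 'unlimited'."""
    m = _OPEN_FILES_RE.search(limits_text)
    if not m:
        raise ValueError("no 'Max open files' row found")

    def to_int(field):
        return None if field == "unlimited" else int(field)

    return to_int(m.group(1)), to_int(m.group(2))


def check_fd_budget(limits_text, max_filedescriptors):
    """Compare the process limits with squid.conf's max_filedescriptors.

    Assumption (Squid startup behaviour): Squid raises its soft limit toward
    max_filedescriptors but cannot exceed the inherited hard limit, so the
    effective budget is min(hard, configured). A soft limit still below that
    budget hints that the raise did not happen (e.g. limit changed after start).
    """
    soft, hard = parse_max_open_files(limits_text)
    effective = max_filedescriptors if hard is None else min(hard, max_filedescriptors)
    return {
        "soft": soft,
        "hard": hard,
        "configured": max_filedescriptors,
        "effective": effective,
        "capped_by_hard_limit": hard is not None and hard < max_filedescriptors,
        "soft_below_effective": soft is not None and soft < effective,
    }


def read_live_limits(pid):
    """Read the limits of a running process (Linux only); pid is Squid's PID."""
    return Path(f"/proc/{pid}/limits").read_text()


if __name__ == "__main__":
    import sys

    configured = 64000  # the max_filedescriptors value from the posted squid.conf
    text = read_live_limits(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LIMITS
    r = check_fd_budget(text, configured)
    print(f"soft={r['soft']} hard={r['hard']} configured={r['configured']} "
          f"effective={r['effective']}")
    if r["capped_by_hard_limit"]:
        print("max_filedescriptors is capped by the hard limit; raise it where Squid "
              "is started (LimitNOFILE= for a systemd unit) and restart Squid")
    if r["soft_below_effective"]:
        print("soft limit is below the effective budget; Squid may not have raised it")
```

Run it with the Squid PID as the first argument to read the live file; with no argument it evaluates the constructed sample, where a hard limit of 4096 caps the configured 64000. After raising the limit and restarting Squid, re-check both the limits file and the "File descriptor usage" section of squidclient mgr:info.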
-----Original Message-----
From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of M, Anitha (CSS)
Sent: Thursday, March 7, 2024 18:20
To: Amos Jeffries <squid3 at treenet.co.nz>; squid-users at lists.squid-cache.org
Cc: Gopalsamy, Seetharam <seetharam.gopalsamy at hpe.com>; Ambikapathy, Baskaran <baskaran.ambikapathy at hpe.com>; TS, Savitha <savitha.ts at hpe.com>
Subject: Re: [squid-users] Squid Proxy timing out 500/503 errors
⚠ This message comes from outside the organization. Do not open links or attachments unless you know the content is trustworthy. ⚠
Hi Team,
Thanks for the quick response.
We have cleaned up the squid configuration file as per the below feedback.
Please review the file below.
Please note, even with the changes below we still have 503/500 errors when squid is loaded with 300+ requests. It would really help if you have any other insights on this issue.
=======================================
# Recommended minimum configuration:
acl localnet src 172.28.1.0/24
acl localnet src 172.28.4.0/24
acl localnet src 172.28.0.0/24
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.28.11.0/24
acl localnet src 172.16.117.0/24
acl localnet src 20.20.30.0/21
acl parent_proxy_exclude dst 20.20.30.0/21
acl servicenet dst 172.28.4.0/24
#acl parent_proxy_exclude_ST0100 dst 20.20.30.222/22
#always_direct allow parent_proxy_exclude_ST0100
always_direct allow parent_proxy_exclude
always_direct allow servicenet
acl blocksites url_regex "/etc/squid/blocksites"
http_access deny blocksites
#debug_options ALL,5
acl SSL_ports port 443
acl SSL_ports port 8071
acl SSL_ports port 11052
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 53 # pdns
acl Safe_ports port 5300 # pdns
acl Safe_ports port 123 #NTP
acl Safe_ports port 8071
acl Safe_ports port 11052 # pdns web server
acl Safe_ports port 514 # rsyslog
acl Safe_ports port 8200
acl SSL_ports port 8053
acl Safe_ports port 8053
acl SSL_ports port 3002
acl Safe_ports port 3002
acl SSL_ports port 3006
acl Safe_ports port 3006
acl SSL_ports port 8203
acl Safe_ports port 8203
acl SSL_ports port 8204
acl Safe_ports port 8204
acl SSL_ports port 8099
acl SSL_ports port 8099
acl SSL_ports port 8282
acl Safe_ports port 8282
acl SSL_ports port 8200
acl Safe_ports port 8200
acl CONNECT method CONNECT
tcp_outgoing_address 20.20.30.3
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
cache_peer proxy-in.its.hpecorp.net parent 443 0 no-query default
acl parent_proxy src all
http_access allow parent_proxy
never_direct allow parent_proxy
# Squid normally listens to port 3128
http_port 3128
# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
dns_nameservers 172.28.0.121 16.110.135.52
max_filedescriptors 64000
cache_dir ufs /var/cache/squid 8192 16 256
cache_mem 2096 MB
cache_swap_high 95
cache_swap_low 90
ftp_passive on
maximum_object_size 4096 MB
memory_replacement_policy lru
minimum_object_size 0 KB
=========================================
Regards,
Anitha.
-----Original Message-----
From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of Amos Jeffries
Sent: Wednesday, March 6, 2024 1:07 PM
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Squid Proxy timing out 500/503 errors
On 6/03/24 07:23, M, Anitha (CSS) wrote:
> Hi team,
>
> We are using squid service deployed as a KVM VM on SLES 15 Sp5 os image.
>
> We are using the squid RPM: squid-5.7-150400.3.20.1.x86_64
>
> We are seeing too many 503 errors with this version of squid.
>
> This is the squid configuration file. Please review it and let us know if
> there are any issues.
>
It appears that your configuration file consists of at least 2 different configuration files appended to each other.
Please start by running "squid -k parse" and fixing all the warnings it should produce.
> We are performing squid scale testing, where every second there will be
> 200+ requests reaching squid, and squid is spitting out 500/503 errors.
>
FYI: you have restricted Squid to no more than 3200 filedescriptors.
That is rather low. I recommend at least 64K.
> Squid.conf:
>
> gl-pcesreblr-squidproxy03:/var/log/squid # cat /etc/squid/squid.conf
> # Recommended minimum configuration:
> acl localnet src 172.28.1.0/24
> acl localnet src 172.28.4.0/24
> acl localnet src 172.28.0.0/24
> acl localnet src 172.28.0.12/32
> connect_timeout 120 seconds
> connect_retries 10
> #debug_options ALL,5
> #connect_retries_delay 5 seconds
> acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
> acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
> acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
> acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
> acl localnet src 172.28.11.0/24
> #acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
> #acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
> #acl localnet src fc00::/7 # RFC 4193 local private network range
> #acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
>
> acl blocksites url_regex "/etc/squid/blocksites"
> http_access deny blocksites
>
> debug_options ALL,7
>
> acl SSL_ports port 443
> acl SSL_ports port 8071
> acl SSL_ports port 11052
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 53 # pdns
> acl Safe_ports port 5300 # pdns
> acl Safe_ports port 123 #NTP
> acl Safe_ports port 8071
> acl Safe_ports port 11052 # pdns web server
> acl Safe_ports port 514 # rsyslog
> acl CONNECT method CONNECT
> acl SSL_ports port 8053
> acl Safe_ports port 8053
> acl SSL_ports port 3002
> acl Safe_ports port 3002
> acl SSL_ports port 3006
> acl Safe_ports port 3006
> acl SSL_ports port 8203
> acl Safe_ports port 8203
> acl SSL_ports port 8204
> acl Safe_ports port 8204
> acl SSL_ports port 8071
> acl Safe_ports port 8071
> acl Safe_ports port 8200
> acl SSL_ports port 8099
> acl Safe_ports port 8099
> tcp_outgoing_address 20.20.30.5
>
> #
> # Recommended minimum Access Permission configuration:
> #
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
>
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
>
> # Only allow cachemgr access from localhost
> http_access allow localhost manager
> http_access deny manager
>
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> #http_access deny to_localhost
>
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS #
Please notice what the above line says.
>
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow localnet
> http_access allow localhost
>
> # And finally deny all other access to this proxy
> #http_access deny all
> #http_access allow all
>
> cache_peer proxy-in.its.hpecorp.net parent 443 0 no-query no-delay default
... so a server listening for plain-text HTTP on port 443. That is a bit broken. At least consider enabling TLS/SSL on connections to this peer so Squid can send it HTTPS traffic.
> #cache_peer 16.242.46.11 parent 8080 0 no-query default
> #cache_peer 10.132.100.29 parent 3128 0 no-query default
>
> acl parent_proxy src all
> http_access allow parent_proxy
The above two lines are identical to:
http_access allow all
... no http_access lines following this one will ever have any effects.
> never_direct allow parent_proxy
Likewise same as:
never_direct allow all
... however you have always_direct rules later that override this.
>
> # Squid normally listens to port 3128
> http_port 3128
>
> # Leave coredumps in the first cache dir
> coredump_dir /var/cache/squid
>
> #
> # Add any of your own refresh_pattern entries above these.
> #
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
> dns_nameservers 172.28.0.121 16.110.135.52
>
> max_filedescriptors 3200
> cache_dir ufs /var/cache/squid 8192 16 256 cache_mem 2096 MB
> cache_swap_high 95 cache_swap_low 90 ftp_passive on
> maximum_object_size 4096 MB memory_replacement_policy lru
> minimum_object_size 0 KB
>
At this point your file just starts repeating rules, with different settings. Some of these replace the above settings, some append to them, and some have no effect due to earlier rules.
> # Recommended minimum configuration:
> acl localnet src 172.28.4.0/24
> acl localnet src 172.28.0.0/24
> acl localnet src 172.28.1.0/24 # OOBM Network outbound access
> #acl HOGAN dst hogan.nimblestorage.com
> acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
> acl blocksites url_regex "/etc/squid/blocksites"
> http_access deny blocksites
> acl SSL_ports port 443
> acl SSL_ports port 8071
> acl SSL_ports port 11052
> acl SSL_ports port 8200
> acl SSL_ports port 8282
> acl Safe_ports port 8282
> #acl HOGAN_port port 2222 # hogan.nimblestorage.com:2222 SSH support tunnel
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> acl localnet src 172.16.117.0/24
> http_access allow localnet
> http_access allow localhost
> #http_access allow HOGAN HOGAN_port
> acl localnet src 20.20.30.0/21
> acl parent_proxy_exclude dst 20.20.30.0/21
> acl parent_proxy_exclude_ST0100 dst 20.20.30.222/22
> always_direct allow parent_proxy_exclude_ST0100
> acl servicenet dst 172.28.4.0/24
> always_direct allow parent_proxy_exclude
> always_direct allow servicenet
>
HTH
Amos
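An added example, not part of the thread and not Squid's own tooling: a small Python lint that mechanises the two points Amos makes above. It flags an ACL of type src whose argument is all as equivalent to the built-in all, reports every http_access line that follows the first unconditional allow or deny as unreachable, and reports a later repeat of a single-valued directive such as max_filedescriptors, which is what a second configuration file appended to the first looks like. The sample configuration, the list of directives treated as single-valued and the host name proxy.example.invalid are constructed for the example; squid -k parse remains the authoritative check.

```python
# Constructed squid.conf excerpt shaped like the one criticised in the thread:
# an ACL that matches every client source, an unconditional allow, the closing
# "deny all" commented out, and a single-valued directive that appears twice.
SAMPLE_CONF = """\
# Recommended minimum configuration:
acl localnet src 10.0.0.0/8       # RFC 1918 local private network (LAN)
acl SSL_ports port 443
acl Safe_ports port 80            # http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
#http_access deny all
cache_peer proxy.example.invalid parent 443 0 no-query default
acl parent_proxy src all
http_access allow parent_proxy
never_direct allow parent_proxy
http_port 3128
max_filedescriptors 3200
# ... a second block of settings pasted after the first ...
max_filedescriptors 64000
http_access allow localnet
"""

# Directives this lint treats as single-valued (a later line replaces the earlier
# one, so a repeat usually means two files were appended). Assumption of the example.
SINGLE_VALUED = {
    "max_filedescriptors", "cache_mem", "cache_swap_high", "cache_swap_low",
    "maximum_object_size", "minimum_object_size", "memory_replacement_policy",
    "coredump_dir",
}


def _tokens(line):
    """Strip a trailing comment and split into whitespace-separated tokens."""
    return line.split("#", 1)[0].split()


def lint_squid_conf(text):
    """Return a list of (line_number, message) findings for a squid.conf text."""
    findings = []
    match_all_acls = {"all"}     # Squid's built-in 'all' ACL matches everything
    seen_single = {}             # directive -> line number of first occurrence
    first_unconditional = None   # line number of the first catch-all http_access
    for lineno, raw in enumerate(text.splitlines(), start=1):
        tok = _tokens(raw)
        if not tok:
            continue
        directive, args = tok[0], tok[1:]
        if directive == "acl" and len(args) >= 3:
            name, acl_type, values = args[0], args[1], args[2:]
            # 'src all' (or an all-zero prefix) matches every client address,
            # which is the same as the built-in 'all'.
            if acl_type == "src" and any(v in ("all", "0.0.0.0/0", "::/0") for v in values):
                match_all_acls.add(name)
                findings.append((lineno, f"acl '{name}' matches every client source; "
                                         f"it is equivalent to 'all'"))
        elif directive == "http_access" and len(args) >= 2:
            if first_unconditional is not None:
                findings.append((lineno, f"unreachable: an unconditional http_access on "
                                         f"line {first_unconditional} already decides every request"))
                continue
            terms = args[1:]
            # The rule is unconditional only if every term is a non-negated match-all ACL.
            if all(t in match_all_acls for t in terms):
                first_unconditional = lineno
        elif directive in SINGLE_VALUED:
            if directive in seen_single:
                findings.append((lineno, f"'{directive}' already set on line "
                                         f"{seen_single[directive]}; this line replaces it"))
            else:
                seen_single[directive] = lineno
    return findings


if __name__ == "__main__":
    import sys

    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for lineno, msg in lint_squid_conf(conf):
        print(f"line {lineno}: {msg}")
```

With a path argument it lints that file; without one it lints the constructed sample, reporting the catch-all ACL on line 14, the repeated max_filedescriptors on line 20 and the unreachable http_access on line 21. It only models the http_access ordering rule and plain src ACLs, so treat it as a pre-check before squid -k parse, not a replacement for it.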
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users