Thanks again, and sorry for the double post (I have reached the max size; I just
removed all comments from squid.conf from the previous mail).
We have some ACLs.
Our network is:
2 proxies for FTP (with antivirus)
2 proxies for the local LAN (we have many remote sites and just these 2 machines
have access to their firewall)
and these 4 proxies with squid, only for internet (there is no other
product running on them)
This is the full ACL; I have also attached the full config.
----------------------------------------------------------
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Tunnel_ports port 443-499
acl Tunnel_no_src src 10.253.0.0/16
acl Tunnel_method method CONNECT
acl Safe_ports port 80 # http
acl Safe_ports port 81 # http 2
acl Safe_ports port 21 # ftp
acl Safe_ports port 443-499 # https
acl Safe_ports port 1025-65535 # unregistered ports
acl clients src 10.0.0.0/8
acl clients src 172.16.0.0/12
acl clients src 192.168.0.0/16
acl clients src 194.218.0.0/19
acl locallan dst 10.253.0.0/16
acl locallan dst 194.218.2.0/23
acl proxylan dst 10.253.16.0/27
acl allowed_peer src 10.253.16.1
acl allowed_peer src 10.253.16.2
acl allowed_peer src 10.253.16.3
acl allowed_peer src 10.253.16.4
acl siteallow_url url_regex -i ^.{3,4}://.*\.public\.rupa\.it
acl siteallow_dst dst 194.218.2.160/27
acl siteallow_dst dst 10.253.64.0/24
acl siteallow_dst dst 10.253.16.0/27
acl dangurl urlpath_regex -i \.id[aq]\?.{100,} # CodeRED
acl dangurl urlpath_regex -i /readme\.(eml|nws|exe) # NIMDA
acl mgmtlan src 10.253.0.0/23
acl FTP proto FTP
acl SITIRUPA dst 194.218.0.0/19
acl SITIRUPA dst 10.0.0.0/8
acl SITIRUPA dst 172.16.0.0/16
acl LLPPProxy src 10.136.1.206
acl LLPPsicoge dst 194.218.14.15
#SNMP ACL
acl SNMPallow src 127.0.0.1/32
acl SNMPallow src 10.253.0.0/16
acl snmppublic snmp_community edsaipa
http_access allow allowed_peer
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access allow manager mgmtlan
http_access deny manager
http_access deny to_localhost
http_access deny !Safe_ports
http_access deny dangurl
http_access deny Tunnel_method Tunnel_no_src !Tunnel_ports
http_access allow siteallow_url
http_access allow siteallow_dst
http_access deny locallan
http_access allow LLPPsicoge LLPPProxy
http_access deny LLPPsicoge
http_access allow clients
http_access deny all
http_reply_access allow all
icp_access allow allowed_peer
icp_access deny all
cache_peer_access 194.218.2.8 allow FTP
cache_peer_access 194.218.2.20 allow SITIRUPA
cache_peer_access 194.218.2.20 deny all
cache_peer_access 10.253.16.1 deny SITIRUPA
cache_peer_access 10.253.16.1 allow all
cache_peer_access 10.253.16.2 deny SITIRUPA
cache_peer_access 10.253.16.2 allow all
cache_peer_access 10.253.16.3 deny SITIRUPA
cache_peer_access 10.253.16.3 allow all
#cache_peer_access 10.253.16.4 deny SITIRUPA
#cache_peer_access 10.253.16.4 allow all
always_direct allow proxylan
always_direct deny FTP
always_direct deny SITIRUPA
always_direct deny all
never_direct deny proxylan
never_direct allow SITIRUPA
----------------------------------------------------------
Duane Wessels wrote:
>
> On Fri, 19 Dec 2003, Giulio Cervera wrote:
>
>
>
>> thanks for your reply:
>>
>> I'm monitoring median_select_fds
>>
>> this morning with 150req/sec
>>
>> select_loops = 280.262863/sec
>> select_fds = 1502.051748/sec
>> average_select_fd_period = 0.000660/fd
>> median_select_fds = 3.984375
>>
>> this evening with 40req/sec
>>
>> select_loops = 383.217992/sec
>> select_fds = 457.205789/sec
>> average_select_fd_period = 0.001830/fd
>> median_select_fds = 0.000000
>>
>
>
> I assume that you see high 99% usage at 150 req/sec, and
> "okay" CPU usage at 40 req/sec.
>
> From the above numbers, it looks like the high CPU usage is not due to
> some stuck file descriptor.
>
> Was that the entire squid configuration that you sent? Or do you have
> some long ACL lists or something that could be causing the high CPU usage?
>
> Duane W.
>
>
>
--
Giulio Cervera
EDS PA SpA
Via Atanasio Soldati 80
00155 Roma (Italy)
tel: +39 06 22739 270
fax: +39 06 22739 233
e-mail: giulio.cervera@edspa.it

Received on Wed Jan 07 2004 - 02:29:27 MST