Bug#664051: squid3: Frequent DOS due to extreme memory consuption of Squid3

Thu, 15 Mar 2012 02:33:29 -0700 

Package: squid3
Version: 3.1.6-1.2+squeeze2
Severity: important


Our proxy serves some 300+ users. Recently we moved to Debian Squeeze with 
Squid 3, however are not satisfied with the performance at all: sometimes Squid 
3 process consumes over 5GB memory itself, so that with other services 
(Dansguardian, ClamAV), even 6GB of RAM is not enought and the machine starts 
swapping heavily (even over 2GB) and web pages stop being served (DOS). This 
happens few times per week. Usually the Squid 3 process is well over 3GB in 
size! Before, we used a Debian Lenny with Squid (2.x) and there has never been 
problem like this, despite machine having only 4GB of RAM. Now it seems that at 
least 8GB would be necessarry, however this is unacceptable and we consider 
switching back to Squid 2.x instead.

-- System Information:
Debian Release: 6.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=sk_SK.UTF-8, LC_CTYPE=sk_SK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages squid3 depends on:
ii  adduser            3.112+nmu2            add and remove users and groups
ii  libc6              2.11.3-2              Embedded GNU C Library: Shared lib
ii  libcap2            1:2.19-3              support for getting/setting POSIX.
ii  libcomerr2         1.41.12-4stable1      common error description library
ii  libdb4.8           4.8.30-2              Berkeley v4.8 Database Libraries [
ii  libexpat1          2.0.1-7               XML parsing C library - runtime li
ii  libgcc1            1:4.4.5-8             GCC support library
ii  libgssapi-krb5-2   1.8.3+dfsg-4squeeze5  MIT Kerberos runtime libraries - k
ii  libk5crypto3       1.8.3+dfsg-4squeeze5  MIT Kerberos runtime libraries - C
ii  libkrb5-3          1.8.3+dfsg-4squeeze5  MIT Kerberos runtime libraries
ii  libldap-2.4-2      2.4.23-7.2            OpenLDAP libraries
ii  libltdl7           2.2.6b-2              A system independent dlopen wrappe
ii  libpam0g           1.1.1-6.1+squeeze1    Pluggable Authentication Modules l
ii  libsasl2-2         2.1.23.dfsg1-7        Cyrus SASL - authentication abstra
ii  libstdc++6         4.4.5-8               The GNU Standard C++ Library v3
ii  libxml2            2.7.8.dfsg-2+squeeze3 GNOME XML library
ii  logrotate          3.7.8-6               Log rotation utility
ii  lsb-base           3.2-23.2squeeze1      Linux Standard Base 3.2 init scrip
ii  netbase            4.45                  Basic TCP/IP networking system
ii  squid3-common      3.1.6-1.2+squeeze2    A full featured Web Proxy cache (H

squid3 recommends no packages.

Versions of packages squid3 suggests:
pn  resolvconf                    <none>     (no description available)
pn  smbclient                     <none>     (no description available)
pn  squid-cgi                     <none>     (no description available)
pn  squidclient                   <none>     (no description available)

-- Configuration Files:
/etc/logrotate.d/squid3 changed:
/var/log/squid/*.log {
        daily
        compress
        delaycompress
        rotate 7
        missingok
        nocreate
        sharedscripts
        postrotate
                test ! -e /var/run/squid3.pid || /usr/sbin/squid3 -k rotate
        endscript
}

/etc/squid3/squid.conf changed:
acl manager proto cache_object
acl localhost src 127.0.0.1/32 195.80.161.10/32 10.6.0.4/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
follow_x_forwarded_for allow localhost
follow_x_forwarded_for deny all
http_access allow localnet
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localhost
http_access deny all
http_port 127.0.0.1:8080
http_port 10.6.0.4:8080
hierarchy_stoplist cgi-bin ?
maximum_object_size_in_memory 256 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_dir ufs /var/spool/squid 40000 16 256
maximum_object_size 740 MB
access_log /var/log/squid/access.log squid
log_mime_hdrs on
cache_log /var/log/squid/cache.log
coredump_dir /var/spool/squid3
ftp_list_width 48
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
quick_abort_max -1 KB
quick_abort_pct 90
store_avg_object_size 64 KB
request_header_access From deny all
request_header_access Referer deny all
request_header_access Server deny all
cache_effective_group proxy
httpd_suppress_version_string on
delay_pools 5
err_html_text <a href="mailto:ad...@banskabystrica.sk> E-mail administratora 
</a>
dns_timeout 1 minutes
memory_pools off
memory_pools_limit 24 MB
forwarded_for truncate
acl work_time time M-F 7:00-17:00
acl weekend_time time A-S
acl fast_files url_regex -i .deb .nup .htm .html
acl slow_files url_regex -i .ftp .mp3 .zip .mov .mpeg .rar .avi .raw .wav .rm 
.qt .ram .iso .mpg .mpe .asf .ogg .wmv .wma .flv
acl documents url_regex -i .txt .pdf .doc .dot .xls .xlt .pps .ppt .rtf .sxw 
.stw .sxc .stc .sxi .sti .odt .ott .ods .ots .odp .otp .odg .otg  .js .jsp 
.jspx .css .png .gif
acl fast_domains_a dstdomain .banskabystrica.sk .slovenska.sk .virtualne.sk 
.katasterportal.sk .microsoft.com .windowsupdate.com fpdownload.macromedia.com 
.debian.org
acl fast_domains_b dstdomain eb.dexia.sk .corageo.sk .banskabystrica.eu 
mozilla2.mirrors.tds.net ftp-mozilla.netscape.com sunsite.rediris.es 
mozilla.isc.org ftp.linux.cz
acl fast_domains_c dstdomain .dashofer.sk download.opensuse.org .novell.com 
.mediacapitol.com .gisplan.sk .hp.com
acl fast_servers dst 195.28.70.134
acl slow_domains1 dstdomain .rapidshare.com .czshare.com .uloz.to .vimeo.com 
.megauploads.com .zenoswarbirdvideos.com .helldata.com .patricksaviation.com
delay_class 1 2
delay_parameters 1 1700000/2000000 1250000/1500000
delay_access 1 allow fast_files
delay_access 1 allow fast_domains_a
delay_access 1 allow fast_domains_b
delay_access 1 allow fast_servers
delay_access 1 deny all
delay_class 2 2
delay_parameters 2 250000/500000 100000/250000
delay_access 2 allow slow_files
delay_access 2 allow slow_domains1
delay_access 2 deny all
delay_class 3 2
delay_parameters 3 -1/-1 -1/-1
delay_access 3 allow weekend_time
delay_access 3 deny all
delay_class 4 2
delay_parameters 4 500000/830000 200000/500000
delay_access 4 allow work_time
delay_access 4 allow localhost
delay_access 4 allow fast_files
delay_access 4 allow documents
delay_access 4 deny all
delay_class 5 2
delay_parameters 5 833000/833000 500000/500000
delay_access 5 allow !work_time
delay_access 5 deny all


-- no debconf information



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Reply via email to