[GTER] SQUID squid-3.1.0.14 + TPROXY
servidores at futuro.usp.br
servidores at futuro.usp.br
Thu Nov 12 21:16:10 -02 2009
Manda o resultado de:
cat /proc/sys/fs/file-max
No squid.conf:
# coloque por enquanto
SQUID_MAXFD=4096
Depois pare o serviço do squid e inicie-o com a opção "-d 9" manda o
resultado.
E já verifica no log se pararam as msgs.
Abraço!
> Já olhei isto também, como pode ver com qualquer dos usuários mostra esta
> quantidade, que foi a mesmo que coloquei no configure do squid.
>
> id
> uid=13(proxy) gid=13(proxy) groups=13(proxy)
>
> ulimit -H -S -n
> 65535
>
>
> OBS: Não estou usando nenhum patch e não fiz nada de hardening de
> segurança,
> ta o basicao.
>
> 2009/11/12 <servidores at futuro.usp.br>
>
>> Aquele resultado de 65535 foi com o root não?
>>
>> Se sim roda a comando ulimit -n -H postado pelo Bruno com o usuario
>> "proxy" e mostra o resultado ;)
>>
>> Está bem estranho isso, vc utiliza algum patch do tipo grsecurity ou
>> alguma configuração de segurança a + ?
>>
>> > resultado do ps aux
>> >
>> > root 17590 0.0 0.0 34652 1808 ? Ss 16:20 0:00
>> > /usr/local/squid/sbin/squid
>> > proxy 17592 3.0 0.1 73700 18220 ? S 16:20 0:00
>> (squid)
>> > proxy 17593 0.0 0.0 15768 1028 ? S 16:20 0:00
>> (unlinkd)
>> >
>> >
>> > 2009/11/12 MARLON BORBA <MBORBA at trf3.jus.br>
>> >
>> >> hummm.. com que usuário ele deve rodá-lo?
>> >>
>> >> ;-)
>> >>
>> >>
>> >>
>> >> >>>Em 12/11/2009 às 17:13, Bruno Ayub <bruno.ayub at gmail.com> gravou:
>> >>
>> >> > Roda esse comando e retorna o resultado pra gente:
>> >> >
>> >> >
>> >> > ulimit -n -H
>> >> >
>> >> >
>> >> >
>> >> >
>> >> > 2009/11/12 Luzivan <luzivan at gmail.com>
>> >> >
>> >> >> Fiz todos estes ajustes... mas o problema dos FD continua.
>> >> >>
>> >> >> 2009/11/11 <servidores at futuro.usp.br>
>> >> >>
>> >> >> > Veja se ajuda:
>> >> >> > http://wiki.squid-cache.org/Features/Tproxy4
>> >> >> >
>> >> >> > Lembrando que apartir do kernel 2.6.28 à suporte nativo ao
>> TPROXY,
>> >> sem
>> >> >> > precisar de patchs.
>> >> >> >
>> >> >> > E a configuração do Squid torna-se bem simples como pode ser
>> visto
>> >> acima.
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> > > Meu camarada...
>> >> >> > >
>> >> >> > >
>> >> >> > > Não sei qual seu problema. Os colegas já fizeram as perguntas
>> >> que eu
>> >> >> > > faria.
>> >> >> > >
>> >> >> > > considerações:
>> >> >> > >
>> >> >> > > 1- Tem memória pra caramba no seu servidor. Se o sistema
>> >> operacional
>> >> >> não
>> >> >> > > for
>> >> >> > > 64bits, você vai ter dificuldade para usa-la.
>> >> >> > > 2- Essa apresentação me ajudou (muito) a customizar o squid. (
>> >> >> > >
>> >> >> >
>> >> >>
>> >> >
>> >>
>> >>
>> http://colab.interlegis.gov.br/attachment/wiki/EncontroGitec/squid.pdf?format
>> >>
>> >> > =txt
>> >> >> > > )
>> >> >> > > 3- Uso o Debian v5. Squid 2.7 instalado via apt.
>> >> >> > > 4- Boa sorte!
>> >> >> > >
>> >> >> > >
>> >> >> > > [ ]'s
>> >> >> > >
>> >> >> > >
>> >> >> > > 2009/11/11 davi peres <daviperes at gmail.com>
>> >> >> > >
>> >> >> > >> Sem. Cerca de 60
>> >> >> > >>
>> >> >> > >> Em 11/11/09, Luzivan<luzivan at gmail.com> escreveu:
>> >> >> > >> > Fiz o teste baixando de 12Gb para 1GB até, também fiz um
>> >> teste
>> >> >> > >> alterando
>> >> >> > >> de
>> >> >> > >> > diskd para aufs e ufs, mas nada, sempre o problema do FD
>> >> aparece.
>> >> >> > >> >
>> >> >> > >> > Perguntas (Davi)
>> >> >> > >> > 1) O seu squid também trabalha com o tproxy ?
>> >> >> > >> >
>> >> >> > >> > 2) Quantas conexoes simultâneas seu proxy trabalha ?
>> >> >> > >> >
>> >> >> > >> >
>> >> >> > >> > 2009/11/11 davi peres <daviperes at gmail.com>
>> >> >> > >> >
>> >> >> > >> >> maximum_object_size 512 MB
>> >> >> > >> >> minimum_object_size 0 KB
>> >> >> > >> >> ipcache_size 1024
>> >> >> > >> >> ipcache_low 90
>> >> >> > >> >> ipcache_high 95
>> >> >> > >> >> fqdncache_size 1024
>> >> >> > >> >> cache_mem 512 MB
>> >> >> > >> >> cache_dir ufs /servidores/squid/var/cache 512 20 256
>> >> >> > >> >>
>> >> >> > >> >> o meu ta assim. tem 4gb de mem. so por via de duvidas
>> tente
>> >> abaixar
>> >> >> > >> >> aqueles
>> >> >> > >> >> 12gb por que se nao me engano esta memoria eh
>> multiplicada.
>> >> >> > >> >>
>> >> >> > >> >>
>> >> >> > >> >> 2009/11/10 Luzivan <luzivan at gmail.com>
>> >> >> > >> >>
>> >> >> > >> >> > ######### SQUID CONF ###########
>> >> >> > >> >> >
>> >> >> > >> >> > http_port 3129 tproxy
>> >> >> > >> >> > httpd_suppress_version_string on
>> >> >> > >> >> > max_open_disk_fds 0
>> >> >> > >> >> > error_directory
>> /usr/local/squid/share/errors/Portuguese/
>> >> >> > >> >> > visible_hostname tempestade
>> >> >> > >> >> > cache_effective_user proxy
>> >> >> > >> >> > cache_effective_group proxy
>> >> >> > >> >> > debug_options ALL,1
>> >> >> > >> >> > logfile_rotate 7
>> >> >> > >> >> > client_db off
>> >> >> > >> >> > icp_port 0
>> >> >> > >> >> > ipcache_size 1024
>> >> >> > >> >> > cache_mem 12 GB
>> >> >> > >> >> > cache_swap_low 90
>> >> >> > >> >> > cache_swap_high 95
>> >> >> > >> >> > maximum_object_size 5 MB
>> >> >> > >> >> > maximum_object_size_in_memory 1 MB
>> >> >> > >> >> > minimum_object_size 0 KB
>> >> >> > >> >> > cache_dir diskd /cache/spool/squid3 1300000 16 256 Q1=64
>> >> Q2=72
>> >> >> > >> >> >
>> >> >> > >> >> > cache_dir diskd /cache/spool/squid3 1300000 16 256 Q1=64
>> >> Q2=72
>> >> >> > >> >> >
>> >> >> > >> >> > coredump_dir /cache/spool/squid3
>> >> >> > >> >> > cache_log /cache/log/squid3/cache.log
>> >> >> > >> >> > cache_store_log /cache/log/squid3/store.log
>> >> >> > >> >> > access_log /cache/log/squid3/access.log squid
>> >> >> > >> >> >
>> >> >> > >> >> > acl manager proto cache_object
>> >> >> > >> >> > acl localhost src 127.0.0.1/32
>> >> >> > >> >> > acl to_localhost dst 127.0.0.0/8
>> >> >> > >> >> >
>> >> >> > >> >> > cache_replacement_policy heap LFUDA
>> >> >> > >> >> > half_closed_clients off
>> >> >> > >> >> >
>> >> >> > >> >> > uri_whitespace encode
>> >> >> > >> >> > strip_query_terms on
>> >> >> > >> >> > ie_refresh on
>> >> >> > >> >> >
>> >> >> > >> >> > acl SSL_ports port 443
>> >> >> > >> >> > acl Safe_ports port 80 # http
>> >> >> > >> >> > acl Safe_ports port 21 # ftp
>> >> >> > >> >> > acl Safe_ports port 443 # https
>> >> >> > >> >> > acl Safe_ports port 70 # gopher
>> >> >> > >> >> > acl Safe_ports port 210 # wais
>> >> >> > >> >> > acl Safe_ports port 1025-65535 # unregistered ports
>> >> >> > >> >> > acl Safe_ports port 280 # http-mgmt
>> >> >> > >> >> > acl Safe_ports port 488 # gss-http
>> >> >> > >> >> > acl Safe_ports port 591 # filemaker
>> >> >> > >> >> > acl Safe_ports port 777 # multiling http
>> >> >> > >> >> > acl CONNECT method CONNECT
>> >> >> > >> >> >
>> >> >> > >> >> > http_access allow localhost
>> >> >> > >> >> > http_access allow all
>> >> >> > >> >> >
>> >> >> > >> >> > ########## FIM SQUID CONF #############
>> >> >> > >> >> >
>> >> >> > >> >> > 1) Estou compilando para usar com o TPROXY, poder usar
>> >> diskd ou
>> >> >> > >> aufs
>> >> >> > >> >> >
>> >> >> > >> >> > 2) Distro Debian 5.0 R3 com Kernal 2.6.30.4
>> >> >> > >> >> >
>> >> >> > >> >> >
>> >> >> > >> >> > 2009/11/10 Fabio Donizete Mantesso Machado <
>> >> >> > >> fabiomantesso at superig.com.br
>> >> >> > >> >> >
>> >> >> > >> >> >
>> >> >> > >> >> > > posta o seu squid.conf ai!
>> >> >> > >> >> > > qual distro voce usa? qual a necessidade de compilar o
>> >> mesmo?
>> >> >> > >> >> > >
>> >> >> > >> >> > > 2009/11/10 Luzivan <luzivan at gmail.com>
>> >> >> > >> >> > >
>> >> >> > >> >> > > > As config de memória estão assim:
>> >> >> > >> >> > > >
>> >> >> > >> >> > > > ipcache_size 1024
>> >> >> > >> >> > > > cache_mem 12 GB
>> >> >> > >> >> > > > cache_swap_low 90
>> >> >> > >> >> > > > cache_swap_high 95
>> >> >> > >> >> > > > maximum_object_size 5 MB
>> >> >> > >> >> > > > maximum_object_size_in_memory 1 MB
>> >> >> > >> >> > > > minimum_object_size 0 KB
>> >> >> > >> >> > > >
>> >> >> > >> >> > > > cache_dir diskd /cache/spool/squid3 1300000 16 256
>> >> Q1=64
>> >> >> Q2=72
>> >> >> > >> >> > > >
>> >> >> > >> >> > > > OBS: Este servidor tem 16GB de memória
>> >> >> > >> >> > > >
>> >> >> > >> >> > > > 2009/11/9 davi peres <daviperes at gmail.com>
>> >> >> > >> >> > > >
>> >> >> > >> >> > > > > Ainda acho melhor você consultar sua configuração
>> >> de
>> >> >> memória
>> >> >> > >> >> > > > >
>> >> >> > >> >> > > > > Em 09/11/09, Luzivan<luzivan at gmail.com> escreveu:
>> >> >> > >> >> > > > > > para o squid reconhercer tive que alterar no
>> >> >> > >> >> > > /etc/security/limits.conf
>> >> >> > >> >> > > > > >
>> >> >> > >> >> > > > > > * - nofile 65535
>> >> >> > >> >> > > > > >
>> >> >> > >> >> > > > > > agora quando consulto das duas formas mostra a
>> >> quantidade
>> >> >> > >> do
>> >> >> > >> >> > > > limits.conf
>> >> >> > >> >> > > > > >
>> >> >> > >> >> > > > > >
>> >> >> > >> >> > > > > > squidclient -p 3129 mgr:info | grep descriptors
>> >> >> > >> >> > > > > > Maximum number of file descriptors: 65536
>> >> >> > >> >> > > > > > Available number of file descriptors: 65526
>> >> >> > >> >> > > > > > Reserved number of file descriptors: 100
>> >> >> > >> >> > > > > >
>> >> >> > >> >> > > > > > cat /cache/log/squid3/cache.log | grep
>> >> descriptors
>> >> >> > >> >> > > > > > 2009/11/09 15:41:15| With 65536 file descriptors
>> >> >> available
>> >> >> > >> >> > > > > >
>> >> >> > >> >> > > > > > *mais tarde vou colocar em operação e ver o qua
>> >> acontece.
>> >> >> > >> >> > > > > >
>> >> >> > >> >> > > > > > 2009/11/8 Bruno L F Cabral
>> >> <bruno at openline.com.br>
>> >> >> > >> >> > > > > >
>> >> >> > >> >> > > > > >> >> Veja como está no SO.
>> >> >> > >> >> > > > > >> > ulimit -a proxy
>> >> >> > >> >> > > > > >> > open files (-n) 8192
>> >> >> > >> >> > > > > >> ------------------------------------------
>> >> >> > >> >> > > > > >>
>> >> >> > >> >> > > > > >> Tente aumentar antes de iniciar o squid e veja
>> se
>> >> ajuda.
>> >> >> > >> >> > > > > >>
>> >> >> > >> >> > > > > >> !3runo Cabral
>> >> >> > >> >> > > > > >> --
>> >> >> > >> >> > > > > >> gter list
>> >> >> > https://eng.registro.br/mailman/listinfo/gter
>> >> >> > >> >> > > > > >>
>> >> >> > >> >> > > > > >
>> >> >> > >> >> > > > > >
>> >> >> > >> >> > > > > >
>> >> >> > >> >> > > > > > --
>> >> >> > >> >> > > > > > [Luzivan ;]
>> >> >> > >> >> > > > > > "O caminho do sucesso está sempre em construção"
>> >> >> > >> >> > > > > > --
>> >> >> > >> >> > > > > > gter list
>> >> >> https://eng.registro.br/mailman/listinfo/gter
>> >> >> > >> >> > > > > >
>> >> >> > >> >> > > > >
>> >> >> > >> >> > > > > --
>> >> >> > >> >> > > > > Enviado do meu celular
>> >> >> > >> >> > > > > --
>> >> >> > >> >> > > > > gter list
>> >> https://eng.registro.br/mailman/listinfo/gter
>> >> >> > >> >> > > > >
>> >> >> > >> >> > > >
>> >> >> > >> >> > > >
>> >> >> > >> >> > > >
>> >> >> > >> >> > > > --
>> >> >> > >> >> > > > [Luzivan ;]
>> >> >> > >> >> > > > "O caminho do sucesso está sempre em construção"
>> >> >> > >> >> > > > --
>> >> >> > >> >> > > > gter list
>> >> https://eng.registro.br/mailman/listinfo/gter
>> >> >> > >> >> > > >
>> >> >> > >> >> > > --
>> >> >> > >> >> > > gter list
>> >> https://eng.registro.br/mailman/listinfo/gter
>> >> >> > >> >> > >
>> >> >> > >> >> >
>> >> >> > >> >> >
>> >> >> > >> >> >
>> >> >> > >> >> > --
>> >> >> > >> >> > [Luzivan ;]
>> >> >> > >> >> > "O caminho do sucesso está sempre em construção"
>> >> >> > >> >> > --
>> >> >> > >> >> > gter list
>> https://eng.registro.br/mailman/listinfo/gter
>> >>
>> >> >> > >> >> >
>> >> >> > >> >> --
>> >> >> > >> >> gter list https://eng.registro.br/mailman/listinfo/gter
>> >> >> > >> >>
>> >> >> > >> >
>> >> >> > >> >
>> >> >> > >> >
>> >> >> > >> > --
>> >> >> > >> > [Luzivan ;]
>> >> >> > >> > "O caminho do sucesso está sempre em construção"
>> >> >> > >> > --
>> >> >> > >> > gter list https://eng.registro.br/mailman/listinfo/gter
>> >> >> > >> >
>> >> >> > >>
>> >> >> > >> --
>> >> >> > >> Enviado do meu celular
>> >> >> > >> --
>> >> >> > >> gter list https://eng.registro.br/mailman/listinfo/gter
>> >> >> > >>
>> >> >> > >
>> >> >> > >
>> >> >> > >
>> >> >> > > --
>> >> >> > > Bruno Ayub.
>> >> >> > > --
>> >> >> > > gter list https://eng.registro.br/mailman/listinfo/gter
>> >> >> > >
>> >> >> >
>> >> >> >
>> >> >> > --
>> >> >> > gter list https://eng.registro.br/mailman/listinfo/gter
>> >> >> >
>> >> >>
>> >> >>
>> >> >>
>> >> >> --
>> >> >> [Luzivan ;]
>> >> >> "O caminho do sucesso está sempre em construção"
>> >> >> --
>> >> >> gter list https://eng.registro.br/mailman/listinfo/gter
>> >> >>
>> >> >
>> >>
>> >> --
>> >>
>> >> Abraços,
>> >>
>> >> Marlon Borba, CISSP, APC DataCenter Associate
>> >> Técnico Judiciário · Segurança da Informação
>> >> IPv6 Evangelist · Moreq-Jus Evangelist
>> >> Comissão Local de Resposta a Incidentes - CLRI
>> >> TRF 3 Região
>> >> (11) 3012-1581
>> >> --
>> >> Follow me on Twitter!
>> >> twitter.com/mborba
>> >> --
>> >>
>> >> --
>> >> gter list https://eng.registro.br/mailman/listinfo/gter
>> >>
>> >
>> >
>> >
>> > --
>> > [Luzivan ;]
>> > "O caminho do sucesso está sempre em construção"
>> > --
>> > gter list https://eng.registro.br/mailman/listinfo/gter
>> >
>>
>>
>> --
>> gter list https://eng.registro.br/mailman/listinfo/gter
>>
>
>
>
> --
> [Luzivan ;]
> "O caminho do sucesso está sempre em construção"
> --
> gter list https://eng.registro.br/mailman/listinfo/gter
>
More information about the gter
mailing list