
Dotaz: pomaly squid

13.4.2011 13:50 g0mez
pomaly squid
Zdravim panove, jak jsem hledal, tak jsem hledal, ale nikde nemuzu najit pomoc s mym problemem. Provozuji na serveru Red Hat Enterprise Linux Server release 5.2 squid (squid-2.6.STABLE6-5.el5_1.3.x86_64) jako proxy server pro cca 600 uzivatelu. V posledni dobe jsem ale zacal pozorovat, ze squid vytezuje procesor na temer 99 %, a zaroven je podle testu na adsl.cz nebo dsl.cz rychlost me linky nekde na urovni 128 kbit (pomale nacitani stranek, nenacteni stranek, sekani inet radia...). Po restartu sluzby (/etc/init.d/squid restart) je CPU vytizene squidem nekde na 80 % a odezva od uvedenych serveru je nekde okolo 80 Mbit... Napada nekoho, kde bych mel hledat problem? Dekuji za jakoukoliv pomoc.

/etc/squid/squid.conf
# --- Listener, peering and cache sizing -------------------------------------
# Clients connect to the proxy on TCP 8080; ICP is switched off (port 0).
http_port 8080
icp_port 0
# NOTE(review): cache_store_log is set to "none" twice in this file (here and
# again after cache_log); the repeat is harmless but redundant.
cache_store_log none

httpd_accel_no_pmtu_disc on

ssl_unclean_shutdown on
# Two parent proxies on port 8080 with ICP port 0. "proxy-only" means objects
# fetched through them are not stored locally; XYZ1 is marked "default".
# The hostnames look redacted by the poster.
cache_peer XYZ1       parent    8080  0 proxy-only default
cache_peer XYZ2       parent    8080  0 proxy-only

connect_timeout 20 seconds
peer_connect_timeout 20 seconds

# NOTE(review): QUERY is defined but not referenced by any rule visible in
# this listing.
acl QUERY urlpath_regex cgi-bin \?

# NOTE(review): the poster reports 4GB of RAM, and "no_cache deny all" appears
# further down together with proxy-only parents, so little or nothing should
# be cached locally. A 2048 MB cache_mem then looks oversized - confirm actual
# memory use of the squid process before keeping this value.
cache_mem 2048 MB
cache_swap_low 90
cache_swap_high 95
#maximum_object_size 8192 KB
maximum_object_size 1024 KB
maximum_object_size_in_memory 16 KB
cache_replacement_policy heap LFUDA
memory_replacement_policy heap LFUDA
# aufs store: 1000 MB under /var/cache/squid, 16 first-level and 256
# second-level directories.
cache_dir aufs /var/cache/squid 1000 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log none

# Debug level 1 for all sections.
debug_options ALL,1

# add by RA 11/04/2011
# Objects smaller than 10 KB are not written to the disk cache.
minimum_object_size 10 KB
client_persistent_connections on
server_persistent_connections on
half_closed_clients off
# end by RA

# Value sent as the password for anonymous FTP logins (domain redacted).
ftp_user ftp@XXX.cz
ftp_list_width 64
ftp_passive on

# NOTE(review): these resolver addresses look like placeholders substituted
# by the poster - confirm the real values resolve quickly, since slow DNS
# stalls every request.
dns_nameservers 1.2.3.4 2.3.4.5

# --- Proxy authentication ---------------------------------------------------
# NTLM scheme: up to 140 ntlm_auth helper processes, started with -d 1.
auth_param ntlm program /usr/bin/ntlm_auth -d 1 --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 140
auth_param ntlm keep_alive on
# Basic scheme, offered alongside NTLM. Basic credentials are only
# base64-encoded, and http_port in this file is a plain (non-TLS) listener,
# so anything on the path between client and proxy can read them.
# NOTE(review): the basic helper runs with -d 6, a much higher debug level
# than the NTLM helper - check what it writes to the logs and lower it if
# authentication details end up there.
auth_param basic program /usr/bin/ntlm_auth -d 6 --helper-protocol=squid-2.5-basic
auth_param basic children 8
auth_param basic realm Tidian webcache server
# A validated username/password pair is trusted for 5 hours before the helper
# is asked again, so a password change or account lockout can take that long
# to be noticed for Basic logins.
auth_param basic credentialsttl 5 hours

# Group lookup helper keyed on the authenticated login (%LOGIN): 15 helper
# processes, answers cached for 3600 s. A group membership change can
# therefore take up to an hour to apply. ewb_query.pl itself is not shown.
external_acl_type ntlm_group  ttl=3600 children=15 %LOGIN /usr/lib/squid/ewb_query.pl

# --- Freshness rules and ACL definitions ------------------------------------
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320

# "all" matches every client address.
acl all src 0.0.0.0/0.0.0.0
acl cp_mgmt src 157.206.50.192/28
acl ldaps src 157.206.55.171/32 157.206.55.172/32 157.206.56.125/32 157.206.56.126/32
# NOTE(review): the first two entries are joined by a comma, while every other
# ACL in this file separates values with whitespace - verify that squid parses
# both addresses as intended (check cache.log at startup).
acl infra src 10.44.69.10/255.255.255.255,10.44.69.12/255.255.255.255 10.9.7.18/255.255.255.255 10.44.2.76/255.255.255.255 157.206.54.76/255.255.255.255
acl manager proto cache_object
acl purge method PURGE
acl localhost src 127.0.0.1/255.255.255.255
# Safe_ports covers 8080, 80, 21, 443 and the whole 1024-65535 range, so
# "deny !Safe_ports" only blocks low ports other than 21, 80 and 443.
acl Safe_ports port  8080
acl Safe_ports port 80 1024-65535       # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Ssl_ports port 443
acl Ext_ports port 80 443 21
#acl Ext_destdomains dstdomain .gmail.com .google.com .seznam.cz .hp.com .emea.csc.com .dctm.cz www.teamviewer.com .google.cz .cz
acl Ext_destdomains dstdomain .gmail.com .google.com .hp.com .emea.csc.com www.teamviewer.com .cz
acl Power_ports port 81 1024-65535 21
acl Power_destdomains dstdomain synthon.nl christian-weihs.de white.labware.com fo.actavis.com 
acl Power_destdomains dstdomain cz.zen.actum.cz
acl CONNECT method CONNECT
# Matches any request that carries valid proxy credentials; using it in a
# rule is what triggers the authentication challenge.
acl password proxy_auth REQUIRED
acl citrix_src src 157.206.58.187
acl citrix_dest dst 193.179.205.230
acl citrix_port port 443
# Domain list loaded from an external file (contents not shown).
acl dstdomain_whitelist dstdomain "/etc/squid/whitelists/dstdomain_whitelist"
acl hpsim_src src 157.206.57.110
acl hpsim_port port 443
acl hpsim_destdomains dstdomain rsswm.software.hp.com rsswm.policy.hp.com services.isee.hp.com
acl symantec_dest dstdomain symantec.com symanteclive.update.com
acl symantec_src src 10.72.0.14
acl symantec_ports port 80 443
#acl blacklist url_regex "/etc/squid/blacklist.lst"
# URL beginning with a dotted-quad address; presumably aimed at CONNECT
# requests, whose target is written as host:port - confirm.
acl numeric url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
#acl torrent url_regex torrent
acl wapp_dest dstdomain wapp.com
acl wapp_port port 443
acl qualys_src src 157.206.31.177
acl qualys_port port 443
acl apc_src src 157.206.49.70 157.206.49.101
acl apc_dest dstdomain activation.apc.com autoupdatev2.apcc.com
acl apc_port port 80 443
acl admin src 7.27.120.0/29
# fb_deny and andip are only referenced by http_access rules that are
# commented out in this file.
acl fb_deny dstdomain facebook.com www.facebook.com
acl andip src 7.27.90.246
#acl chunked dstdomain customer.synthon.nl

acl ftp_port port 21
# Marks every response as non-cacheable: this squid acts as an
# authenticating/filtering forwarder, not as a cache.
no_cache deny all

# "browser" ACLs are regex matches against the User-Agent request header,
# which is chosen by the client and is not an identity.
acl JavaApp browser Java/1.4 Java/1.5 Java/1.6
# Per-country group ACLs, resolved through the ntlm_group external helper
# for the authenticated login. The argument is the group name passed to it.
acl webproxy_admin_access_CZ external ntlm_group webproxy_admin_access_CZ
acl webproxy_user_access_CZ external ntlm_group webproxy_user_access_CZ
acl webproxy_power_access_CZ external ntlm_group webproxy_power_access_CZ
acl webproxy_ext_access_CZ external ntlm_group webproxy_ext_access_CZ
acl webproxy_admin_access_SK external ntlm_group webproxy_admin_access_SK
acl webproxy_user_access_SK external ntlm_group webproxy_user_access_SK
acl webproxy_power_access_SK external ntlm_group webproxy_power_access_SK
acl webproxy_admin_access_RO external ntlm_group webproxy_admin_access_RO
acl webproxy_user_access_RO external ntlm_group webproxy_user_access_RO
acl webproxy_power_access_RO external ntlm_group webproxy_power_access_RO
acl webproxy_admin_access_TR external ntlm_group webproxy_admin_access_TR
acl webproxy_user_access_TR external ntlm_group webproxy_user_access_TR
acl webproxy_power_access_TR external ntlm_group webproxy_power_access_TR
acl webproxy_admin_access_BG external ntlm_group webproxy_admin_access_BG
acl webproxy_user_access_BG external ntlm_group webproxy_user_access_BG
acl webproxy_power_access_BG external ntlm_group webproxy_power_access_BG
acl webproxy_user_access_LV external ntlm_group webproxy_user_access_LV
acl webproxy_power_access_LV external ntlm_group webproxy_power_access_LV
acl webproxy_admin_access_LV external ntlm_group webproxy_admin_access_LV
acl webproxy_ext_access_LV external ntlm_group webproxy_ext_access_LV
acl webproxy_user_access_PL external ntlm_group webproxy_user_access_PL
acl webproxy_power_access_PL external ntlm_group webproxy_power_access_PL
acl webproxy_admin_access_PL external ntlm_group webproxy_admin_access_PL
acl webproxy_ext_access_PL external ntlm_group webproxy_ext_access_PL

acl googlevideo_user src 10.40.0.20
acl googlevideo_dst dstdomain .googlevideo.com
acl hd85078_dst dst 125.18.138.9
acl hd85078_dstport port 89
# Case-insensitive regex block list loaded from a file (contents and size not
# shown). NOTE(review): http_access applies it to every request before the
# authenticated rules, and a long url_regex list costs CPU per request -
# worth measuring given the reported CPU load.
acl mbl_block url_regex -i "/etc/squid/mbl.lst"

# Pokus kvuli NTLM 30.3.2011 PavelK

#acl permit_direct_http dstdomain customer.synthon.nl myaet.com
#always_direct allow permit_direct_http

#acl nocache_http dstdomain customer.synthon.nl myaet.com
#no_cache deny nocache_http

# vypnuto 18.3. 2011 - Such
#url_rewrite_program /usr/bin/squidguard -c /etc/squid/squidguard.conf

# --- Access rules -----------------------------------------------------------
# http_access lines are checked top to bottom and the first match decides.
# A line matches only when all ACLs listed on it match.

# Cache manager and PURGE are usable from localhost only.
http_access allow manager localhost
http_access allow purge localhost
http_access deny manager
http_access deny purge
http_access allow googlevideo_user googlevideo_dst Safe_ports
# No source ACL on this line: any client may reach wapp.com:443 without
# authenticating.
http_access allow wapp_dest wapp_port
#http_access deny torrent
#http_access deny blacklist
#http_access allow andip fb_deny
#http_access deny fb_deny
http_access deny mbl_block
http_access allow localhost
# NOTE(review): this allows any request whose User-Agent matches Java/1.4-1.6,
# from any source, with no authentication, and it sits above the
# "deny !Safe_ports" and CONNECT checks. Because the header is set by the
# client, the rule works as an authentication bypass. Restrict it with a
# source and destination ACL plus Safe_ports, or move it below the
# port checks.
http_access allow JavaApp
# Source-address based exceptions for infrastructure hosts; none of them
# require authentication. The "all" in the middle of several lines matches
# everything and does not narrow the rule.
http_access allow citrix_src citrix_dest citrix_port
http_access allow cp_mgmt all Safe_ports
http_access allow ldaps all Safe_ports
http_access allow infra all Safe_ports
# No source restriction: any client may reach hd85078_dst on port 89.
http_access allow hd85078_dst all hd85078_dstport
http_access allow hpsim_src hpsim_port hpsim_destdomains
http_access allow symantec_dest symantec_src symantec_ports
http_access allow qualys_src all qualys_port
# Whitelisted destination domains are reachable without authentication.
http_access allow dstdomain_whitelist Safe_ports
http_access allow apc_src apc_dest apc_port
http_access allow admin Safe_ports
# Placed above "deny !Safe_ports" because Power_ports includes port 81, which
# Safe_ports does not.
http_access allow password webproxy_power_access_CZ all Power_ports Power_destdomains !JavaApp
http_access allow password webproxy_admin_access_CZ all Power_ports Power_destdomains !JavaApp
http_access deny !Safe_ports
# NOTE(review): this line can never match - anything outside Safe_ports was
# already denied by the line above. Since Safe_ports includes 1024-65535,
# CONNECT tunnels to any high port remain allowed for named hosts; the usual
# hardening is "deny CONNECT !Ssl_ports", which here is applied only to
# numeric (IP-literal) targets.
http_access deny CONNECT !Safe_ports
http_access deny CONNECT numeric !Ssl_ports
# Authenticated access by directory group: "password" forces proxy
# authentication, then the external helper checks group membership.
# Admin groups: unrestricted.
http_access allow password webproxy_admin_access_CZ all
http_access allow password webproxy_admin_access_SK all
http_access allow password webproxy_admin_access_RO all
http_access allow password webproxy_admin_access_TR all
http_access allow password webproxy_admin_access_BG all
http_access allow password webproxy_admin_access_LV all
http_access allow password webproxy_admin_access_PL all
# Power and user groups: everything except port 21.
http_access allow password webproxy_power_access_CZ all !ftp_port
http_access allow password webproxy_power_access_SK all !ftp_port
http_access allow password webproxy_power_access_RO all !ftp_port
http_access allow password webproxy_power_access_TR all !ftp_port
http_access allow password webproxy_power_access_BG all !ftp_port
http_access allow password webproxy_power_access_LV all !ftp_port
http_access allow password webproxy_power_access_PL all !ftp_port
http_access allow password webproxy_user_access_CZ all !ftp_port
http_access allow password webproxy_user_access_SK all !ftp_port
http_access allow password webproxy_user_access_RO all !ftp_port
http_access allow password webproxy_user_access_TR all !ftp_port
http_access allow password webproxy_user_access_BG all !ftp_port
http_access allow password webproxy_user_access_LV all !ftp_port
http_access allow password webproxy_user_access_PL all !ftp_port
# Ext groups: only Ext_ports (80, 443, 21) to Ext_destdomains.
http_access allow password webproxy_ext_access_CZ Ext_ports Ext_destdomains all
http_access allow password webproxy_ext_access_LV Ext_ports Ext_destdomains all
http_reply_access allow all
# Default deny for everything not matched above.
http_access deny all
#header_access Accept-Encoding deny chunked
#header_access Accept-Encoding deny chunked

# --- SNMP, cache manager and housekeeping -----------------------------------
# SNMP agent on port 3401; only community "cvg" from localhost is accepted.
acl public_snmp snmp_community cvg
snmp_port 3401
snmp_access allow public_snmp localhost
snmp_access deny all

icp_access deny all

cache_mgr root@ja.cz
# NOTE(review): the password "squid" protects every cache manager action and
# has been published with this post. The http_access rules in this file limit
# manager requests to localhost, but the password should still be replaced
# with a strong one and kept out of shared copies of the config.
cachemgr_passwd squid all

visible_hostname proxy

# 0 rotated copies are kept by squid itself; presumably the logs are rotated
# externally - confirm, since access.log for ~600 users grows quickly.
logfile_rotate 0
log_icp_queries on

# Never contact origin servers directly; every request goes to a cache_peer
# parent. If both parents are slow or down, clients see it immediately.
never_direct allow all

error_directory /usr/share/squid/errors/squid

#coredump_dir /var/spool/squid
coredump_dir none
/proc/cpuinfo
processor       : 0
vendor_id       : GenuineIntel
cpu family      : 6
model           : 15
model name      : Intel(R) Xeon(R) CPU            5160  @ 3.00GHz
stepping        : 6
cpu MHz         : 3000.113
cache size      : 4096 KB
physical id     : 0
siblings        : 2
core id         : 0
cpu cores       : 2
fpu             : yes
fpu_exception   : yes
cpuid level     : 10
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm syscall lm constant_tsc pni monitor ds_cpl vmx est tm2 cx16 xtpr lahf_lm
bogomips        : 6004.35
clflush size    : 64
cache_alignment : 64
address sizes   : 36 bits physical, 48 bits virtual
power management:

processor       : 1
vendor_id       : GenuineIntel
cpu family      : 6
model           : 15
model name      : Intel(R) Xeon(R) CPU            5160  @ 3.00GHz
stepping        : 6
cpu MHz         : 3000.113
cache size      : 4096 KB
physical id     : 0
siblings        : 2
core id         : 1
cpu cores       : 2
fpu             : yes
fpu_exception   : yes
cpuid level     : 10
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm syscall lm constant_tsc pni monitor ds_cpl vmx est tm2 cx16 xtpr lahf_lm
bogomips        : 6000.20
clflush size    : 64
cache_alignment : 64
address sizes   : 36 bits physical, 48 bits virtual
power management:
velikost RAM 4GB

/etc/sysctl.conf
# --- Network hardening ------------------------------------------------------
# Ignore ICMP redirects and source-routed packets, do not forward packets,
# enable reverse-path filtering and do not send redirects.
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.forwarding=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.send_redirects=0
# Do not answer broadcast pings; ignore malformed ICMP error replies.
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# SYN queue length and SYN cookies as protection against SYN floods.
net.ipv4.tcp_max_syn_backlog=1280
net.ipv4.tcp_syncookies=1

# Disable the magic SysRq key; append the PID to core file names.
kernel.sysrq = 0
kernel.core_uses_pid = 1

# Path MTU discovery and TCP timestamps are switched off.
net.ipv4.ip_no_pmtu_disc = 1
# NOTE(review): tcp_window_scaling is set to 0 here and to 1 further down.
# Entries are applied in file order, so the later value (1) is the one that
# ends up active; remove this line to avoid confusion.
net.ipv4.tcp_window_scaling = 0
net.ipv4.tcp_timestamps = 0

# add by RA
# Window scaling is needed for the buffer maxima below to be usable, since
# they exceed 64 KB. tcp_rmem/tcp_wmem are min, default and max in bytes
# (max 16 MB).
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 87380 16777216


Na otázku zatím nikdo bohužel neodpověděl.
