[cobalt-users] Qube3 + WebCache (Squid2) problem fixing

["Arnis" <graphics@xxxxxxxxxxxxxx>]

Hi all!

I just want to share my novice expierence about subj. - it maybe useful for
others.

So.
Subject:) - Qube3 (all patches applied) with enabled Webcache started up ~ 6
month ago.

Symptoms: 1. With enabled webcache processor usage climbs from ~10% up to
98% constantly.
2. There was strange incoming and outgoing traffic growth on secondary
network interface - there aren't any strange logs in backups. Traffic growth
match with Code Red activities.

Problem:
Squid eats up to 95% of processor all the time. I found out that in
/home/squid2/logs sit 300MB access.log and 80MB cache.log files. None of
them are located in backup files. The first one include large amount of
"outdoor activities" - someone use our Qube as a public proxy (there are
common practice of  ISPs that non-domestic traffic is for additional fee,
therefore domestic public proxy with access to world is quite interesting
for large amount of people). The second file, except some strings, was full
with warning messages (every 10 seconds) about disk space over limit
(512MB).
Cheking out squid.conf I found that all hosts are allowed to use proxy,
cache_swap_low and cache_swap_high parameters was disabled, logrotate set to
1.

Solution:
According to www.squid-cache.org  - Edit squid.conf - enable cache_swap_low
and cache_swap_high parameters, enlarge cache swap size to 1GB, enlarge
cache memory size to default value (8MB), set logrotate to 10. Then clean
and rebuild the cache, rotate logs manualy.
Block access to Squid listening port 3128 for "outdoor" with ipchains.

Results:
Processor usage drops to 5-10%, traffic also returns to normal level,
cache.log file is clean and nice:)

Question:
Can someone look at their squid.conf - I just want to understand - is this
problem SUN related or my box is hacked?
Why these important log files (and also httpd files: home-access,
home-error, adm-access, adm-error) aren't found in backups?

Thanks
Arnis