[squid-users] Slow Squid

Patrick Flaherty vze2k3sa at verizon.net
Wed Dec 9 15:29:06 UTC 2015


Hi ,

I have changed my 3.5.11 squid.conf based on your excellent feedback Amos.
Please have a look at my edits to see if it is improved.

Thank You,
Patrick

# Squid Proxy Configuration

# listening port
http_port     3128

# max_filedesc
max_filedesc  2048

# debug_options	ALL,2


# acl directives for ports and protocols
acl http      proto      http
acl https     proto      https
acl port_80   port       80
acl sslports  port       443
acl CONNECT   method     CONNECT


# acl and http_access ("rmsc.txt")
acl whitelist dstdomain  "c:/squid/etc/squid/rmsc.txt"
http_access 	allow 	whitelist
http_access 	deny 	whitelist

# network source of proxy traffic (Specific Network Example 192.168.1.0/24)
acl localnet  src        172.16.50.0/24
http_access allow localnet
http_access deny localnet


# localhost proxy access
#acl localhost src 127.0.0.1/32
#http_access allow localhost

# rules allowing proxy access
#http_access allow http    port_80  whitelist localnet
#http_access allow https   sslports whitelist localnet

# dns servers (Change dns_nameservers to client dns servers for consistency
# and better performance)
dns_nameservers 172.16.50.9 172.16.9.13

# cache web pages
cache_mem 512 MB

# roll log file daily and keep 30 days
logfile_rotate 30

# access log format (Having one problem with the Default Squid log
# and that is the timestamp being Epoch and not human readable on Windows
# platform)
logformat squid %tl %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt

# catch-all rule
http_access deny all

------------------------------
Message: 2
Date: Wed, 9 Dec 2015 14:56:23 +1300
From: Amos Jeffries <squid3 at treenet.co.nz>
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Slow Squid
Message-ID: <56678A47.8000600 at treenet.co.nz>
Content-Type: text/plain; charset=utf-8

On 9/12/2015 1:50 p.m., Patrick Flaherty wrote:
> Hi,
> 
>  
> 
> My Squid Server is much slower to go through than direct access to the 
> internet. I would expect it to be slower but not dramatically slower. 
> Any tips to speed it up? It's only used to access 8 whitelisted 
> domains. I am not using the disk based cache as it's only 8 sites 
> total we hit. See my squid config below and please offer any suggestions.
> 


What Squid version are you using?
And what are the values for "slower"?


> 
> # acl and http_access to ("whitelist.txt")
> 
> acl whitelist dstdomain  "c:/squid/etc/squid/whitelist.txt"

[ I'm not sure if this following applies to the Cygwin builds. It may not,
but since the FD limit is actually coming from the Windows kernel itself it
might anyway. ]

On Windows the proxy faces an absolute OS limit of 2048 FD that are
available per-process group.

Since each transaction/request uses 2-3 FD that means Squid on Windows can
service no more than ~1,000 RPS regardless of CPU capacity. Keeping in mind
modern browsers open 6 connections to a proxy, that means
160-200 concurrent visitors.

By comparison non-Windows proxies can reach ~20,000 RPS with up to 10K
concurrent visitors. So "slow" is par for the course on Windows (if you have
a lot of users).


> 
> http_access        allow     whitelist
> 

At this point, anybody from anywhere (the whole Internet) who can access the
proxy is allowed to fetch anything from the whitelisted servers/domains
through it. No other limits on those servers.

>  
> 
> # network source of proxy traffic
> 
> acl localnet  src        all
> 

So you are defining the entire Internet as being your LAN.

All the security controls, both those configured in your squid.conf
*and* any default built-in Squid settings that restrict access to the LAN
will now be wide open to any external visitor.


> 
> # acl directives for ports and protocols
> 
> acl http      proto      http
> 
> acl https     proto      https
> 
> acl port_80   port       80
> 
> acl sslports  port       443
> 
> acl CONNECT   method     CONNECT
> 
>  
> 
> # localhost proxy access
> 
> acl localhost src 127.0.0.1/32
> 
> http_access allow localhost
> 

You now have unlimited access to any of the whitelisted domains (from
earlier) *or* to anywhere at all when coming from localhost.

Note that this is *extending* the built-in definition of localhost ACL (if
you have a current Squid) which already includes the entire 127/8 and ::1
network ranges.


> 
> # rules allowing proxy access
> 
> http_access allow http    port_80  whitelist localnet
> 
> http_access allow https   sslports whitelist localnet
> 

These ACLs do nothing but waste CPU. All requests for whitelist domains are
permitted earlier without the protocol and port restrictions.


>  
> 
> # dns servers (Change dns_nameservers to client dns servers for 
> consistency and better performance)
> 
> dns_nameservers 172.16.50.1 172.16.50.9
> 
>  
> 
> # cache web pages directory
> 
> #cache_dir ufs C:/Squid/var/cache/squid 100 16 256
> 
> cache_mem 64 MB
> 

There are two implications from this 64MB of RAM cache.

Firstly, memory cache is the primary source of traffic acceleration for
Squid. Having only a small amount limits how much acceleration Squid can do
when the proxy is under load.


If the machine the proxy is running on is an embedded device or minimal VM so
limited that it can only spare 64MB of RAM for caching, then it is likely
that the available CPU is also constrained and that processor limit may be
the direct cause of the proxy being slow.


>  
> 
> # log file roll weekly
> 
> logfile_rotate 7
> 

NP: most systems default to daily for this AFAIK. If the logs get very big
then the filesystem can cause slowdown appending to them. I'm not sure if
that is relevant for your case, but worth checking.


> 
> # access log rules
> 
> logformat squid %tl %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
> 

Do not redefine a built-in log format. Either use the built-in definition,
or make your custom one have a different name.


Amos
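
Amos's point about `http_access allow whitelist` sitting ahead of any source
check (and about `acl localnet src all`) can be checked offline with a small
model of Squid's first-match http_access evaluation. This is an added example,
not code from the thread or from the Squid project. The domains, the
172.16.50.0/24 range and the client addresses are constructed stand-ins for
rmsc.txt and the real LAN, and the model covers only the `src`, `dstdomain`
and `all` ACL types plus `!` negation, not the rest of Squid's ACL system.

```python
"""Model of Squid http_access evaluation, enough to show why ACL order matters.

Squid behaviour reproduced here:
  * acl <name> src <cidr|all ...>   matches the client address
  * acl <name> dstdomain <dom ...>  ".example.com" matches that domain and
                                    every subdomain; "host.example.com" exactly
  * "all" is the built-in ACL matching every request
  * an http_access line is an AND of its ACL names; "!name" negates one
  * lines are tested top to bottom, the first full match decides
  * no match: opposite of the last line's action; no lines at all: deny
"""
import ipaddress


class Request:
    def __init__(self, client_ip, dst_host):
        self.client_ip = ipaddress.ip_address(client_ip)
        self.dst_host = dst_host.lower().rstrip(".")


def match_dstdomain(pattern, host):
    pattern = pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def _networks(value):
    # "acl foo src all" is what the original config used for localnet
    if value == "all":
        return [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
    return [ipaddress.ip_network(value, strict=False)]


def parse_config(text):
    acls = {"all": ("all", [])}
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, acl_type, values = parts[1], parts[2], parts[3:]
            if acl_type == "src":
                values = [n for v in values for n in _networks(v)]
            elif acl_type != "dstdomain":
                raise ValueError("acl type not modelled here: " + acl_type)
            if name in acls:  # Squid appends to an ACL defined twice
                acls[name][1].extend(values)
            else:
                acls[name] = (acl_type, list(values))
        elif parts[0] == "http_access":
            if len(parts) < 3 or parts[1] not in ("allow", "deny"):
                raise ValueError("bad http_access line: " + line)
            rules.append((parts[1], parts[2:]))
        else:
            raise ValueError("directive not modelled here: " + parts[0])
    return acls, rules


def acl_matches(acls, name, req):
    negate = name.startswith("!")
    acl_type, values = acls[name.lstrip("!")]
    if acl_type == "all":
        hit = True
    elif acl_type == "src":
        hit = any(req.client_ip in net for net in values)
    else:
        hit = any(match_dstdomain(p, req.dst_host) for p in values)
    return hit != negate


def http_access(config_text, req):
    """Return "allow" or "deny" for req under a squid.conf fragment."""
    acls, rules = parse_config(config_text)
    for action, names in rules:
        if all(acl_matches(acls, n, req) for n in names):
            return action
    if not rules:
        return "deny"
    return "allow" if rules[-1][0] == "deny" else "deny"


# Rule order as posted above (domains and LAN range are constructed).
POSTED_ORDER = """
acl whitelist dstdomain .example.com .example.net
acl localnet  src       172.16.50.0/24
http_access allow whitelist
http_access allow localnet
http_access deny  all
"""

# Same ACLs, ordered so a request must come from the LAN *and* target a
# whitelisted domain; the deny on !localnet shuts the Internet out first.
CORRECTED_ORDER = """
acl whitelist dstdomain .example.com .example.net
acl localnet  src       172.16.50.0/24
http_access deny  !localnet
http_access allow localnet whitelist
http_access deny  all
"""

if __name__ == "__main__":
    probes = [("203.0.113.7", "www.example.com"),   # Internet -> whitelisted
              ("172.16.50.25", "www.example.com"),  # LAN -> whitelisted
              ("172.16.50.25", "evil.test")]        # LAN -> anything else
    for ip, host in probes:
        req = Request(ip, host)
        print(f"{ip:>14} -> {host:<16} posted={http_access(POSTED_ORDER, req):5} "
              f"corrected={http_access(CORRECTED_ORDER, req)}")
```

Run it and the first probe shows the problem Amos described: with the posted
order an Internet client reaching the proxy is allowed through to the
whitelisted domains, while the corrected order denies it and also stops the
LAN from using the proxy for anything outside the whitelist.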



------------------------------

Message: 3
Date: Wed, 9 Dec 2015 21:49:12 +1100
From: Alex Samad <alex at samad.com.au>
To: Eliezer Croitoru <eliezer at ngtech.co.il>
Cc: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] squid reverse proxy infront of exchange 2010
Message-ID: <CAJ+Q1PUBccbhFZDrg4C8O_rpN6_+tRsK-HVM1UyY_72ZMBzimg at mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

Hi

Can't seem to find  3.5.12 for centos pre compiled at
http://www1.ngtech.co.il/repo/centos/6/x86_64/


On 8 December 2015 at 19:34, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> * try an upgrade to 3.5.12. There were some regressions in the .10/.11 
> releases that can lead to really weird behaviour.


------------------------------

Subject: Digest Footer

_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


------------------------------

End of squid-users Digest, Vol 16, Issue 32
*******************************************
