[squid-users] Slow Squid
vze2k3sa at verizon.net
Wed Dec 9 15:29:06 UTC 2015
I have changed my 3.5.11 squid.conf based on your excellent feedback Amos.
Please have a look at my edits to see if it is improved.
# Squid Proxy Configuration
# listening port
# debug_options ALL,2
# acl directives for ports and protocols
acl http proto http
acl https proto https
acl port_80 port 80
acl sslports port 443
acl CONNECT method CONNECT
# acl and http_access ("rmsc.txt")
acl whitelist dstdomain "c:/squid/etc/squid/rmsc.txt"
http_access allow whitelist
http_access deny whitelist
# network source of proxy traffic (Specific Network Example 192.168.1.0/24)
acl localnet src 172.16.50.0/24
http_access allow localnet
http_access deny localnet
# localhost proxy access
#acl localhost src 127.0.0.1/32
#http_access allow localhost
# rules allowing proxy access
#http_access allow http port_80 whitelist localnet
#http_access allow https sslports whitelist localnet
# dns servers (Change dns_nameservers to client dns servers for consistency and better performance)
dns_nameservers 172.16.50.9 172.16.9.13
# cache web pages
cache_mem 512 MB
# roll log file daily and keep 30 days
# access log format (Having one problem with the Default Squid log and that is the timestamp being Epoch and not human readable on Windows)
logformat squid %tl %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
# catch-all rule
http_access deny all
Date: Wed, 9 Dec 2015 14:56:23 +1300
From: Amos Jeffries <squid3 at treenet.co.nz>
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Slow Squid
Message-ID: <56678A47.8000600 at treenet.co.nz>
Content-Type: text/plain; charset=utf-8
On 9/12/2015 1:50 p.m., Patrick Flaherty wrote:
> My Squid Server is much slower to go through than direct access to the
> internet. I would expect it to be slower but not dramatically slower.
> Any tips to speed it up? It's only used to access 8 whitelisted
> domains. I am not using the disk based cache as it's only 8 sites
> total we hit. See my squid config below and please offer any suggestions.
What Squid version are you using?
And what are the values for "slower" ?
> # acl and http_access to ("whitelist.txt")
> acl whitelist dstdomain "c:/squid/etc/squid/whitelist.txt"
[ I'm not sure if this following applies to the Cygwin builds. It may not,
but since the FD limit is actually coming from the Windows kernel itself it
might anyway. ]
On Windows the proxy faces an absolute OS limit of 2048 FD that are
available per-process group.
Since each transaction/request uses 2-3 FD that means Squid on Windows can
service no more than ~1,000 RPS regardless of CPU capacity. Keeping in mind
modern browsers open 6 connections to a proxy, that means
160-200 concurrent visitors.
By comparison non-Windows proxies can reach ~20,000 RPS with up to 10K
concurrent visitors. So "slow" is par for the course on Windows (if you have
a lot of users).
> http_access allow whitelist
At this point, anybody from anywhere (the whole Internet) who can access the
proxy is allowed to fetch anything from the whitelisted servers/domains
through it. No other limits on those servers.
> # network source of proxy traffic
> acl localnet src all
So you are defining the entire Internet as being your LAN.
All the security controls, both those configured in your squid.conf
*and* any default built-in Squid settings that restrict access to the LAN
will now be wide open to any external visitor.
> # acl directives for ports and protocols
> acl http proto http
> acl https proto https
> acl port_80 port 80
> acl sslports port 443
> acl CONNECT method CONNECT
> # localhost proxy access
> acl localhost src 127.0.0.1/32
> http_access allow localhost
You now have unlimited access to any of the whitelisted domains (from
earlier) *or* to anywhere at all when coming from localhost.
Note that this is *extending* the built-in definition of localhost ACL (if
you have a current Squid) which already includes the entire 127/8 and ::1
> # rules allowing proxy access
> http_access allow http port_80 whitelist localnet
> http_access allow https sslports whitelist localnet
These ACLs do nothing but waste CPU. All requests for whitelist domains are
permitted earlier without the protocol and port restrictions.
> # dns servers (Change dns_nameservers to client dns servers for
> consistency and better performance)
> dns_nameservers 172.16.50.1 172.16.50.9
> # cache web pages directory
> #cache_dir ufs C:/Squid/var/cache/squid 100 16 256
> cache_mem 64 MB
There are two implications from this 64MB of RAM cache.
Firstly, memory cache is the primary source of traffic acceleration for
Squid. Having only a small amount limits how much acceleration Squid can do
when the proxy is under load.
If the machine the proxy is running on is an embedded device or minimal VM so
limited that it can only spare 64MB of RAM for caching, then it is likely
that the available CPU is also constrained and that processor limit may be
the direct cause of the proxy being slow.
> # log file roll weekly
> logfile_rotate 7
NP: most systems default to daily for this AFAIK. If the logs get very big
then the filesystem can cause slowdown appending to them. I'm not sure if
that is relevant for your case, but worth checking.
> # access log rules
> logformat squid %tl %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
Do not redefine a built-in log format. Either use the built-in definition,
or make your custom one have a different name.
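Added example (not part of the original thread, and not Squid's own code): a simplified Python model of http_access first-match evaluation, run against the rule order in the revised config at the top of this page, to show which rule decides a request. The domain .example.com, the client addresses and the COMBINED rule set are assumptions for illustration; the contents of rmsc.txt are not shown in the thread.

```python
import ipaddress

# Constructed sample ACLs. The whitelist entry is a placeholder; the page
# does not show the contents of rmsc.txt.
ACLS = {
    "whitelist": ("dstdomain", [".example.com"]),
    "localnet": ("src", ["172.16.50.0/24"]),
    "all": ("src", ["0.0.0.0/0"]),
}

def acl_matches(name, client_ip, host):
    kind, values = ACLS[name]
    if kind == "src":
        addr = ipaddress.ip_address(client_ip)
        return any(addr in ipaddress.ip_network(v) for v in values)
    # dstdomain: a leading dot matches the domain itself and its subdomains
    host = host.lower().rstrip(".")
    for v in values:
        base = v.lstrip(".")
        if host == base or (v.startswith(".") and host.endswith("." + base)):
            return True
    return False

def evaluate(rules, client_ip, host):
    """Return (action, rule_text) for the first rule whose ACLs all match."""
    for line in rules:
        _, action, *names = line.split()
        if all(acl_matches(n, client_ip, host) for n in names):
            return action, line
    # Squid's default when nothing matches is the opposite of the last rule
    last = rules[-1].split()[1]
    return ("deny" if last == "allow" else "allow"), "(implicit default)"

POSTED = [
    "http_access allow whitelist",
    "http_access deny whitelist",
    "http_access allow localnet",
    "http_access deny localnet",
    "http_access deny all",
]
# Assumed alternative: both conditions on one line, so they are ANDed.
COMBINED = ["http_access allow localnet whitelist", "http_access deny all"]

if __name__ == "__main__":
    for label, rules in (("posted", POSTED), ("combined", COMBINED)):
        for ip, host in (("203.0.113.7", "www.example.com"),
                         ("172.16.50.20", "www.example.com"),
                         ("172.16.50.20", "other.test")):
            print(label, ip, host, *evaluate(rules, ip, host))
```

With the posted order, the first rule decides every request for a whitelisted domain before any source check is reached, and the "deny" line that follows each "allow" on the same ACL can never match.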
Date: Wed, 9 Dec 2015 21:49:12 +1100
From: Alex Samad <alex at samad.com.au>
To: Eliezer Croitoru <eliezer at ngtech.co.il>
Cc: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] squid reverse proxy infront of exchange
<CAJ+Q1PUBccbhFZDrg4C8O_rpN6_+tRsK-HVM1UyY_72ZMBzimg at mail.gmail.com>
Content-Type: text/plain; charset=UTF-8
Can't seem to find 3.5.12 for centos pre compiled at
On 8 December 2015 at 19:34, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> * try an upgrade to 3.5.12. There were some regressions in the .10/.11
> releases that can lead to really weird behaviour.