[squid-users] How to configure Squid can improve the performance ?

Amos Jeffries squid3 at treenet.co.nz
Wed Apr 11 04:02:02 UTC 2018


On 11/04/18 13:48, 赵 俊 wrote:
> Thanks for reading my Email.
> 
> I have two questions:
> 
> My first question is what the maximum concurrent connections and the
> maximum new connections of Squid are.
> 


There are 64K ports on an IP address. Your Squid and machine also have a
file descriptor (FD) limit; it is 64K by default but may be smaller (e.g.
on Windows it is 256). The smaller of those two numbers is the upper
limit Squid can use.

The ports number is shared between client connections, server
connections and both types of ICAP connections.

The FDs number is shared by the same things as the ports number, as well
as disk files in-use.


You can maybe increase FDs with squid.conf max_filedescriptors, or if
that does not work rebuild Squid with --max-filedescriptors= build
option. Use the ulimit tool on non-Windows machines to increase the OS
limit before starting Squid.



> The second question is how to configure Squid to improve the maximum
> concurrent connections, maximum new connections and the performance.
> 

If available FDs are your limit you can maybe increase them with the
squid.conf max_filedescriptors config option. Or if that does not work,
rebuild Squid with the --max-filedescriptors= build option. Use the ulimit
tool on non-Windows machines to increase the OS limit before starting Squid.


> I used version 3.5.27.
> 
> My squid.conf is:
...
> 
> # And finally deny all other access to this proxy
> acl NCACHE method GET
> store_miss deny all

The "store_miss deny all" above will be preventing HTTP objects from
caching. That means every request will consume one extra server
connection and one extra ICAP RESPMOD connection.
Your Squid will need somewhat fewer connections if things are
caching. So you may want to remove this.


> via off
> 
> # Squid normally listens to port 3128
> http_port 3128 
> https_port 192.168.XX.XXX:3129 intercept ssl-bump connection-auth=off
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> cert=/usr/local/squid/ssl_cert/myCA.pem
> key=/usr/local/squid/ssl_cert/myCA.pem  options=NO_SSLv3,NO_SSLv2

NP: If cert= and key= are in the same file like this you do not have to
configure key=.

Also, for Squid-3.* add sslflags=NO_DEFAULT_CA on the above port line.
That will free up a lot of memory in OpenSSL for other things it may be
needed for.


> 
> acl ssl_step1 at_step SslBump1
> acl ssl_step2 at_step SslBump2
> acl ssl_step3 at_step SslBump3
> 
> ssl_bump peek ssl_step1
> ssl_bump stare ssl_step2
> ssl_bump bump ssl_step3
> 
> sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s
> /usr/local/squid/lib/ssl_db -M 4MB
> sslcrtd_children 8 startup=1 idle=1
> 

ssl_crtd is a little bit unusual for helpers in that it holds up the TLS
handshake which is somewhat critical to do fast. So it is probably best
to use more than startup=1 to reduce Squid memory usage and delays.

As a general "rule of thumb" look at your running proxy and see how many
helpers it is needing to start for your normal traffic. Use that as the
startup= value.



The below cache_dir, object_size, cache_mem, and cache_swap directives
are not useful while you have "store_miss deny all" preventing cache
storage from being used.

> #Uncomment and adjust the following to add a disk cache directory.
> cache_dir ufs /usr/local/squid/var/cache/squid 4096 16 256
> minimum_object_size 0 KB
> maximum_object_size 4096 KB
> maximum_object_size_in_memory 4096 KB
> 
> ipcache_size 1024 MB
> ipcache_low 90
> ipcache_high 95
> fqdncache_size 1024 MB
> 
> cache_mem 2048 MB
> cache_swap_low 90
> cache_swap_high 95
> 
> # Leave coredumps in the first cache dir
> coredump_dir /usr/local/squid/var/cache/squid
> 
> #icap
> icap_enable on
> icap_preview_enable on
> icap_preview_size 1024
> icap_send_client_ip on
> adaptation_meta X-Client-Port "%>p"
> icap_206_enable on
> icap_persistent_connections off

The above disabling of persistence on ICAP connections will be slowing
Squid down, since it has to repeat TCP handshakes *twice* for every
single message through the proxy.


> 
> icap_service service_req reqmod_precache 0 icap://192.168.XX.XXX:1344/echo
> icap_service service_res respmod_precache 1 icap://192.168.XX.XXX:1344/echo
> adaptation_access service_res allow all
> adaptation_access service_req allow all
> 

You can maybe improve ICAP connection use by tuning some traffic not to
use adaptation. For example CONNECT messages are being SSL-Bump'ed so
they are best not to be adapted.
For example:
  adaptation_access service_req deny CONNECT
  adaptation_access service_req allow all


Amos
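The points Amos raises above (store_miss disabling the cache, ICAP persistence off, the missing sslflags=NO_DEFAULT_CA, the redundant key=, startup=1 for ssl_crtd, and REQMOD adaptation of CONNECT) can be checked mechanically. The script below is an added example written for this page, not code from the thread or from the Squid project: a small linter that reads a squid.conf and reports each of those settings with the fix suggested in the reply. The SAMPLE_CONF it carries is constructed to mirror the poster's quoted configuration; the 192.0.2.x addresses and file paths in it are placeholders.

```python
"""Lint a squid.conf for the connection-budget problems discussed in the
squid-users reply (added example, not part of the original thread)."""
from dataclasses import dataclass

# Constructed sample mirroring the poster's quoted squid.conf.
# 192.0.2.x is TEST-NET, used here as a placeholder, not a real host.
SAMPLE_CONF = """\
acl CONNECT method CONNECT
acl NCACHE method GET
store_miss deny all
https_port 192.0.2.10:3129 intercept ssl-bump connection-auth=off generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/myCA.pem key=/usr/local/squid/ssl_cert/myCA.pem options=NO_SSLv3,NO_SSLv2
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1
cache_dir ufs /usr/local/squid/var/cache/squid 4096 16 256
icap_enable on
icap_persistent_connections off
icap_service service_req reqmod_precache 0 icap://192.0.2.20:1344/echo
icap_service service_res respmod_precache 1 icap://192.0.2.20:1344/echo
adaptation_access service_res allow all
adaptation_access service_req allow all
"""


@dataclass
class Finding:
    directive: str  # squid.conf directive the finding is about
    problem: str    # why it costs connections, memory or latency
    fix: str        # the change suggested in the thread


def parse_conf(text):
    """Return [(directive, [args])] for each non-comment, non-empty line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            entries.append((parts[0], parts[1:]))
    return entries


def kv_args(args):
    """Split name=value options (port lines, helper lines) into a dict; bare flags map to ''."""
    out = {}
    for a in args:
        name, _, value = a.partition("=")
        out[name] = value
    return out


def lint(text):
    """Return the list of Findings for one squid.conf text, in file order."""
    findings = []
    entries = parse_conf(text)
    # REQMOD services see CONNECT requests too; the reply says those are best not adapted.
    reqmod_services = {args[0] for d, args in entries
                       if d == "icap_service" and len(args) > 1 and args[1].startswith("reqmod")}
    denied_connect = set()  # services with a 'deny CONNECT' rule already seen
    for directive, args in entries:
        if directive == "store_miss" and args[:2] == ["deny", "all"]:
            findings.append(Finding(directive,
                "nothing is cached, so every request costs a server connection and an ICAP RESPMOD connection",
                "remove 'store_miss deny all' so cache_dir/cache_mem can serve repeat requests"))
        elif directive == "icap_persistent_connections" and args[:1] == ["off"]:
            findings.append(Finding(directive,
                "the ICAP TCP handshake is repeated twice for every message",
                "set icap_persistent_connections on"))
        elif directive == "https_port" and "ssl-bump" in args:
            opts = kv_args(args)
            if "NO_DEFAULT_CA" not in opts.get("sslflags", ""):
                findings.append(Finding(directive,
                    "OpenSSL keeps the whole default CA bundle in memory for this port",
                    "add sslflags=NO_DEFAULT_CA to the https_port line (Squid-3.x)"))
            if "cert" in opts and opts.get("key") == opts["cert"]:
                findings.append(Finding(directive,
                    "key= names the same file as cert=, which is redundant",
                    "drop the key= option"))
        elif directive == "sslcrtd_children":
            startup = kv_args(args[1:]).get("startup")
            if startup is not None and int(startup) <= 1:
                findings.append(Finding(directive,
                    "ssl_crtd helpers are started on demand while TLS handshakes wait",
                    "set startup= to the number of helpers normally busy under your traffic"))
        elif directive == "adaptation_access" and len(args) >= 3:
            service, action, acls = args[0], args[1], args[2:]
            if action == "deny" and "CONNECT" in acls:
                denied_connect.add(service)
            elif (action == "allow" and "all" in acls
                  and service in reqmod_services and service not in denied_connect):
                findings.append(Finding(directive,
                    f"REQMOD service {service} also adapts CONNECT messages that are SSL-Bumped anyway",
                    f"insert 'adaptation_access {service} deny CONNECT' before the allow all rule"))
    return findings


if __name__ == "__main__":
    for f in lint(SAMPLE_CONF):
        print(f"{f.directive}: {f.problem}\n    fix: {f.fix}")
```

Run it against a real squid.conf by passing the file contents to `lint()`; the adaptation check is order-sensitive on purpose, because Squid evaluates adaptation_access rules top to bottom, so a `deny CONNECT` placed after the `allow all` would never match.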

