[squid-users] Transparent vs Tproxy: performance ?

Amos Jeffries squid3 at treenet.co.nz
Sat Sep 1 15:07:02 UTC 2018

On 1/09/18 9:33 PM, David Touzeau wrote:
> Hi
> We have 2 ways to make the squid in « transparent mode. »
> The standard Transparent method and (with modern kernels)  the use of
> « Tproxy » method

Please clarify what this "standard transparent" thing is you referring to?

I suspect that you actually mean "NAT" which is completely separate from
Squid and thus has no bearing on proxy performance.

> I would like to know which is the best according to the performance ?

This is a meaningless question. "comparing apples to oranges", etc.

You might as well ask if NAT is faster or slower than packet flow?

Both NAT and TPROXY involve kernel managing tables of active connections
and syscalls by Squid to search those tables on every accept(). Only the
timing of those syscalls and the state listed in the tables differ. The
limitations each imposes are more relevant than performance differences.


* TPROXY restricts the TCP ports available to clients to 31K, where
normally they are 63K.

* NAT systems restrict ports to (63*M)/N where N is number of clients on
the network, and M the number of IPs available to Squid outbound
(usually 1).

As you can see those will impose a cap on both performance and
capability of your network. How much is determined by your network size
and traffic peak flows. Not by anything related to Squid.

Squid performance should be essentially the same for all traffic
"modes". It is driven by the HTTP features used in the messages
happening, combined with what types of processing your config requires
to be done on those messages.
So by crafting the very extreme types of message one can flood a Gbps
network with a single HTTP request, or pass thousands of transactions
quickly over a 56Kbps modem link.


More information about the squid-users mailing list