[squid-users] Understanding maximum outgoing HTTP CONNECT requests?

divan.whelk.0u at icloud.com divan.whelk.0u at icloud.com
Sat Mar 4 12:42:53 UTC 2023


 
Thank you for the prompt reply!

> - Squid can be configured to receive on up to 64 ports.
>   Thus dst-port on **inbound** is 2^6.

> outbound =  N * 2^6 * 2^128 * 2^16 = N * 2^150

Would that be 2^6 dst-port on outbound, rather than inbound (ignoring Alt-Svc)? Or am I misunderstanding the theoretical limit formulae after?

> Thus total theoretical limit of simultaneous connections Squid can be juggling is  N * 2^151.

So, for example a single box HTTP CONNECT proxy might be listening on one IPv4 address and one IPv6 address, which would be making the outbound connections (and opening the TCP tunnel) and only able to make outbound connections to either port 80 or 443 (2^16 for each respective port, ignoring Alt-Svc). 

Whereas for incoming, listening on dst-port (3128) (2^16 incoming), with a theoretical limit of 2^32 IPv4 addresses or 2^128 IPv6 addresses (or do you use 2^128 including IPv4)?

> Reality can be significantly different for any given installation, but is imposed by configuration choices and thus can be altered as needed.

Understood, thanks! I think I’ve got a good idea now, with the clarifications.

Alex

> On 17 Feb 2023, at 20:18, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> 
> On 18/02/2023 12:14 am, divan.whelk.0u wrote:
>> Hi there!
>> 
>> I’m trying to understand what would the “theoretical” maximum amount of outgoing connections with squid setup as a HTTP CONNECT forward proxy would be (hardware permitting)?
> 
> As you likely know, each TCP/IP connection uses a 4-tuple identifier {src-IP, src-port, dst-IP, dst-port}.
> 
> So at face value there is a protocol imposed cap of (2^128 * 2^16 * 2^128 * 2^16) = 2^288 connections.
> 
> Being theoretical we have:
>     * ignored reserved IP ranges,
>     * ignored OS-specific ephemeral port reservations,
>     * assumed IPv6 availability, and
>     * assumed no access restrictions in Squid, network routing, nor firewall.
> 
> The factors to consider are:
> 
>  - Squid machine can be assigned multiple IP's.
>     Thus src-IP on outbound and dst-IP on inbound are that N.
> 
>  - Squid can be configured to receive on up to 64 ports.
>    Thus dst-port on inbound is 2^6.
> 
>  - DNS can provide any number of IPs for any given server name.
>     Thus outbound dst-IP can be any 2^128 value.
> 
>  - modern websites use Alt-Svc to spread across ports.
>     Thus outbound dst-port can be any 2^16 value.
> 
> So for theoretical limit the math is:
> 
>  inbound =    2^128 * 2^16 * N * 2^16  = N * 2^160
> 
>  outbound =  N * 2^6 * 2^128 * 2^16 = N * 2^150
> 
> Inbound and outbound are normally independent, but CONNECT is a special case where they are pinned 1:1.
> 
> Thus total theoretical limit of simultaneous connections Squid can be juggling is  N * 2^151.
> 
> Reality can be significantly different for any given installation, but is imposed by configuration choices and thus can be altered as needed.
> 
> 
>> From the [squid-users] About bottlenecks (Max number of connections, etc.) thread, I saw mention of the following:
>> 
>>> * The limit on number of connections any Squid can have attached is only limited by your configured FD limits and available server RAM. Squid uses ~64 KB per network socket for traffic state - which equates to around 2 GB of RAM just for I/O buffers at 20,000 concurrent client connections.
>> I assume the same would not apply on outgoing connections, and that there would be a limit of 65,536 connections to a single IP, port pair? For example, if we had 1 million users making requests via HTTP CONNECT, only 65K of them would be able to access the same website at any one time?
> 
> IIRC that quoted thread was discussing a Squid with more normal multiple-destination case hitting FD limits.  The 64K port limitation you refer to is a special case contingent on the "single destination with single IP:port" criteria - which itself is rarely true for a popular website. It assumes configuration restriction imposing that criteria somehow.
> 
> 
> Cheers
> Amos
> 
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
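The factors Amos lists (N proxy IPs, the source-port space per IP, the number of destination IPs and ports, and the ~64 KB-per-socket figure from the quoted bottlenecks thread) can be folded into a small capacity calculator. The script below is an added example, not code from the thread or from Squid; the ephemeral port range it uses as a default is the Linux `net.ipv4.ip_local_port_range` default (32768-60999), and the FD and RAM budgets in the demonstration are constructed values. It reproduces Amos's theoretical outbound figure and then shows, for the "1 million users, one website" question, which of the three practical limits (4-tuple space, file descriptors, socket buffer RAM) actually binds.

```python
"""Connection-budget calculator for a CONNECT forward proxy.

Added example for the squid-users thread above; not part of Squid.
A CONNECT tunnel pins one inbound client socket to one outbound
server socket, so every tunnel costs two sockets on the proxy.
"""
from dataclasses import dataclass

# Linux default net.ipv4.ip_local_port_range is "32768 60999".
LINUX_DEFAULT_EPHEMERAL_PORTS = 60999 - 32768 + 1   # 28232 usable source ports

# Per-socket traffic-state estimate quoted in the thread (~64 KB).
PER_SOCKET_BYTES = 64 * 1024


def ephemeral_port_count(low: int, high: int) -> int:
    """Number of source ports the OS will hand out for outbound connects."""
    if not (0 < low <= high <= 65535):
        raise ValueError("port range must satisfy 0 < low <= high <= 65535")
    return high - low + 1


@dataclass(frozen=True)
class ProxyTopology:
    proxy_ips: int        # N: addresses assigned to the Squid box (src-IP outbound)
    src_ports: int        # usable ephemeral ports per proxy IP (src-port outbound)
    dst_ips: int          # distinct server IPs behind the destination (dst-IP)
    dst_ports: int        # distinct server ports, e.g. via Alt-Svc (dst-port)


def outbound_capacity(t: ProxyTopology) -> int:
    """Distinct outbound 4-tuples {src-IP, src-port, dst-IP, dst-port}.

    With dst_ips == dst_ports == 1 this is the per-destination ceiling
    behind the '65K connections to one IP:port' question.
    """
    return t.proxy_ips * t.src_ports * t.dst_ips * t.dst_ports


def theoretical_outbound(n: int) -> int:
    """Amos's theoretical outbound figure: N * 2^6 * 2^128 * 2^16 = N * 2^150."""
    return n * (2 ** 6) * (2 ** 128) * (2 ** 16)


def tunnel_capacity(t: ProxyTopology, fd_limit: int, ram_bytes: int,
                    per_socket_bytes: int = PER_SOCKET_BYTES):
    """Return (tunnels, binding_limit, all_limits) for CONNECT tunnels.

    Each tunnel consumes two FDs and two sockets' worth of buffer RAM,
    so the FD and RAM budgets are halved before comparing them with
    the 4-tuple space.
    """
    limits = {
        "4-tuple": outbound_capacity(t),
        "fd": fd_limit // 2,
        "ram": ram_bytes // (2 * per_socket_bytes),
    }
    binding = min(limits, key=limits.get)
    return limits[binding], binding, limits


if __name__ == "__main__":
    # Constructed scenario: one proxy IP, default Linux ephemeral range,
    # every client going to a single destination IP:port.
    single_dest = ProxyTopology(proxy_ips=1,
                                src_ports=LINUX_DEFAULT_EPHEMERAL_PORTS,
                                dst_ips=1, dst_ports=1)
    tunnels, why, limits = tunnel_capacity(single_dest,
                                           fd_limit=65536,
                                           ram_bytes=2 * 1024 ** 3)
    print(f"per-destination 4-tuple ceiling: {outbound_capacity(single_dest)}")
    print(f"tunnels possible: {tunnels} (bound by {why}); all limits: {limits}")

    # Adding proxy IPs multiplies the 4-tuple space (Amos's factor N).
    four_ips = ProxyTopology(4, LINUX_DEFAULT_EPHEMERAL_PORTS, 1, 1)
    print(f"with N=4 proxy IPs: {outbound_capacity(four_ips)} per destination")
    print(f"theoretical outbound for N=1: 2^{theoretical_outbound(1).bit_length() - 1}")
```

Running it with the constructed budgets shows that a single-IP proxy with the default ephemeral range cannot reach even the 65,536 per-destination figure discussed in the thread (28,232 is the ceiling), and that a 2 GiB socket-buffer budget at 64 KB per socket binds before either the port space or a 65,536 FD limit. Raising N, widening the ephemeral range, or spreading the destination across more IPs or ports moves the 4-tuple ceiling, while the FD and RAM lines only move with server resources.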
