<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p><br>
</p>
<br>
<div class="moz-cite-prefix">22.03.2018 23:10, Keith Hartley пишет:<br>
</div>
<blockquote type="cite"
cite="mid:BLUPR06MB1747D5BF0659E34BFE3FE7E6EEA90@BLUPR06MB1747.namprd06.prod.outlook.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal">I am using squid 3.5 for windows as a
transparent proxy to provide internet access to 7 servers in a
secure environment that otherwise does not have internet
access. I have two squids running behind a load balancer, each
one is running server 2016 core with 2 Xeon processors that is
either haswell generation with 1:1 physical processor to
virtual processor mapping or a hyper-threading Broadwell
generation processor that is 1:1 logical processor to virtual
processor mapping, depending on how they are provisioned when
they get started.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Doing a bandwidth test directly in the VM I
am able to get internet throughput of 800-1200 Mbps.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Doing a file copy to and from the VM I am
able to get 1200 Mbps lan throughput.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">In proxied uploads I have observed speeds
as high as 120 Mbps, which is more than enough for what I need
and the bottleneck is likely in the backup software rather
than squid. Uploads performance I am not worried about where
they are at now – even if I only got 20-30 Mbps it would be
adequate for what I need it for.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Downloads however are very slow. Small
files do not seem to be impacted. Using the test a
thinkbroadband.com/download, files up to 20 Mb will download
at a reasonable 20-30 Mbps, but when I get to 50, it slows
down to about 17 Mbps, and when I download AD Connect from
Microsoft, which is about 80 Mb, I can see it start at about
30 Mbps, but eventually goes down to about 115 kbps and levels
off. When I put an IP on the server I am using for testing
that proxies through squid, I am able to download the file at
several hundred mbps. When I download the same file on the
squid server – I can’t tell exactly what throughput I was
getting, but the 80 Mb file downloaded within 5 seconds.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">In both squid servers, other than when the
servers were booting, processor activity has not exceeded 9%
in the last 7 days but usually sits below 2%. Memory usage has
not exceeded 2 Gb, leaving 2 Gb free.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I am using OpenDNS for a DNS source, and
have tried changing DNS to level3 but it made no performance
difference.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I think that this may be squid trying to
cache something, but had tried to turn all caching off.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">My cache.log doesn’t really have anything
interesting in it that I can see. It’s the same ~30 or so log
entries each time the service starts, and that is about it.
Here it is:
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">2018/03/22 09:47:27 kid1| Set Current
Directory to /var/cache/squid<o:p></o:p></p>
<p class="MsoNormal">2018/03/22 09:47:27 kid1| Starting Squid
Cache version 3.5.27 for x86_64-unknown-cygwin...<o:p></o:p></p>
<p class="MsoNormal">2018/03/22 09:47:27 kid1| Service Name:
squid<o:p></o:p></p>
<p class="MsoNormal">2018/03/22 09:47:27 kid1| Process ID 1164<o:p></o:p></p>
<p class="MsoNormal">2018/03/22 09:47:27 kid1| Process Roles:
worker<o:p></o:p></p>
<p class="MsoNormal">2018/03/22 09:47:27 kid1| With 3200 file
descriptors available<o:p></o:p></p>
<p class="MsoNormal">2018/03/22 09:47:27 kid1| Initializing IP
Cache...<o:p></o:p></p>
<p class="MsoNormal">2018/03/22 09:47:27 kid1| parseEtcHosts:
/etc/hosts: (2) No such file or directory<o:p></o:p></p>
<p class="MsoNormal">2018/03/22 09:47:27 kid1| DNS Socket
created at [::], FD 5<o:p></o:p></p>
<p class="MsoNormal">2018/03/22 09:47:27 kid1| DNS Socket
created at 0.0.0.0, FD 6<o:p></o:p></p>
<p class="MsoNormal">2018/03/22 09:47:27 kid1| Adding nameserver
208.67.222.222 from squid.conf<o:p></o:p></p>
<p class="MsoNormal">2018/03/22 09:47:27 kid1| Adding nameserver
208.67.220.220 from squid.conf<o:p></o:p></p>
<p class="MsoNormal">2018/03/22 09:47:27 kid1| Logfile: opening
log daemon:/var/log/squid/access.log<o:p></o:p></p>
<p class="MsoNormal">2018/03/22 09:47:27 kid1| Logfile Daemon:
opening log /var/log/squid/access.log<o:p></o:p></p>
<p class="MsoNormal">2018/03/22 09:47:27 kid1| WARNING: no_suid:
setuid(0): (22) Invalid argument<o:p></o:p></p>
<p class="MsoNormal">2018/03/22 09:47:27 kid1| Store logging
disabled<o:p></o:p></p>
<p class="MsoNormal">2018/03/22 09:47:27 kid1| Swap maxSize 0 +
262144 KB, estimated 20164 objects<o:p></o:p></p>
<p class="MsoNormal">2018/03/22 09:47:27 kid1| Target number of
buckets: 1008<o:p></o:p></p>
<p class="MsoNormal">2018/03/22 09:47:27 kid1| Using 8192 Store
buckets<o:p></o:p></p>
<p class="MsoNormal">2018/03/22 09:47:27 kid1| Max Mem size:
262144 KB<o:p></o:p></p>
<p class="MsoNormal">2018/03/22 09:47:27 kid1| Max Swap size: 0
KB<o:p></o:p></p>
<p class="MsoNormal">2018/03/22 09:47:27 kid1| Using Least Load
store dir selection<o:p></o:p></p>
<p class="MsoNormal">2018/03/22 09:47:27 kid1| Set Current
Directory to /var/cache/squid<o:p></o:p></p>
<p class="MsoNormal">2018/03/22 09:47:27 kid1| Finished loading
MIME types and icons.<o:p></o:p></p>
<p class="MsoNormal">2018/03/22 09:47:27 kid1| HTCP Disabled.<o:p></o:p></p>
<p class="MsoNormal">2018/03/22 09:47:27 kid1| Squid plugin
modules loaded: 0<o:p></o:p></p>
<p class="MsoNormal">2018/03/22 09:47:27 kid1| Adaptation
support is off.<o:p></o:p></p>
<p class="MsoNormal">2018/03/22 09:47:27 kid1| Accepting HTTP
Socket connections at local=[::]:3128 remote=[::] FD 10
flags=9<o:p></o:p></p>
<p class="MsoNormal">2018/03/22 09:47:28 kid1| storeLateRelease:
released 0 objects<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">And this is my squid.conf:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">#<o:p></o:p></p>
<p class="MsoNormal"># Recommended minimum configuration:<o:p></o:p></p>
<p class="MsoNormal">#<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"># Example rule allowing access from your
local networks.<o:p></o:p></p>
<p class="MsoNormal"># Adapt to list your (internal) IP networks
from where browsing<o:p></o:p></p>
<p class="MsoNormal"># should be allowed<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">#acl localnet src 10.0.0.0/8 #
RFC1918 possible internal network<o:p></o:p></p>
<p class="MsoNormal">#acl localnet src 172.16.0.0/12 #
RFC1918 possible internal network<o:p></o:p></p>
<p class="MsoNormal">#acl localnet src 192.168.0.0/16 # RFC1918
possible internal network<o:p></o:p></p>
<p class="MsoNormal">acl localnet src fc00::/7 # RFC 4193
local private network range<o:p></o:p></p>
<p class="MsoNormal">acl localnet src fe80::/10 # RFC 4291
link-local (directly plugged) machines<o:p></o:p></p>
<p class="MsoNormal">acl WSUS src 192.168.225.4/32<o:p></o:p></p>
<p class="MsoNormal">acl BACKUP src 192.168.225.11/32<o:p></o:p></p>
<p class="MsoNormal">acl ADFS src 192.168.224.7/32<o:p></o:p></p>
<p class="MsoNormal">acl ADFS src 192.168.228.8/32<o:p></o:p></p>
<p class="MsoNormal">acl DEVWEB src 192.168.226.6/32<o:p></o:p></p>
<p class="MsoNormal">acl UATWEB src 192.168.226.13/32<o:p></o:p></p>
<p class="MsoNormal">acl PRDWEB src 192.168.226.8/32<o:p></o:p></p>
<p class="MsoNormal">acl PRDWEB src 192.168.226.9/32<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">acl SSL_ports port 443<o:p></o:p></p>
<p class="MsoNormal">acl Safe_ports port 80 #
http<o:p></o:p></p>
<p class="MsoNormal">#acl Safe_ports port 21 #
ftp<o:p></o:p></p>
<p class="MsoNormal">acl Safe_ports port 443 #
https<o:p></o:p></p>
<p class="MsoNormal">#acl Safe_ports port 70 #
gopher<o:p></o:p></p>
<p class="MsoNormal">#acl Safe_ports port
210 # wais<o:p></o:p></p>
<p class="MsoNormal">#acl Safe_ports port
1025-65535 # unregistered ports<o:p></o:p></p>
<p class="MsoNormal">#acl Safe_ports port
280 # http-mgmt<o:p></o:p></p>
<p class="MsoNormal">#acl Safe_ports port
488 # gss-http<o:p></o:p></p>
<p class="MsoNormal">#acl Safe_ports port
591 # filemaker<o:p></o:p></p>
<p class="MsoNormal">#acl Safe_ports port
777 # multiling http<o:p></o:p></p>
<p class="MsoNormal">acl CONNECT method CONNECT<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">#<o:p></o:p></p>
<p class="MsoNormal"># Recommended minimum Access Permission
configuration:<o:p></o:p></p>
<p class="MsoNormal">#<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"># Only allow cachemgr access from localhost<o:p></o:p></p>
<p class="MsoNormal">#http_access allow localhost manager<o:p></o:p></p>
<p class="MsoNormal">#http_access deny manager<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"># Deny requests to certain unsafe ports<o:p></o:p></p>
<p class="MsoNormal">http_access deny !Safe_ports<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"># Deny CONNECT to other than secure SSL
ports<o:p></o:p></p>
<p class="MsoNormal">http_access deny CONNECT !SSL_ports<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"># We strongly recommend the following be
uncommented to protect innocent<o:p></o:p></p>
<p class="MsoNormal"># web applications running on the proxy
server who think the only<o:p></o:p></p>
<p class="MsoNormal"># one who can access services on
"localhost" is a local user<o:p></o:p></p>
<p class="MsoNormal">#http_access deny to_localhost<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">#<o:p></o:p></p>
<p class="MsoNormal"># INSERT YOUR OWN RULE(S) HERE TO ALLOW
ACCESS FROM YOUR CLIENTS<o:p></o:p></p>
<p class="MsoNormal">#<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"># Example rule allowing access from your
local networks.<o:p></o:p></p>
<p class="MsoNormal"># Adapt localnet in the ACL section to list
your (internal) IP networks<o:p></o:p></p>
<p class="MsoNormal"># from where browsing should be allowed<o:p></o:p></p>
<p class="MsoNormal">http_access allow localnet<o:p></o:p></p>
<p class="MsoNormal">http_access allow localhost<o:p></o:p></p>
<p class="MsoNormal">http_access allow WSUS<o:p></o:p></p>
<p class="MsoNormal">http_access allow ADFS<o:p></o:p></p>
<p class="MsoNormal">http_access allow BACKUP<o:p></o:p></p>
<p class="MsoNormal">http_access allow DEVWEB<o:p></o:p></p>
<p class="MsoNormal">http_access allow UATWEB<o:p></o:p></p>
<p class="MsoNormal">http_access allow PRDWEB<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"># And finally deny all other access to this
proxy<o:p></o:p></p>
<p class="MsoNormal">http_access deny all<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"># Squid normally listens to port 3128<o:p></o:p></p>
<p class="MsoNormal">http_port 3128<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"># Uncomment the line below to enable disk
caching - path format is /cygdrive/<full path to cache
folder>, i.e.<o:p></o:p></p>
<p class="MsoNormal">#cache_dir aufs /cygdrive/d/squid/cache
3000 16 256<o:p></o:p></p>
<p class="MsoNormal">cache deny all<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"># Leave coredumps in the first cache dir<o:p></o:p></p>
<p class="MsoNormal">coredump_dir /var/cache/squid<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"># Add any of your own refresh_pattern
entries above these.<o:p></o:p></p>
<p class="MsoNormal">refresh_pattern ^ftp:
1440 20% 10080<o:p></o:p></p>
<p class="MsoNormal">refresh_pattern ^gopher:
1440 0% 1440<o:p></o:p></p>
<p class="MsoNormal">refresh_pattern -i (/cgi-bin/|\?)
0 0% 0<o:p></o:p></p>
<p class="MsoNormal">refresh_pattern
. 0 20% 4320<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">dns_nameservers 208.67.222.222
208.67.220.220<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">max_filedescriptors 3200<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Does anyone see anything I am missing here?</p>
</div>
</blockquote>
Yes. In your almost default configuration (it is complete
squid.conf?) obvious thing is:<br>
<br>
a) You do not use on-disk cache.<br>
b) You use memory cache by default - i.e. 256 Mb. <br>
c) You cache nothing due to deny all cache. So, it makes useless
cache_mem default.<br>
d) Your configuration technically useless. I see neither proxying
parameters, nor caching. Your squid now only additional hop for
files. No more.<br>
<br>
So, squid nothing to do here. It simple should retransmit GET (GET?)
request to server, and, without any caching/storing, retransmit it
to user.<br>
<br>
Still correct?<br>
<br>
This put us directly to raw network IO. Without any buffering (which
can be - but don't - your squid).<br>
<br>
On your place, I can start playing around with cache_mem parameter;
of course, only after removing cache deny all.<br>
<br>
And after some experiments, may be, will make <span
class="gt-baf-word-clickable">decision</span> about drop out
useless Squid's box.<br>
<br>
Seriously, what role of squid's here? Just setup border firewall to
your servers to access it to Internet. It will be enough.<br>
<br>
<blockquote type="cite"
cite="mid:BLUPR06MB1747D5BF0659E34BFE3FE7E6EEA90@BLUPR06MB1747.namprd06.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal"><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">My access.log doesn’t really have anything
interesting in it either, it just looks like it is working
normally. I can attach that too if anyone wants to look at it
after I redact some of the hosts.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b><span
style="font-size:12.0pt;color:#0072BE">Keith Hartley<o:p></o:p></span></b></p>
<p class="MsoNormal"><i>Network Engineer II<o:p></o:p></i></p>
<p class="MsoNormal"><i>MCSE: Productivity, MCSA: Server 2008,
2012, Office 365 </i>
|<o:p></o:p></p>
<p class="MsoNormal"><i>Certified Meraki Network Associate,
Security+<o:p></o:p></i></p>
<p class="MsoNormal"><b><span style="font-size:12.0pt">Geocent,
LLC<o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span style="color:#8BC541">o:</span></b><span
style="color:#8BC541">
</span>504-405-3578<o:p></o:p></p>
<p class="MsoNormal"><b><span style="color:#8BC541">a:</span></b><span
style="color:#8BC541">
</span>2219 Lakeshore drive Ste 300, New Orleans, LA 70122<o:p></o:p></p>
<p class="MsoNormal"><b><span style="color:#8BC541">w:</span></b><span
style="color:#8BC541">
</span><a href="http://www.geocent.com/"
moz-do-not-send="true"><span style="color:#0563C1">www.geocent.com</span></a>|<b><span
style="color:#8BC541"> e:</span></b><span
style="color:#8BC541">
</span><a href="mailto:khartley@geocent.com"
moz-do-not-send="true"><span style="color:#0563C1">khartley@geocent.com</span></a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<br>
<div style="font-size:8.0pt; font-style: italic; font-weight:
bold; text-decoration: underline;">
Confidentiality Notice:</div>
<div style="font-size:6.0pt">This email communication may contain
confidential information, may be legally privileged, and is
intended only for the use of the intended recipients(s)
identified. Any unauthorized review, use, distribution,
downloading, or copying of this communication is strictly
prohibited. If you are not the intended recipient and have
received this message in error, immediately notify the sender by
reply email, delete the communication, and destroy all copies.
Thank you.</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
squid-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a>
<a class="moz-txt-link-freetext" href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
"C++ seems like a language suitable for firing other people's legs."
*****************************
* C++20 : Bug to the future *
*****************************</pre>
</body>
</html>