<!DOCTYPE html>
<html data-lt-installed="true">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body style="padding-bottom: 1px;">
<p>Hi</p>
<p>To handle this amount of traffic, should I enable
client_persistent_connections and server_persistent_connections, or
is it better to keep them disabled?</p>
<p>Best regards<br>
</p>
<div class="moz-cite-prefix">On 31/01/2022 14:52, Eliezer Croitoru
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:000901d816b2$2d21cfd0$87656f70$@gmail.com">
<div class="WordSection1">
<p class="MsoNormal">Hey Andre,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I <b>would not </b>recommend 5.x yet
since there are a couple of bugs which are blocking it from being used
as stable.<o:p></o:p></p>
<p class="MsoNormal">I believe that your current setup is pretty
good.<o:p></o:p></p>
<p class="MsoNormal">The only thing which might affect the
system is the authentication and ACLs.<o:p></o:p></p>
<p class="MsoNormal">As long as these ACL rules are static it
should not affect the operation too much; however,<br>
when adding external authentication and external helpers for
other things it’s possible to see some slowdown in specific
scenarios.<o:p></o:p></p>
<p class="MsoNormal">As long as the credentials and the ACLs
are fast enough it is expected to work fast, but only
testing will prove how real-world usage<br>
will affect the service.<o:p></o:p></p>
<p class="MsoNormal">I believe that 5 workers is enough, and also
take into account that the external helpers would also require
CPU, so don’t rush into<br>
changing the number of workers just yet.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">All The Bests,<o:p></o:p></p>
<p class="MsoNormal">Eliezer<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">----<o:p></o:p></p>
<p class="MsoNormal">Eliezer Croitoru<o:p></o:p></p>
<p class="MsoNormal">NgTech, Tech Support<o:p></o:p></p>
<p class="MsoNormal">Mobile: +972-5-28704261<o:p></o:p></p>
<p class="MsoNormal">Email: <a
href="mailto:ngtech1ltd@gmail.com" moz-do-not-send="true"
class="moz-txt-link-freetext">ngtech1ltd@gmail.com</a><o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div
style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> André Bolinhas
<a class="moz-txt-link-rfc2396E" href="mailto:andre.bolinhas@articatech.com">&lt;andre.bolinhas@articatech.com&gt;</a> <br>
<b>Sent:</b> Monday, January 31, 2022 15:47<br>
<b>To:</b> 'NgTech LTD' <a class="moz-txt-link-rfc2396E" href="mailto:ngtech1ltd@gmail.com">&lt;ngtech1ltd@gmail.com&gt;</a><br>
<b>Cc:</b> 'Squid Users'
<a class="moz-txt-link-rfc2396E" href="mailto:squid-users@lists.squid-cache.org">&lt;squid-users@lists.squid-cache.org&gt;</a><br>
<b>Subject:</b> RE: [squid-users] Tune Squid proxy to
handle 90k connection<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span lang="PT">Hi<o:p></o:p></span></p>
<p class="MsoNormal">I will not use cache in this project.<o:p></o:p></p>
<p class="MsoNormal">Yes, I will need<o:p></o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l3 level1 lfo3">ACL (based
on Domain, AD user, Headers, User Agent…)<o:p></o:p></li>
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l3 level1 lfo3">Authentication<o:p></o:p></li>
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l3 level1 lfo3">SSL bump
just for one domain.<o:p></o:p></li>
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l3 level1 lfo3">DNS
resolution (I will use Unbound DNS service for this)<o:p></o:p></li>
</ul>
<p class="MsoListParagraph"><o:p> </o:p></p>
<p class="MsoNormal">Also, I will divide the traffic between two
Squid boxes instead of just one.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">So each box will handle around 50k requests.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Each box has:<o:p></o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l1 level1 lfo6">CPU(s) 16<o:p></o:p></li>
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l1 level1 lfo6">Threads per
core 2<o:p></o:p></li>
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l1 level1 lfo6">Cores per
socket 8<o:p></o:p></li>
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l1 level1 lfo6">Sockets 1<o:p></o:p></li>
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l1 level1 lfo6">Intel Xeon
Silver 4208 @ 2.10GHz<o:p></o:p></li>
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l1 level1 lfo6">96GB RAM<o:p></o:p></li>
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l1 level1 lfo6"><span
lang="PT">1TB raid-0 SSD</span><o:p></o:p></li>
</ul>
<p class="MsoListParagraph"><o:p> </o:p></p>
<p class="MsoNormal">At this time I have 5 workers on each Squid
box and the Squid version is 4.17, do you recommend more
workers or upgrade the squid version to 5?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Best regards<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div
style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span lang="PT">From:</span></b><span
lang="PT"> NgTech LTD &lt;<a
href="mailto:ngtech1ltd@gmail.com"
moz-do-not-send="true" class="moz-txt-link-freetext">ngtech1ltd@gmail.com</a>&gt;
<br>
<b>Sent:</b> 31 January 2022 04:59<br>
<b>To:</b> André Bolinhas &lt;<a
href="mailto:andre.bolinhas@articatech.com"
moz-do-not-send="true" class="moz-txt-link-freetext">andre.bolinhas@articatech.com</a>&gt;<br>
<b>Cc:</b> Squid Users &lt;<a
href="mailto:squid-users@lists.squid-cache.org"
moz-do-not-send="true" class="moz-txt-link-freetext">squid-users@lists.squid-cache.org</a>&gt;<br>
<b>Subject:</b> Re: [squid-users] Tune Squid proxy to
handle 90k connection<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span lang="PT"><o:p> </o:p></span></p>
<div>
<div>
<p class="MsoNormal"><span lang="PT">I would recommend you
to start with 0 caching.<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span lang="PT">However, for choosing
the right solution you must give more details.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="PT">For example there is
IBM research that proved that for about 90k
connections you can use VMs on top of such hardware
with apache web server.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="PT">If you do have a
set of other requirements from the proxy, other than
the 90k requests, it would be wise to mention them.<o:p></o:p></span></p>
</div>
</div>
<div>
<p class="MsoNormal"><span lang="PT"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="PT">Do you need any
specific acls?<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="PT">Do you need
authentication?<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="PT">etc..<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="PT"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="PT">For a simple forward
proxy I would suggest to use a simpler solution and if
possible to not log anything as a starter point.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="PT">Any local disk i/o will
slow down the machine.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="PT"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="PT">About the url
categorization, I do not have experience with ufdbguard
on such scale but it would be pretty heavy for any
software to handle 90k rps...<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="PT"> It's doable to
implement such setup but will require testing.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="PT">Will you use ssl bump
in this setup?<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="PT"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="PT">If I have all the
technical and specs/requirements details I might be able
to suggest better than now.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="PT">Take into account that
each squid worker can handle about 3k rps tops (in my
experience) and it's a juggling between two sides so...
3k is really 3k+3k+external_acls+dns...<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="PT"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="PT">I believe that in this
case an example of configuration from the squid
developers might be useful.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="PT"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="PT">Eliezer<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="PT"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="PT"><o:p> </o:p></span></p>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="PT">On Tue, 25 Jan 2022, 18:42, André Bolinhas &lt;<a
href="mailto:andre.bolinhas@articatech.com"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">andre.bolinhas@articatech.com</a>&gt; wrote:<o:p></o:p></span></p>
</div>
<blockquote
style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<p class="MsoNormal"><span lang="PT">Any tip about my last
comment?<br>
<br>
-----Original Message-----<br>
From: André Bolinhas &lt;<a
href="mailto:andre.bolinhas@articatech.com"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">andre.bolinhas@articatech.com</a>&gt;
<br>
Sent: 21 January 2022 16:36<br>
To: 'Amos Jeffries' &lt;<a
href="mailto:squid3@treenet.co.nz" target="_blank"
moz-do-not-send="true" class="moz-txt-link-freetext">squid3@treenet.co.nz</a>&gt;;
<a href="mailto:squid-users@lists.squid-cache.org"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">squid-users@lists.squid-cache.org</a><br>
Subject: RE: [squid-users] Tune Squid proxy to handle
90k connection<br>
<br>
Thanks Amos<br>
Yes, you are right, I will put a second box with
HaProxy in front to balance the traffic.<br>
About the sockets, I can't double it because it is a
physical machine. Do you think disabling hyperthreading
in the BIOS will help, because we have other services
inside the box that work in multi-threading, like
unbound DNS?<br>
<br>
Just a few more questions:<br>
1º The server has 92Gb of RAM, do you think that it is
needed, that adding swap will help squid performance?<br>
2º Right now we are using squid 4.17, do you recommend
upgrading or downgrading to any specific version?<br>
3º We need categorization; for this we are using an
external helper to achieve it. Do you recommend using
this approach with ACL or moving to some kind of
ufdbguard service?<br>
<br>
Best regards<br>
-----Original Message-----<br>
From: squid-users &lt;<a
href="mailto:squid-users-bounces@lists.squid-cache.org" target="_blank"
moz-do-not-send="true" class="moz-txt-link-freetext">squid-users-bounces@lists.squid-cache.org</a>&gt;
On Behalf Of Amos Jeffries<br>
Sent: 21 January 2022 16:05<br>
To: <a
href="mailto:squid-users@lists.squid-cache.org"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">squid-users@lists.squid-cache.org</a><br>
Subject: Re: [squid-users] Tune Squid proxy to handle
90k connection<br>
<br>
Sorry for the slow reply. Responses inline.<br>
<br>
<br>
On 14/01/22 05:44, André Bolinhas wrote:<br>
> Hi<br>
> ~80k request per second 10k users<br>
<br>
<br>
Test this, but you may need a second machine to
achieve the full 80k RPS.<br>
<br>
Latest Squid does not have any detailed analysis, but
older Squid-3.5 was only achieving &gt;15k RPS under
lab conditions, more likely expect under 10k
RPS/worker on real traffic.<br>
That means (IME) this machine is quite likely to hit
its capacity somewhere under 70k RPS.<br>
<br>
<br>
> CPU info:<br>
> CPU(s) 16<br>
> Threads per core 2<br>
> Cores per socket 8<br>
<br>
With this CPU you will be able to run 7 workers. Set up
affinity of one core per worker (the "kidN" processes
of Squid). Leaving one core to the OS and additional
processing needs - this matters at peak loading.<br>
<br>
CPU "threads" tend not to be useful for Squid. Under
high loads Squid workers will consume all available
cycles on their core, not leaving any for the fancy
"thread" core sharing features to pretend there is
another core available. YMMV. One of the tests to try
when tuning is to turn off the CPU hyperthreading and
see what effect it has (if any).<br>
<br>
<br>
> Sockets 1<br>
> Intel Xeon Silver 4208 @ 2.10GHz<br>
><br>
<br>
Okay. Doable, but for best performance you want as
high GHz rating on the cores as your budget can
afford. The amount of "lag" Squid adds to traffic and
RPS performance/parallelism directly correlates with
how fast the CPU core can run cycles.<br>
<br>
<br>
<br>
HTH<br>
Amos<br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">squid-users@lists.squid-cache.org</a><br>
<a
href="http://lists.squid-cache.org/listinfo/squid-users" target="_blank"
moz-do-not-send="true" class="moz-txt-link-freetext">http://lists.squid-cache.org/listinfo/squid-users</a><br>
<o:p></o:p></span></p>
</blockquote>
</div>
</div>
</div>
</blockquote>
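<p>The worker count and one-core-per-worker affinity that Amos describes in the quoted reply, together with the no-cache and no-logging starting point Eliezer suggests, written out as a squid.conf sketch. This is an added example, not configuration posted by anyone in the thread; the core numbers are assumptions and must be matched to the machine's real topology (for example from lscpu) so that each worker sits on its own physical core.</p>
<pre>
```conf
# Added example, not from the thread. Directive names are Squid's own;
# the values follow the advice quoted above.

# 8 physical cores: up to 7 workers, leaving one core to the OS and
# other processing. Eliezer's reply keeps the current 5 workers when
# external helpers also need CPU on the same box.
workers 7

# Pin worker processes kid1..kid7 to one core each.
# cpu_affinity_map core numbers start at 1.
# ASSUMPTION: logical CPUs 2-8 are distinct physical cores here, not
# hyperthread siblings of each other; verify before using these values.
cpu_affinity_map process_numbers=1,2,3,4,5,6,7 cores=2,3,4,5,6,7,8

# "I will not use cache in this project."
cache deny all

# Starting point for load tests: no access log, to avoid local disk I/O.
access_log none
```
</pre>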
</body>
</html>