[squid-users] Slow Squid
Amos Jeffries
squid3 at treenet.co.nz
Wed Dec 9 01:56:23 UTC 2015
On 9/12/2015 1:50 p.m., Patrick Flaherty wrote:
> Hi,
>
>
>
> My Squid Server is much slower to go through than direct access to the
> internet. I would expect it to be slower but not dramatically slower. Any
> tips to speed it up? It's only used to access 8 whitelisted domains. I am
> not using the disk based cache as it's only 8 sites total we hit. See my
> squid config below and please offer any suggestions.
>
What Squid version are you using?
And what are the values for "slower"?
>
> # acl and http_access to ("whitelist.txt")
>
> acl whitelist dstdomain "c:/squid/etc/squid/whitelist.txt"
[ I'm not sure if this following applies to the Cygwin builds. It may
not, but since the FD limit is actually coming from the Windows kernel
itself it might anyway. ]
On Windows the proxy faces an absolute OS limit of 2048 FD that are
available per-process group.
Since each transaction/request uses 2-3 FD that means Squid on Windows
can service no more than ~1,000 RPS regardless of CPU capacity. Keeping
in mind modern browsers open 6 connections to a proxy, that means
160-200 concurrent visitors.
By comparison non-Windows proxies can reach ~20,000 RPS with up to 10K
concurrent visitors. So "slow" is par for the course on Windows (if you
have a lot of users).
>
> http_access allow whitelist
>
At this point, anybody from anywhere (the whole Internet) who can access
the proxy is allowed to fetch anything from the whitelisted
servers/domains through it. No other limits on those servers.
>
>
> # network source of proxy traffic
>
> acl localnet src all
>
So you are defining the entire Internet as being your LAN.
All the security controls, both those configured in your squid.conf
*and* any default built-in Squid settings that restrict access to the
LAN will now be wide open to any external visitor.
>
> # acl directives for ports and protocols
>
> acl http proto http
>
> acl https proto https
>
> acl port_80 port 80
>
> acl sslports port 443
>
> acl CONNECT method CONNECT
>
>
>
> # localhost proxy access
>
> acl localhost src 127.0.0.1/32
>
> http_access allow localhost
>
You now have unlimited access to any of the whitelisted domains (from
earlier) *or* to anywhere at all when coming from localhost.
Note that this is *extending* the built-in definition of localhost ACL
(if you have a current Squid) which already includes the entire 127/8
and ::1 network ranges.
>
> # rules allowing proxy access
>
> http_access allow http port_80 whitelist localnet
>
> http_access allow https sslports whitelist localnet
>
These ACLs do nothing but waste CPU. All requests for whitelist domains
are permitted earlier without the protocol and port restrictions.
>
>
> # dns servers (Change dns_nameservers to client dns servers for consistency
> and better performance)
>
> dns_nameservers 172.16.50.1 172.16.50.9
>
>
>
> # cache web pages directory
>
> #cache_dir ufs C:/Squid/var/cache/squid 100 16 256
>
> cache_mem 64 MB
>
There are two implications from this 64MB of RAM cache.
Firstly, memory cache is the primary source of traffic acceleration for
Squid. Having only a small amount limits how much acceleration Squid can
do when the proxy is under load.
If the machine the proxy is running on is an embedded device or minimal
VM so limited that it can only spare 64MB of RAM for caching, then it is
likely that the available CPU is also constrained and that processor
limit may be the direct cause of the proxy being slow.
>
>
> # log file roll weekly
>
> logfile_rotate 7
>
NP: most systems default to daily for this AFAIK. If the logs get very
big then the filesystem can cause slowdown appending to them. I'm not
sure if that is relevant for your case, but worth checking.
>
> # access log rules
>
> logformat squid %tl %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
>
Do not redefine a built-in log format. Either use the built-in
definition, or make your custom one have a different name.
Amos
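A small model of how Squid walks its http_access lines, added here as an example (not Amos's code and not Squid's own source), to show the two access-control points raised above: the posted order lets any client reach the whitelisted domains, and a `deny !localnet` placed before the first allow closes that gap. The whitelist contents, the 172.16.50.0/24 LAN range and the 203.0.113.5 client address are constructed, and only the `src` and `dstdomain` ACL types are modelled.

```python
import ipaddress
# Constructed stand-in for the contents of "c:/squid/etc/squid/whitelist.txt" (not on the page).
WHITELIST = " ".join([".example.com", ".example.net"])

# Rule order as posted in the thread (only the src/dstdomain rules that decide access).
POSTED = f"""
acl whitelist dstdomain {WHITELIST}
http_access allow whitelist
acl localnet src all
acl localhost src 127.0.0.1/32
http_access allow localhost
"""

# Hardened order (added example): name the real LAN and reject outsiders before any allow.
# 172.16.50.0/24 is a constructed range chosen to sit beside the dns_nameservers in the post.
HARDENED = f"""
acl whitelist dstdomain {WHITELIST}
acl localnet src 172.16.50.0/24
acl localhost src 127.0.0.1/32
http_access allow localhost
http_access deny !localnet
http_access allow whitelist
http_access deny all
"""

def parse(conf):
    # Collect "acl NAME TYPE values..." and "http_access allow|deny terms..."; 'all' is built in.
    acls, rules = {"all": ("src", ["all"])}, []
    for tok in (line.split() for line in conf.splitlines()):
        if tok[:1] == ["acl"]:
            acls.setdefault(tok[1], (tok[2], []))[1].extend(tok[3:])
        elif tok[:1] == ["http_access"]:
            rules.append((tok[1], tok[2:]))
    return acls, rules

def acl_hit(kind, values, req):
    # Only the two ACL types used above are modelled.
    if kind == "src":
        return any(v == "all" or ipaddress.ip_address(req["src"]) in ipaddress.ip_network(v) for v in values)
    if kind == "dstdomain":  # a leading dot matches the domain and all its subdomains
        return any(req["host"] == v.lstrip(".") or v[0] == "." and req["host"].endswith(v) for v in values)
    raise ValueError(f"unsupported acl type {kind}")

def decide(conf, req):
    # First http_access line whose terms all match wins ('!' negates); no match -> opposite of last line.
    acls, rules = parse(conf)
    for action, terms in rules:
        if all(acl_hit(*acls[t.lstrip("!")], req) != t.startswith("!") for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"
```

`decide(POSTED, {"src": "203.0.113.5", "host": "www.example.com"})` returns "allow", while the same request against `HARDENED` returns "deny" and a LAN client at 172.16.50.20 is still allowed to the whitelisted domains.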