[squid-users] Tune Squid proxy to handle 90k connection

Amos Jeffries squid3 at treenet.co.nz
Thu May 16 19:53:18 UTC 2024


On 17/05/24 02:23, Bolinhas André wrote:
> Hi Alex
> As I explained, by default I set those directives to off to avoid high 
> CPU consumption.


Ah, actually with NTLM auth you are using *more* CPU per transaction 
with those turned off.

The thing is that auth takes a relatively long time to happen, so the 
transactions are slower, hiding the fact that they are, in total, using 
more CPU and TCP networking resources.



> My doubt is whether enabling persistent connections will help Squid to 
> process the requests more efficiently and gain more performance or not.
> 

With persistent connections disabled, every client request must:

  1) wait for a TCP socket to become free for use
  2) perform a full SYN / SYN+ACK exchange to open it for use
  3) perform an NTLM challenge-response over HTTP
  4) wait for a second TCP socket to become free for use
  5) perform a full SYN / SYN+ACK exchange to open it for use
  6) perform the actual HTTP NTLM authenticated transaction.

Then
  7) locate a server that can be used
  8) wait for a TCP socket to become free for use
  9) perform a full SYN / SYN+ACK exchange to open it for use
  10) send the request on to the found server


That is a LOT of time, CPU, and networking.


With persistent connections enabled, only the first request looks like 
above. The second, third etc look like below:


  11) perform the HTTP NTLM authenticated transaction.

Then
  12) locate a server that can be used
  13) send the request on to the found server


  14) perform the HTTP NTLM authenticated transaction.

Then
  15) locate a server that can be used
  16) send the request on to the found server


That is MUCH better for performance.


HTH
Amos

