On 4/20/05, Henrik Nordstrom <hno@xxxxxxxxxxxxxxx> wrote:
>
> On Wed, 20 Apr 2005, Thien Vu wrote:
>
> > That's what I'm thinking also, but we have nearly 300 acls and a
> > similar number of http_access rules.
>
> Ok.
>
> What kinds of acls are these?
>

A portion are external_acl_type for ldap lookups for user groups. The
ldap queries themselves are fairly quick, around 200 milliseconds for
the initial lookup, but then it should hit the authentication cache from
then on. The rest are url_regex which involve urls or ports (for the
CONNECT) later defined in the http_access rules. So essentially we have
a population of users and we want to restrict what they can access
depending on what group they're in. Group membership is determined by
ldap lookups.

> > Our setup is like this. We have a machine proxy.company.com that runs
> > both a proxy and a web server. We monitor the web server by grabbing a
> > file every minute. We monitor the proxy by grabbing that same file
> > through the proxy every minute. The proxy is configured to not cache
> > any results (other than dns and authentication credentials and other
> > administrative data, but specifically not web pages). Over a day, the
> > direct requests to the web server for the file take an average of 20
> > milliseconds. On the other hand, the requests through the proxy
> > average 888 milliseconds.
>
> Sounds like a bit of an excessive difference indeed.
>
> Do you have a problem with CPU usage?
>

Never any problems with CPU usage, these are like dual P3 1.3 GHz, so
it's more than enough muscle.

> Is there any difference if you, for a test, cut down on the number of
> http_access rules?

I haven't tried this, I have gone into too much detail about how squid
manages its acls, but I'm sure this could be re-arranged to be better
for squid to process. The rules have been written such that the
url_regex acls are in one portion and the http_access is in another
portion.

We can probably do something like:

# Group 1
acl foo url_regex ^http://foo.com/bar/baz.html$
acl foo2 url_regex ^http://foo.com/foobar/fubar.html$
http_access allow group1 foo foo2
http_access deny group1
# Group2
...

> Any warnings in cache.log?

The only significant warnings were problems connecting to the ldap
server, but this is on the order of like 20 messages a day, so I
imagine most of the time it's hitting the authentication cache.

> Any swap activity on the system?

Very little swap/disk activity. I can try disabling swap though.

> Are you also using a redirector helper?

No redirector helpers.

> What authentication method scheme is used?

For the basic authentication, squid_ldap_auth. For external_acl_type,
squid_ldap_group. We were having issues with too few helpers for the
external_acl_type, but that problem has been fixed by increasing
children= to a reasonable number.

Thien
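As an added illustration of the per-group layout Thien sketches above (this is example configuration written for this page, not a config from the thread or from the Squid project), the fragment below keeps each group's url_regex acls next to that group's http_access lines and closes each block with a deny for that group, so Squid's first-match evaluation stops at the end of the requester's own block instead of walking every later group's rules. The hostnames, base DNs, helper paths, group names and URL patterns are placeholders, and the squid_ldap_auth / squid_ldap_group option spellings follow my reading of the helper man pages and should be checked against the installed Squid version.

```conf
# Example squid.conf fragment (constructed for this page, not from the thread).
# Placeholders: ldap.example.com, the dc=example,dc=com base DNs, the helper
# paths under /usr/lib/squid/, and the group and site names.

# Basic authentication against LDAP. credentialsttl keeps verified
# credentials cached so the helper is not consulted on every request.
auth_param basic program /usr/lib/squid/squid_ldap_auth -b "ou=people,dc=example,dc=com" -f "(uid=%s)" ldap.example.com
auth_param basic children 10
auth_param basic realm proxy.example.com
auth_param basic credentialsttl 2 hours
acl authenticated proxy_auth REQUIRED

# Group membership via squid_ldap_group. ttl= caches each user/group answer
# so the ~200 ms LDAP query is paid once per ttl; children= must be high
# enough that requests never queue waiting for a free helper.
external_acl_type ldap_group ttl=3600 negative_ttl=600 children=10 %LOGIN /usr/lib/squid/squid_ldap_group -b "ou=groups,dc=example,dc=com" -f "(&(cn=%g)(memberUid=%u))" ldap.example.com
acl group1 external ldap_group group1
acl group2 external ldap_group group2

acl CONNECT method CONNECT
acl SSL_ports port 443

# Force authentication before any group lookup happens; unauthenticated
# requests get the 407 challenge here and never reach the group helper.
http_access deny !authenticated

# --- Group 1 -----------------------------------------------------------
# Several patterns under one acl name are ORed; acls on one http_access
# line are ANDed. Dots in the patterns are escaped so "." is literal.
acl g1_sites url_regex ^http://foo\.com/bar/baz\.html$
acl g1_sites url_regex ^http://foo\.com/foobar/fubar\.html$
acl g1_ssl dstdomain secure.example.com
http_access allow group1 g1_sites
http_access allow group1 CONNECT SSL_ports g1_ssl
# A group1 user who matched nothing above is decided here; evaluation
# stops and none of the later groups' rules are tested for this request.
http_access deny group1

# --- Group 2 -----------------------------------------------------------
acl g2_sites url_regex ^http://example\.org/
http_access allow group2 g2_sites
http_access deny group2

# Authenticated user in no known group: fall through to the final deny.
http_access deny all
```

The ordering is what matters for latency: with the original layout (all url_regex acls in one section, all http_access lines in another) a request from a group1 user is still compared against every later line until something matches, whereas here the `deny group1` line ends evaluation at the bottom of the group1 block. The explicit `deny !authenticated` at the top also means the group helper is only ever asked about users who have already passed basic auth, and a user in no configured group is refused by the trailing `deny all` rather than falling off the end of the list.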