> Hi,
>
> Adrian though being a newbie I know about that though not perfect :D.
>
> I basically have 2.5 GHz computer with 512 MB ram. With those number
> of users hunting squid, how many DSTDOMAIN ACL are considered safe.
>
> I know I can check the process load by adding few ACL at a time. But I
> can't complain management each week to replace the CPU or memory.
>
> So I am here for the help. You guys must have hell lot of experience
> to tell me that in rough figures.

No not really a lot. dstdomain can handle a few hundred thousand rules on a modern fast server. On the 2.6GHz with just 512MB you should see no problem with a few thousand.

Expect 10,000 acl entries to take less than ~3MB of RAM and 2000-cycles processing time. Particularly if you use the per-client-subnet filtering methods Adrian mentioned (below) to speed things up even further.

Amos

>
> Regards
> Rishav Upadhaya
> Future System Administrator
> Current Support Officer
>
> On 12/5/07, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>> Adrian Chadd wrote:
>> > ACLs are evaluated short-circuit. If you have this:
>> >
>> > acl clientA src 1.2.3.0/24
>> > acl clientB src 1.2.4.0/24
>> > acl youtube (expensive regexp)
>> > acl microsoft (expensive regexp)
>> >
>> > http_access deny clientA youtube
>> > http_access deny clientB microsoft
>> >
>> > the http_access lines are evaluated in order from top to bottom, and
>> > stop being evaluated across each http_access line if one of the ACLs
>> > fails.
>> >
>> > So the expensive youtube regexp ACL will only be processed by requests
>> > from clientA.
>> > Requests from clientB won't ever hit the youtube ACL lookup.
>> >
>> > If you know how to craft ACLs then you can avoid almost all of the
>> > penalties.
>> >
>> > Adrian
>>
>> Adrian! stop encouraging the regexp-addicts. :-)
>>
>> We're trying to wean them off the unnecessary use of slow ACL remember? ;)
>>
>> Amos
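The short-circuit evaluation described in the quoted message can be modelled to count how often each ACL is actually tested per request. This is an added example, not part of the thread and not Squid's code; the regex patterns, the sample requests, the `trace` helper and the `allow` fall-through are assumptions made for the model.

```python
import ipaddress
import re
from collections import Counter

calls = Counter()  # number of times each ACL was actually tested

def src(name, cidr):
    net = ipaddress.ip_network(cidr)
    def check(req):
        calls[name] += 1
        return ipaddress.ip_address(req["client"]) in net
    return check

def url_regex(name, pattern):
    rx = re.compile(pattern, re.IGNORECASE)
    def check(req):
        calls[name] += 1
        return rx.search(req["url"]) is not None
    return check

# ACL names and subnets are from the thread; the patterns are constructed.
ACLS = {
    "clientA": src("clientA", "1.2.3.0/24"),
    "clientB": src("clientB", "1.2.4.0/24"),
    "youtube": url_regex("youtube", r"youtube\.com"),
    "microsoft": url_regex("microsoft", r"microsoft\.com"),
}
RULES = [("deny", ["clientA", "youtube"]),      # http_access deny clientA youtube
         ("deny", ["clientB", "microsoft"])]    # http_access deny clientB microsoft

def http_access(req, default="allow"):
    """Top-to-bottom, first matching line wins; default is a model assumption."""
    for action, names in RULES:
        # all() on a generator stops at the first ACL that fails
        if all(ACLS[n](req) for n in names):
            return action
    return default

def trace(client, url):
    """Return (decision, {acl: times evaluated}) for one request."""
    calls.clear()
    decision = http_access({"client": client, "url": url})
    return decision, dict(calls)

if __name__ == "__main__":
    for client in ("1.2.3.9", "1.2.4.7", "10.0.0.5"):
        print(client, trace(client, "http://www.youtube.com/watch"))
```

A client outside both subnets pays only for the two cheap `src` checks, which is why putting the `src` ACL first on each `http_access` line keeps the expensive ACLs off the common path.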