
Re: Browsing slow after adding squid proxy.


On Wed, 20 Jul 2011 09:13:34 +1200, Gregory Machin wrote:
Hi.
Been a long time since I last looked at a squid proxy. After adding a
proxy to the network, browsing seems to have slowed considerably. I
have built a squid proxy; this is configured into the network via
our Sonicwall using the proxy feature. When I looked into the
configuration I did a few optimizations based on what I found on a
couple of websites. Although I opted not to tweak the OS more than
increasing the ulimit, as I would not expect it to be required given the
hardware. It is running out of an SSD drive.

When I run top the box is idle for the most part. There are about 100
users on this site.

So my question is what may I have configured incorrectly or missed
that would help?


Two things in general to be aware of.

* Careful with SSD. Squid is a mostly-write software, SSD work best with mostly-read. So SSD lifetime and speed is reduced from the well advertised specs. That said, they can still improve caching HIT speeds.

* Browsers will default to reducing their utilized connection count by 99% when working through a proxy. This can make things appear much slower than normal given modern website tendency to require dozens or hundreds of objects at once for a simple page load.

* ensure that no memory swapping is occurring. This will take a major bite out of squid performance.


The hardware is:

4 Gig Ram
Intel(R) Xeon(R) CPU           E3110  @ 3.00GHz (dual core)
hard disk  is SSD 32 GB

The / file system is ext3
The /var system is ext4 (cache is /var/spool/squid).

The OS is Linux Ubuntu 10 LTS

The squid configuration file looks like:

<snip>
http_access deny manager
http_access allow purge localhost
http_access deny purge

If you don't actually need the "purge" ACL remove it. There is a lot of background CPU and RAM needed to support it.

http_access deny !Safe_ports
http_access allow CONNECT

PROBLEM: global unlimited tunnelling. http://wiki.squid-cache.org/SquidFaq/SecurityPitfalls

"allow localnet" below will already allow HTTPS traffic if it is not blocked by the SSL_Ports safety net.

If there actually are non-HTTPS ports to which you require https:// access add them to the SSL_Ports definition as well as the Safe_Ports one. I see you have already done this for several, although 563 is missing from Safe_Ports.

http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
<snip>
memory_pools off

NOTE: memory optimization for squid usage patterns: DISABLED. This may be needed in some 64-bit systems with broken memory handling. If yours is not one of those, re-enable this.


That is it for general stuff. You will need to dig a bit deeper and find out what specifically are the slowest things going on.

Amos
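
Added example (not part of the original message or of Squid itself): a small first-match evaluator for the http_access lines quoted above, showing what the "allow CONNECT" line lets through and what changes once it is removed. The ACL contents, the request fields and the `decide` helper are assumptions made for illustration, since the post snipped the real ACL definitions.

```python
# Added example: first-match evaluation of Squid http_access rules.
# ACL contents below are constructed; the post snipped the real definitions.
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777}  # plus 1025-65535
SSL_PORTS = {443, 563}

POSTED = """\
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access allow CONNECT
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
"""
# The reply's advice: drop the global "allow CONNECT" line.
FIXED = POSTED.replace("http_access allow CONNECT\n", "")

def acl_matches(name, req):
    """Evaluate one ACL name (optionally negated with '!') against a request."""
    negate = name.startswith("!")
    result = {
        "all": True,
        "manager": req.get("manager", False),
        "purge": req["method"] == "PURGE",
        "CONNECT": req["method"] == "CONNECT",
        "localhost": req["src"] == "localhost",
        "localnet": req["src"] == "localnet",
        "Safe_ports": req["port"] in SAFE_PORTS or req["port"] >= 1025,
        "SSL_ports": req["port"] in SSL_PORTS,
    }[name.lstrip("!")]
    return result != negate

def decide(config, req):
    """Return (action, matching_line); the first line whose ACLs all match wins."""
    action = None
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "http_access":
            continue
        action, acls = parts[1], parts[2:]
        if all(acl_matches(a, req) for a in acls):
            return action, line
    # No line matched: Squid applies the opposite of the last line's action.
    return ("allow" if action == "deny" else "deny"), None
```

With these constructed ACLs, a CONNECT to port 563 from localnet is still denied by the `!Safe_ports` line, which is the mismatch between SSL_Ports and Safe_Ports that the reply points out.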

