Search squid archive

Re: Slow Internet with squid

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 7/20/2011 9:12 PM, Amos Jeffries wrote:
On Wed, 20 Jul 2011 11:12:04 -0400, Wilson Hernandez wrote:
Hello.

I am puzzled to see how my bandwidth is used when running squid. I have
a total of 25M/3M of bandwidth, lately I've noticed with iptraf that my
external interface traffic/bandwidth is almost maxed out at 24.8M and my
internal interface (squid) is only at 2.9M as a result most clients have
been calling saying "their internet is slow".

I'm wondering why that big of a difference on the interfaces' traffic.

This is what cachemgr shows:

Squid Object Cache: Version 3.1.14

Start Time:    Fri, 15 Jul 2011 08:01:48 GMT
Current Time:    Wed, 20 Jul 2011 14:39:02 GMT


Connection information for squid:
Number of clients accessing cache:    113
Number of HTTP requests received:    5198204
Number of ICP messages received:    0
Number of ICP messages sent:    0
Number of queued ICP replies:    0
Number of HTCP messages received:    0
Number of HTCP messages sent:    0
Request failure ratio:     0.00
Average HTTP requests per minute since start:    684.2
Average ICP messages per minute since start:    0.0
Select loop called: 479758718 times, 0.950 ms avg
Cache information for squid:
Hits as % of all requests:    5min: 23.2%, 60min: 19.4%
Hits as % of bytes sent:    5min: -219.3%, 60min: -314.7%
Memory hits as % of hit requests:    5min: 13.2%, 60min: 9.5%
Disk hits as % of hit requests:    5min: 64.6%, 60min: 62.5%
Storage Swap size:    66028580 KB
Storage Swap capacity:    64.5% used, 35.5% free
Storage Mem size:    1042556 KB
Storage Mem capacity:    100.0% used,  0.0% free
Mean Object Size:    23.52 KB
Requests given to unlinkd:    0
Median Service Times (seconds)  5 min    60 min:
HTTP Requests (All):   0.12106  0.02069
Cache Misses:          0.24524  0.30459
Cache Hits:            0.05046  0.02899
Near Hits:             0.17711  0.22004
Not-Modified Replies:  0.00307  0.00091
DNS Lookups:           0.31806  0.17048

DNS is very slow as well. Probably due to remote queries over this full link.


Please help me understand why this is happening and if there is a
solution to make squid perform better.

Squid "optimizes web delivery" as the slogan goes. So when the server side is acting very inefficiently it can consume more than the client side. Could be any of these or a few other things I'm not aware of:

1) client requests an object. Squid has it cached, but server is requiring 'must-revalidate'. While revalidating the server forces an entire new object back at squid, along with a timestamp stating it has not changed. Squid only sends the small no-change reply to the client.

2a) client requests a small range of an object. Squid passes this on. Server replies with again, forcing an entire new object back at squid. Squid only sends the small range asked for to the client.

2b) client requests a small range of an object. Squid passes this on but requests the full object (refresh_offset_limit). Server replies with the whole object. Squid stores it and only sends the small range asked for to the client.

3) client requests info about an object (HEAD). Squid relays this request on. Server replies, forcing an entire new object back at squid. Squid only sends the small header asked for to the client.

4) client requests an object, then abandons it before receiving the reply. Squid continues to wait and receive it, in hopes that it can be stored. If not storable it may be discarded and the cycle repeat. Or it could be stored but never again requested. This behaviour is modified by the quick_abort_* directives.


Or it could be you configured an open proxy. Configuration problems can allow external access to external sites. When discovered attackers can use this and consume all your external bandwidth. Usually its caused by mistakenly removing or bypassing the controls on CONNECT tunnels. Though it can also happen on other requests.

Amos
Amos.

Thanks for replying. Now, you have left me confused and in doubt. I don't know if my actual configuration is ok or not. I will post it here so, you can take a look and let me know where or what I'm doing wrong. Thanks again.

squid.conf:
# Port Squid listens on
http_port 172.16.0.1:3128 intercept disable-pmtu-discovery=off

error_default_language es-do

# Access-lists (ACLs) will permit or deny hosts to access the proxy
acl lan-access src 172.16.0.0/16
acl localhost src 127.0.0.1
acl localnet src 172.16.0.0/16
acl proxy src 172.16.0.1
acl clientes_registrados src "/etc/msd/ipAllowed"

acl adstoblock dstdomain "/etc/squid/blockAds"

acl CONNECT method CONNECT


#---- Do not cache these

#acl special_domains dstdomain .facebook.com .fbcdn.net .verisign.com .mail.yahoo.com
#cache deny special_domains

#-----------------------

http_access allow proxy
http_access allow localhost

#---- Block some sites

acl blockanalysis01     dstdomain .scorecardresearch.com clkads.com
acl blockads01 dstdomain .rad.msn.com ads1.msn.com ads2.msn.com ads3.msn.com ads4.msn.com acl blockads02 dstdomain .adserver.yahoo.com pagead2.googlesyndication.com ad.yieldmanager.com acl blockads03 dstdomain .doubleclick.net .fastclick.net .googleadservices.com
acl blockads04        dstdomain .ero-advertising.com .adsomega.com
acl blockads05 dstdomain .adyieldmanager.com .yieldmanager.com .adyieldmanager.net .yieldmanager.net acl blockads06 dstdomain .e-planning.net .super-publicidad.com .super-publicidad.net acl blockads07 dstdomain .adbrite.com .contextweb.com .adbasket.net .clicktale.net acl blockads08 dstdomain .adserver.com .adv-adserver.com .zerobypass.info .zerobypass.com acl blockads09 dstdomain ads.ak.facebook.com .pubmatic.com .baynote.net .publicbt.com

http_access deny blockanalysis01
http_access deny blockads01
http_access deny blockads02
http_access deny blockads03
http_access deny blockads04
http_access deny blockads05
http_access deny blockads06
http_access deny blockads07
http_access deny blockads08
http_access deny blockads09

http_access deny adstoblock

acl bank dstdomain .popularenlinea.com .bpd.com.do .google.com .google.com.do
acl ourPublicServer    dst 190.80.159.7

http_access allow bank
http_access allow ourPublicServer


#acl block url_regex "/etc/squid/sitesblocked"

#http_access deny block

#---- End block sites


# Access rule
#http_access allow clientes_registrados

acl manager proto cache_object
# replace 10.0.0.1 with your webserver IP
acl webserver src 172.16.0.1
http_access allow manager webserver
http_access deny manager

########################## Delay pools ####################


# Replace the network below with your own
# Define 1 delay pool, class 2
#delay_pools 1
#delay_class 1 3
# Manage traffic from our network with the delay pool
#delay_access 1 allow clientes_registrados
#delay_access 1 deny all
# Values are in bytes, to get kbps multiply by 8
#delay_parameters 1 1250000/1250000 1000000/1000000 64000/64000

############################################################


# Block Malware Section
# File which contains the list
# acl malware_block_list url_regex -i "/etc/squid/malware_block_list.txt"
# Access Denied
# http_access deny malware_block_list
# Redirect message - (You can make your own)
# deny_info http://malware.hiperlinks.com.br/denied.shtml malware_block_list


# Also videos are LARGE; make sure you aren't killing them as 'too big to save' # - squid defaults to 4MB, which is too small for videos and even some sound files
maximum_object_size 32500 KB

maximum_object_size_in_memory  15625 KB

minimum_object_size 0 KB

cache_mem 1024 MB

#access_log /var2/squid/access.log
access_log none
cache_log /var2/squid/cache.log
cache_store_log none

#cache_dir ufs /var/log/squid/cache 5000 16 256
#cache_dir ufs /var/log/squid/cache 40000 255 255
#cache_dir aufs /var/log/squid/cache 140000 64 255
cache_dir aufs /var2/squid/cache 100000 64 255

#cache_dir aufs /squidtest 5000 16 16

htcp_port 0
icp_port 0
ignore_unknown_nameservers on

cache_swap_low 97
cache_swap_high 99

max_open_disk_fds 0

# httpd_suppress_version_string


#hierarchy_stoplist cgi-bin ?
#acl QUERY urlpath_regex cgi-bin \?
#cache deny QUERY

#acl GOOGLEVIDEO urlpath_regex /videoplayback\?id= /get_video\?origin=
#cache deny GOOGLEVIDEO

#acl YOUTUBE urlpath_regex /get_video\?video_id=
#cache deny YOUTUBE

#acl CACHE_HOST_IP dst 172.16.0.1
#cache deny CACHE_HOST_IP

memory_replacement_policy heap LRU

###### ecap gzip section ######

#ecap_enable on

#ecap_service gzip_service respmod_precache 0 ecap://www.vigos.com/ecap_gzip
#loadable_modules /usr/local/lib/ecap_adapter_gzip.so
#acl GZIP_HTTP_STATUS http_status 200
#adaptation_access gzip_service allow GZIP_HTTP_STATUS

################################

###### Newer VideoCache ######
# --BEGIN-- videocache config for squid
#url_rewrite_program /usr/bin/python /usr/share/videocache/videocache.py
#url_rewrite_program /usr/bin/python2.5 /usr/local/videocache/videocache.py
#url_rewrite_program /usr/local/adzap/scripts/zapchain "/usr/bin/python /usr/share/videocache/videocache.py" "/usr/bin/php /usr/local/thundercache/loader.php" url_rewrite_program /usr/local/bin/zapchain "/usr/bin/python /usr/share/videocache/videocache.py" "/usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf"

#url_rewrite_program /usr/local/bin/wrapzap

url_rewrite_children 10

acl videocache_allow_url url_regex -i \.youtube\.com\/get_video\?
acl videocache_allow_url url_regex -i \.youtube\.com\/videoplayback \.youtube\.com\/videoplay \.youtube\.com\/get_video\? acl videocache_allow_url url_regex -i \.youtube\.[a-z][a-z]\/videoplayback \.youtube\.[a-z][a-z]\/videoplay \.youtube\.[a-z][a-z]\/get_video\? acl videocache_allow_url url_regex -i \.googlevideo\.com\/videoplayback \.googlevideo\.com\/videoplay \.googlevideo\.com\/get_video\? acl videocache_allow_url url_regex -i \.google\.com\/videoplayback \.google\.com\/videoplay \.google\.com\/get_video\? acl videocache_allow_url url_regex -i \.google\.[a-z][a-z]\/videoplayback \.google\.[a-z][a-z]\/videoplay \.google\.[a-z][a-z]\/get_video\? acl videocache_allow_url url_regex -i (25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/videoplayback\? acl videocache_allow_url url_regex -i (25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/videoplay\? acl videocache_allow_url url_regex -i (25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/get_video\? acl videocache_allow_url url_regex -i proxy[a-z0-9\-][a-z0-9][a-z0-9][a-z0-9]?\.dailymotion\.com\/
acl videocache_allow_url url_regex -i vid\.akm\.dailymotion\.com\/
acl videocache_allow_url url_regex -i [a-z0-9][0-9a-z][0-9a-z]?[0-9a-z]?[0-9a-z]?\.xtube\.com\/(.*)flv
acl videocache_allow_url url_regex -i bitcast\.vimeo\.com\/vimeo\/videos\/
acl videocache_allow_url url_regex -i va\.wrzuta\.pl\/wa[0-9][0-9][0-9][0-9]?
acl videocache_allow_url url_regex -i \.files\.youporn\.com\/(.*)\/flv\/
acl videocache_allow_url url_regex -i \.msn\.com\.edgesuite\.net\/(.*)\.flv
acl videocache_allow_url url_regex -i media[a-z0-9]?[a-z0-9]?[a-z0-9]?\.tube8\.com\/ mobile[a-z0-9]?[a-z0-9]?[a-z0-9]?\.tube8\.com\/
acl videocache_allow_url url_regex -i \.mais\.uol\.com\.br\/(.*)\.flv
acl videocache_allow_url url_regex -i \.video[a-z0-9]?[a-z0-9]?\.blip\.tv\/(.*)\.(flv|avi|mov|mp3|m4v|mp4|wmv|rm|ram)
acl videocache_allow_url url_regex -i video\.break\.com\/(.*)\.(flv|mp4)
acl videocache_allow_dom dstdomain .mccont.com .metacafe.com .redtube.com .cdn.dailymotion.com
url_rewrite_access allow videocache_allow_url
url_rewrite_access allow videocache_allow_dom
url_rewrite_access allow all
redirector_bypass on

# --END-- videocache config for squid

#---------------------------------
# --- Windows Update


acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain www.download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com
acl windowsupdate dstdomain sls.microsoft.com
acl windowsupdate dstdomain productactivation.one.microsoft.com
acl windowsupdate dstdomain ntservicepack.microsoft.com
acl windowsupdate dstdomain .go.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com/windowsupdate/v7/default.aspx
acl windowsupdate dstdomain .download.microsoft.com
acl windowsupdate dstdomain activex.microsoft.com
acl windowsupdate dstdomain codecs.microsoft.com
acl windowsupdate dstdomain urs.microsoft.com

acl wuCONNECT dstdomain www.update.microsoft.com
acl wuCONNECT dstdomain sls.microsoft.com

http_access allow CONNECT wuCONNECT localnet
http_access allow windowsupdate localnet

# --- Windows update ends -----------------------------

# ------ Test AntiVirus Caching --------------
acl avast_allow_url url_regex -i \.vpu
acl avast_allow_url url_regex -i \.vpx

url_rewrite_access allow avast_allow_url

acl avast    dstdomain avast.com
http_access allow CONNECT localnet
http_access allow avast localnet


#---------------------------------

#url_rewrite_children 10
#acl store_rewrite_list url_regex -i "/etc/thundercache/thunder.lst"
#url_rewrite_access allow store_rewrite_list
#url_rewrite_access deny all
#url_rewrite_program /usr/local/thundercache/loader.php

#---------------------------------

#===================================================================#
#Redirecionamento Thunder 3.x - REGEx
#===================================================================#
#acl thunder_lst url_regex -i "/etc/thundercache/thunder.lst"
#cache deny thunder_lst
#cache_peer 172.16.0.1 parent 8000 0 proxy-only no-digest
#dead_peer_timeout 2 seconds
#cache_peer_access 172.16.0.1 allow thunder_lst
#cache_peer_access 172.16.0.1 deny all
#==================================================================#

#  TAG: store_avg_object_size    (kbytes)
#    Average object size, used to estimate number of objects your
#    cache can hold.  The default is 13 KB.
#
#Default:
store_avg_object_size 64 KB

#  TAG: half_closed_clients
#    Some clients may shutdown the sending side of their TCP
#    connections, while leaving their receiving sides open.    Sometimes,
#    Squid can not tell the difference between a half-closed and a
#    fully-closed TCP connection.  By default, half-closed client
#    connections are kept open until a read(2) or write(2) on the
#    socket returns an error.  Change this option to 'off' and Squid
#    will immediately close client connections when read(2) returns
#    "no more data to read."
#
#Default:
half_closed_clients off

#Default:
store_dir_select_algorithm least-load

#extension_methods SEARCH NICK

range_offset_limit 0 KB

quick_abort_min 0 KB

#quick_abort_pct 95

range_offset_limit -1

#negative_ttl 1 minutes

connect_timeout 60 seconds

dns_nameservers 172.16.0.2 172.16.0.1

logfile_rotate 5

offline_mode off

balance_on_multiple_ip on

refresh_pattern ^ftp:            1440    20%    10080
refresh_pattern ^gopher:        1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?)    0    0%    0
refresh_pattern .            0    20%    4320


#Suggested default:
refresh_pattern -i \.jpg$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.gif$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.png$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.jpeg$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.bmp$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.tif$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.tiff$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.swf$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.html$ 0 20% 1440 reload-into-ims
refresh_pattern -i \.htm$ 0 20% 1440 reload-into-ims
refresh_pattern -i \.shtml$ 0 20% 1440 reload-into-ims
refresh_pattern -i \.shtm$ 0 20% 1440 reload-into-ims
refresh_pattern -i \.nub$ 2880 80% 21600 reload-into-ims
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 8640
refresh_pattern -i exe$ 0 50% 525600
refresh_pattern -i zip$ 0 50% 525600
refresh_pattern -i \.flv$ 10080 90% 525600 ignore-no-cache override-expire ignore-private refresh_pattern -i \.swf$ 10080 90% 525600 ignore-no-cache override-expire ignore-private


read_ahead_gap 32 KB

visible_hostname Optimum-Wireless-Services
cache_mgr optimumwireless@xxxxxxxxxxx

#  TAG: store_dir_select_algorithm
#       Set this to 'round-robin' as an alternative.
#
#Default:
# store_dir_select_algorithm least-load
store_dir_select_algorithm round-robin



# PERSISTENT CONNECTION HANDLING
# -----------------------------------------------------------------------------
#
# Also see "pconn_timeout" in the TIMEOUTS section

#  TAG: client_persistent_connections
#  TAG: server_persistent_connections
#    Persistent connection support for clients and servers.  By
#    default, Squid uses persistent connections (when allowed)
#    with its clients and servers.  You can use these options to
#    disable persistent connections with clients and/or servers.
#
#Default:
client_persistent_connections on
server_persistent_connections on

#  TAG: persistent_connection_after_error
#    With this directive the use of persistent connections after
#    HTTP errors can be disabled. Useful if you have clients
#    who fail to handle errors on persistent connections proper.
#
#Default:
persistent_connection_after_error off

#  TAG: detect_broken_pconn
#    Some servers have been found to incorrectly signal the use
#    of HTTP/1.0 persistent connections even on replies not
#    compatible, causing significant delays. This server problem
#    has mostly been seen on redirects.
#
#    By enabling this directive Squid attempts to detect such
#    broken replies and automatically assume the reply is finished
#    after 10 seconds timeout.
#
#Default:
detect_broken_pconn off

#  TAG: memory_pools    on|off
#    If set, Squid will keep pools of allocated (but unused) memory
#    available for future use.  If memory is a premium on your
#    system and you believe your malloc library outperforms Squid
#    routines, disable this.
#
#Default:
memory_pools on

#  TAG: memory_pools_limit    (bytes)
#    Used only with memory_pools on:
#    memory_pools_limit 50 MB
#
#    If set to a non-zero value, Squid will keep at most the specified
#    limit of allocated (but unused) memory in memory pools. All free()
#    requests that exceed this limit will be handled by your malloc
#    library. Squid does not pre-allocate any memory, just safe-keeps
#    objects that otherwise would be free()d. Thus, it is safe to set
#    memory_pools_limit to a reasonably high value even if your
#    configuration will use less memory.
#
#    If set to zero, Squid will keep all memory it can. That is, there
#    will be no limit on the total amount of memory used for safe-keeping.
#
#    To disable memory allocation optimization, do not set
#    memory_pools_limit to 0. Set memory_pools to "off" instead.
#
#    An overhead for maintaining memory pools is not taken into account
#    when the limit is checked. This overhead is close to four bytes per
#    object kept. However, pools may actually _save_ memory because of
#    reduced memory thrashing in your malloc library.
#
#Default:
memory_pools_limit 64 MB

#  TAG: refresh_all_ims    on|off
#    When you enable this option, squid will always check
#    the origin server for an update when a client sends an
#    If-Modified-Since request.  Many browsers use IMS
#    requests when the user requests a reload, and this
#    ensures those clients receive the latest version.
#
#    By default (off), squid may return a Not Modified response
#    based on the age of the cached version.
#
#Default:
refresh_all_ims off

#  TAG: reload_into_ims    on|off
#    When you enable this option, client no-cache or ``reload''
#    requests will be changed to If-Modified-Since requests.
#    Doing this VIOLATES the HTTP standard.  Enabling this
#    feature could make you liable for problems which it
#    causes.
#
#    see also refresh_pattern for a more selective approach.
#
#Default:
reload_into_ims off

#  TAG: retry_on_error
#    If set to on Squid will automatically retry requests when
#    receiving an error response. This is mainly useful if you
#    are in a complex cache hierarchy to work around access
#    control errors.
#
#Default:
retry_on_error on

#  TAG: coredump_dir
#    By default Squid leaves core files in the directory from where
#    it was started. If you set 'coredump_dir' to a directory
#    that exists, Squid will chdir() to that directory at startup
#    and coredump files will be left there.
#
#Default:
# coredump_dir none
#
# Leave coredumps in the first cache dir
coredump_dir none

#  TAG: pipeline_prefetch
#    To boost the performance of pipelined requests to closer
#    match that of a non-proxied environment Squid can try to fetch
#    up to two requests in parallel from a pipeline.
#
#    Defaults to off for bandwidth management and access logging
#    reasons.
#
#Default:
pipeline_prefetch on

http_access allow clientes_registrados

shutdown_lifetime 45 seconds

http_access deny all



[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux