Search squid archive

Re: REported 3 months of slowness

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 11/09/11 05:21, The Doctor wrote:
Get customer complains about slowness in squid.

I did update yesterday but still slow performance is being reported.

Remember, users will always complain about slowness, what really matters are the actual measurable numbers.

That said there are a few things in your config that can be improved.


Config file.

##acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
##acl manager proto cache_object
acl domain src 204.209.81.0/24
acl domain2 src 208.118.93.0/24
acl domain3 src 208.118.94.0/24
acl SSL_ports port 443 563 10000 20000

NP: port 563 exists here but is blocked by the Safe_ports. Consider whether you need it and remove entirely or add to Safe_ports.

acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 22          # ssh
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 110         # pop3
acl Safe_ports port 119         # nntp
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 10000               # multiling http
acl Safe_ports port 20000               # multiling http

NP: the port range 1025-65535 already accepts 10000 and 20000. They can be removed from here.

acl CONNECT method CONNECT
http_access allow manager localhost

Problem #1.

The block starting here (point A) ...
http_access allow localnet
http_access allow domain
http_access allow domain2
http_access allow domain3

... to here. Are your local forward proxy configuration. Which allows unlimited access from your LAN *or* to a bunch of external networks.

This is because the block from here...

http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

... to here are the security measure to prevent LAN clients and others abusing your proxy as an open relay (read people allowed to suck out the proxy resources you need for speed on acceptible traffic). These need to be *above* the local forward proxy config.

http://wiki.squid-cache.org/SquidFaq/OrderIsImportant


http_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?

You can safely drop hierarchy_stoplist.

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

http_port 80 accel defaultsite=www.nk.ca
cache_peer 204.209.81.1 parent 80 0 no-query originserver name=myAccel
acl our_sites dstdomain www.nk.ca
http_access allow our_sites
cache_peer_access myAccel allow our_sites
cache_peer_access myAccel deny all

see
http://wiki.squid-cache.org/ConfigExamples/Reverse/BasicAccelerator#Squid_Configuration_File

particularly notice the first line of text about how to configure accelerators.

ie, move this to the *top* of your config file (or at least to above the other http_access lines), and your external visitors will not have to wait for any DNS lookups.


coredump_dir /usr/local/squid3/var/cache

Is there any reason for this slowness?

* Reverse-proxy/Accelerator config being disabled by your forward-proxy config deny rules.

* Bypassing of security rules preventing abuse by clients.

* DNS lookups required by your access controls.



Fix the things I pointed at above. Then re-check what response times get logged.


Extra thing to optimize after the above:

1) You may be able to entirely drop the domain, domain2, domain3 ACLs.
If not, consider changing them to dstdomain to avoid DNS lookups and possibly add multiple cache_peer reverse-proxy blocks of config.

2) persistent connections are your friends. Particularly server persistent connections in reverse proxy setups. This can drop TCP wait times a lot in the more recent Squid release (less so in the older ones, but still better than no savings at all).

3) browsers put some fairly big limits on number of connections per host. Domains often use the trick of spreading their content over multiple FQDN to get around these. But the browser considers everything through a proxy as one host. These limits can be bumped up to improve overall page load times. More details at http://www.stevesouders.com/blog/2008/03/20/roundup-on-parallel-connections/


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.15
  Beta testers wanted for 3.2.0.11


[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux