On 17.05.2012 04:27, Ali Esf wrote:
hello
we are using squid just for proxy not for caching.
we have 4 linux machines (vps) with the following specification and
need to add 6 other machines to be 10 machines use squid.
specification for each machine:
ram = 1 GB
port = 1 Gbps
cpu = Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2 cores
os = CentOS Linux 5.8
hard disk space = 30 GB
----------------------------------------
we have configured for https proxy on port 9090 in these 4 linux
machines

No, you configured squid as a plain-HTTP proxy on port 9090.

the problem is that when the number of users rises the speed of proxy
comes down and sometimes it does not connect, and the speed of loading
pages is too slow.

Normal to see speed decrease as load rises. Do you have numbers for
what you consider "slow", "fast" and "more"?

we compared the squid with the ccproxy on microsoft windows and
understood that the ccproxy can support more users than squid in the
same specification machine.

Really? Squid can support millions of "users". All simultaneously not
doing anything.

NP: Only requests-per-second and concurrent-connection-count metrics
measure proxy capacity properly.

we think we have some problem in configuring squid.
we want you to help us to improve the speed of the squid.
here is the configuration of the squid.
if you need vps user pass for monitoring and more information please
say to email the user pass and ip of the vps.
we installed the squid with the following commands
./configure --prefix=/usr/local/squid

Run "./configure --help" and take note of the "--disable" options
available. If any of them are for features you don't want to use, you
can speed up Squid a little by adding those disable options to remove
the features code.

make all
make install
the squid version is squid-3.1.19

3.1 series contains IPv6 support. With two sequential DNS lookups per
domain the DNS handling speed can impact traffic through 3.1 in a major
way.
------------------------------------------------------------------
cache deny all
#
# Recommended minimum configuration:
#
auth_param basic program /usr/local/squid/libexec/squid_db_auth --user squid_user --password c.0.m.p.u.t.e.r==(68)==)( --plaintext --persist
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

Reducing the size of the ACL reduces the amount of work done testing
it. Follow the advice listed above and remove the *possible* LAN
networks which you are not using.

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl user_pass_auth proxy_auth REQUIRED
# replace 10.0.0.1 with your webserver IP
#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports

NOTE: You dropped the CONNECT safety rule.

http_access allow localnet

This allows all LAN users to bypass proxy authentication. Did you want
that?

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localhost
http_access allow user_pass_auth
http_access allow all

"http_access allow all" permits anyone on the WAN who fails
authentication to use the proxy anyway.
Amos
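
Added example (not part of the original message, and not Squid's own code): a simplified Python model of first-match http_access evaluation, run over the posted rule order and an assumed tightened order, showing which requests each lets through. The `HARDENED` list, the `auth_ok` flag and the sample requests are assumptions made for illustration.

```python
import ipaddress

# ACLs as defined in the posted squid.conf (IPv4 entries only).
LOCALNET = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777}

def acl(name, req):
    """Simplified model: does the named ACL match this request?"""
    src = ipaddress.ip_address(req["src"])
    return {
        "all": True,
        "manager": req.get("proto") == "cache_object",
        "localhost": src.is_loopback,
        "localnet": any(src in net for net in LOCALNET),
        "Safe_ports": req["port"] in SAFE_PORTS or 1025 <= req["port"] <= 65535,
        "SSL_ports": req["port"] == 443,
        "CONNECT": req["method"] == "CONNECT",
        "user_pass_auth": req["auth_ok"],  # assumption: True only for an accepted login
    }[name]

def decide(rules, req):
    """First matching http_access line wins; all ACLs on a line must match."""
    for line in rules:
        action, *names = line.split()[1:]
        if all(acl(n.lstrip("!"), req) != n.startswith("!") for n in names):
            return action, line
    # No line matched: Squid applies the opposite of the last line's action.
    return ("deny" if rules[-1].split()[1] == "allow" else "allow"), None

HEAD = ["http_access allow manager localhost", "http_access deny manager",
        "http_access deny !Safe_ports"]
POSTED = HEAD + ["http_access allow localnet", "http_access allow localhost",
                 "http_access allow user_pass_auth", "http_access allow all"]
# Assumed tightening: CONNECT rule restored, LAN must authenticate, final deny.
HARDENED = HEAD + ["http_access deny CONNECT !SSL_ports", "http_access allow localhost",
                   "http_access allow user_pass_auth", "http_access deny all"]

# Constructed sample requests (203.0.113.0/24 is a documentation range).
SAMPLES = {
    "wan_failed_auth": {"src": "203.0.113.7", "method": "GET", "port": 80, "auth_ok": False},
    "lan_no_auth": {"src": "192.168.1.20", "method": "GET", "port": 80, "auth_ok": False},
    "connect_8080": {"src": "203.0.113.7", "method": "CONNECT", "port": 8080, "auth_ok": True},
    "connect_443": {"src": "203.0.113.7", "method": "CONNECT", "port": 443, "auth_ok": True},
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(name, decide(POSTED, req)[0], decide(HARDENED, req)[0])
```

The returned rule line shows which http_access entry made the decision, which is the quickest way to see why rule order matters here.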