
Re: Squid 3-5 CPU optimization and best practise .


Hello Amos,

Config file is based on IP auth and user/pass auth.

But I want to minimize the CPU hit of my config file as much as possible.

 

Version : Squid 5.3 

###############################################################################################


squid.conf

 

acl RDP-Domain-controller src 77.90.230.0/24 77.90.228.0/24 77.90.225.0/24 77.90.210.0/24 77.90.193.0/24 77.90.145.0/24 77.90.112.0/24 88.21.95.0/24 88.21.94.0/24 88.21.76.0/24 88.21.75.0/24 88.21.72.0/24 88.21.36.0/24 88.21.34.0/24 88.21.199.0/24 88.21.193.0/24 88.21.192.0/24 88.21.137.0/24 88.21.135.0/24 88.21.132.0/24 88.21.131.0/24 88.21.129.0/24 88.21.128.0/24 88.21.126.0/24 88.21.121.0/24 88.21.120.0/24 88.108.9.0/24 88.108.45.0/24 

http_access allow RDP-Domain-controller

 

acl googleaccess dstdomain .google.com .google.ad .google.ae .google.com.af .google.com.ag .google.com.ai .google.al .google.am .google.co.ao .google.com.ar .google.as .google.at .google.com.au .google.az .google.ba .google.com.bd .google.be .google.bf .google.bg .google.com.bh .google.bi .google.bj .google.com.bn .google.com.bo .google.com.br .google.bs .google.bt .google.co.bw .google.by .google.com.bz .google.ca .google.cd .google.cf .google.cg .google.ch .google.ci .google.co.ck .google.cl .google.cm .google.cn .google.com.co .google.co.cr .google.com.cu .google.cv .google.com.cy .google.cz .google.de .google.dj .google.dk .google.dm .google.com.do .google.dz 

 

 

acl FTP proto FTP

http_access deny FTP

http_access deny manager

#################################

acl URN proto URN

http_access deny URN

###########################

#############################################################

visible_hostname squid

###################################

# Lockdown Procedures

auth_param basic program /lib/squid/basic_ncsa_auth /etc/squid/squid_user

acl ncsa_users proxy_auth REQUIRED

auth_param basic children 50

auth_param basic realm login squid Login

http_access deny ncsa_users googleaccess 

http_access allow ncsa_users

auth_param basic casesensitive on

#########################################

cache_effective_user squid

cache_effective_group squid

##############

server_persistent_connections off

client_persistent_connections off

cache deny all

###############################################

http_port  66.4.223.238:45000 name=45000

http_port  66.4.223.238:45001 name=45001

http_port  66.4.223.238:45002 name=45002

http_port  66.4.223.238:45003 name=45003

#########

acl user45000 myportname 45000

acl user45001 myportname 45001

acl user45002 myportname 45002

acl user45003 myportname 45003

#############

tcp_outgoing_address 2a0f:3fc6:f1f1:459e:ba16:10cc:3d9f:6d8f user45000

tcp_outgoing_address 2a0f:3fc6:f1f1:459e:ca27:f465:986e:6dfc user45001

tcp_outgoing_address 2a0f:3fc6:f1f1:459e:27de:fec7:49fc:3113 user45002

tcp_outgoing_address 2a0f:3fc6:f1f1:459e:698a:d044:d39e:ffe7 user45003

tcp_outgoing_address 2a0f:3fc6:f1f1:459e:bc96:9e75:6653:76ac user45004

 

 

 

 

 

 

From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> on behalf of Amos Jeffries <squid3@xxxxxxxxxxxxx>
Date: Friday, April 1, 2022 at 1:51 AM
To: squid-users@xxxxxxxxxxxxxxxxxxxxx <squid-users@xxxxxxxxxxxxxxxxxxxxx>
Subject: Re: Squid 3-5 CPU optimization and best practise .

FYI; CPU in Squid is primarily consumed by two things:


1) parsing and processing HTTP message headers.

The only thing you can do about this is detect and reject unwanted
traffic as early as possible.

Your OS firewall is obviously the early line of defense. Preventing
unwanted network ranges from reaching Squid listening ports saves Squid
from spending CPU cycles looking up details about those unwanted clients.

Then for clients who are potentially valid the default http_access rules
reject dangerous traffic quickly and efficiently. Make sure any custom
http_access rules are listed *after* those ones. Then see (2).



2) processing access controls (ACL checks).

To optimize this needs attention to what order ACLs are tested in versus
how complex they are to process.

How many CPU cycles are consumed managing any resources they or other
processes they trigger is also important.

If you want a free optimization review please post your full squid.conf
(just without the documentation comments and empty lines). Then we can
point out any performance tricks you may not yet be using.




Beyond those two you are getting into "advanced admin" levels of
performance optimization. Where YMMV, Alex has mentioned. Every network
is different so none of us can say a specific thing to do that will be
better for you.

HTH
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
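
The ordering advice in the quoted reply can be checked mechanically. The following is an added example, not part of the thread or of Squid: `lint_squid_conf` and `SAMPLE_CONF` are hypothetical names, the sample config is constructed, and the sets of slow ACL types and predefined ACL names are assumed subsets.

```python
# Assumptions: a subset of slow ACL types (helper or DNS lookup) and of predefined names.
SLOW_TYPES = {"proxy_auth", "external", "ident", "dst", "srcdomain"}
BUILTIN_ACLS = {"all", "manager", "localhost", "to_localhost"}
# Safety rules from the stock squid.conf; custom rules go after them.
DEFAULT_DENIES = ("deny !Safe_ports", "deny CONNECT !SSL_ports")

def lint_squid_conf(text):
    """Return sorted (line_no, message) findings for ACL ordering issues."""
    acl_type, findings, first_allow, seen = {}, [], None, set()
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "acl":
            acl_type.setdefault(parts[1], parts[2])
        if len(parts) < 3 or parts[0] not in ("http_access", "tcp_outgoing_address"):
            continue
        names = [a.lstrip("!") for a in parts[2:]]
        for n in names:
            if n not in acl_type and n not in BUILTIN_ACLS:
                findings.append((no, f"undefined ACL '{n}'"))
        # ACLs on one line are tested left to right, so a slow ACL ahead of
        # a fast one is evaluated even when the fast one would not match.
        kinds = [acl_type.get(n) in SLOW_TYPES for n in names]
        if True in kinds and False in kinds[kinds.index(True):]:
            findings.append((no, "slow ACL tested before a fast ACL"))
        if parts[0] == "http_access" and first_allow is None:
            if " ".join(parts[1:]) in DEFAULT_DENIES:
                seen.add(" ".join(parts[1:]))
            elif parts[1] == "allow":
                first_allow = no
    for rule in DEFAULT_DENIES:
        if first_allow is not None and rule not in seen:
            findings.append((first_allow, f"'http_access {rule}' should come first"))
    return sorted(findings)

# Constructed sample, shaped like the posted config but with documentation values.
SAMPLE_CONF = """\
acl office src 192.0.2.0/24
http_access allow office
acl blocked dstdomain .example.com
http_access deny manager
acl ncsa_users proxy_auth REQUIRED
http_access deny ncsa_users blocked
http_access allow ncsa_users
acl user45000 myportname 45000
tcp_outgoing_address 2001:db8::1 user45000
tcp_outgoing_address 2001:db8::2 user45004
"""
for line_no, message in lint_squid_conf(SAMPLE_CONF):
    print(f"line {line_no}: {message}")
```

Reordering a rule that ends in a `proxy_auth` ACL can change when clients are challenged for credentials, so treat the slow-before-fast finding as a prompt for review rather than an automatic rewrite.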
