Search squid archive

Re: Network appliance Sizing for Squid transparent proxy

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 27/11/2022 5:37 am, Lucas Vicente Pereira wrote:
Dear,


I have a project and would like to use Squid for WebProxy with Full SSL inspection, external acl to control urls access.


Firstly, be aware that TLS when used properly *cannot* be decrypted transparently. So do not expect 100% inspection rates. Even though typical web HTTPS can still be inspected, service security levels vary a lot.


Environment information:

~2500 users
3 x Internet links 1 Gbps each
Average HTTP requests per minute since start: 65956.1
ClamAv integration
Snort Integration
Iptables REDIRECT for squid

Please, can you please help me with appliance sizing for this environment?


Disclaimer:  I do not have any numbers for Squid when ClamAv is added. Someone else here may be able to supply or correct my below numbers from their actual experience when that tool is used.

AFAIK Snort and iptables are so much more efficient than Squid that they are essentially not relevant.


Your 1.1k RPS is well within Squid's capabilities for HTTP (15k-20k RPS limit), but the "SSL inspection" will add much overhead so YMMV.

Squid places heavy loads on CPU and I/O systems. The key things to look for when you are pushing performance boundaries are (in order of impact/gains IMO):

 * as much RAM as you can afford. Within reason, ~128GB is probably enough for most Squid.   - I/O is a major point of performance loss. Network I/O is implicitly minimized by Squid defaults.   - Now that RAM comes by the GB I typically recommend a memory cache over disk cache.

 * prefer CPU with higher GHz rating than more cores,
  - the GHz translates directly into faster transaction times + more clients, cores translates only to parallel capacity/clients.

 * real/physical cores better than hyper-threading,
   - Squid workers are single-threaded and can push their CPU hard. In this case hyper-threading just slows the CPU down.

 * bare-metal better than container;  container better than VM.
  - under load Squid will just keep squeezing the machine until it has nothing left to give - then traffic speed takes a nosedive at the worst possible time to do so.

The rest is down to configuration and making the whole system as simple as possible at every level.


HTH
Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux