
Re: Understanding maximum outgoing HTTP CONNECT requests?

On 5/03/2023 1:42 am, divan.whelk.0u wrote:
Thank you for the prompt reply!

- Squid can be configured to receive on up to 64 ports.
   Thus dst-port on **inbound** is 2^6.
outbound =  N * 2^6 * 2^128 * 2^16 = N * 2^150
Would that be 2^6 dst-port on outbound, rather than inbound (ignoring Alt-Svc)? Or am I misunderstanding the theoretical limit formulae after?

Oops. No the 2^6 should be on the inbound formula, and outbound have 2^16 in that place.
Net effect is the same though one is 2^150 and the other 2^160.


Thus total theoretical limit of simultaneous connections Squid can be juggling is  N * 2^151.
So, for example, a single-box HTTP CONNECT proxy might be listening on one IPv4 address and one IPv6 address, which would be making the outbound connections (and opening the TCP tunnel) and only able to make outbound connections to either port 80 or 443 (2^16 for each respective port, ignoring Alt-Svc).

Whereas for incoming, listening on dst-port (3128) (2^16 incoming), with a theoretical limit of 2^32 IPv4 addresses or 2^128 IPv6 addresses (or do you use 2^128 including IPv4)?

Ah, yes. I also assumed a typical hybrid or dual stack machine where IPv4 is mapped as part of the IPv6 2^128 range.


Reality can be significantly different for any given installation, but is imposed by configuration choices and thus can be altered as needed.
Understood, thanks! I think I’ve got a good idea now, with the clarifications.

Alex

On 17 Feb 2023, at 20:18, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:

On 18/02/2023 12:14 am, divan.whelk.0u wrote:
Hi there!

I’m trying to understand what the “theoretical” maximum number of outgoing connections would be with Squid set up as an HTTP CONNECT forward proxy (hardware permitting)?
As you likely know, each TCP/IP connection uses a 4-tuple identifier {src-IP, src-port, dst-IP, dst-port}.

So at face value there is a protocol imposed cap of (2^128 * 2^16 * 2^128 * 2^16) = 2^288 connections.

Being theoretical we have:
     * ignored reserved IP ranges,
     * ignored OS-specific ephemeral port reservations,
     * assumed IPv6 availability, and
     * assumed no access restrictions in Squid, network routing, nor firewall.

The factors to consider are:

  - Squid machine can be assigned multiple IPs.
     Thus src-IP on outbound and dst-IP on inbound are that N.

  - Squid can be configured to receive on up to 64 ports.
    Thus dst-port on inbound is 2^6.

  - DNS can provide any number of IPs for any given server name.
     Thus outbound dst-IP can be any 2^128 value.

  - modern websites use Alt-Svc to spread across ports.
     Thus outbound dst-port can be any 2^16 value.

So for theoretical limit the math is:

  inbound =    2^128 * 2^16 * N * 2^16  = N * 2^160

  outbound =  N * 2^6 * 2^128 * 2^16 = N * 2^150

Inbound and outbound are normally independent, but CONNECT is a special case where they are pinned 1:1.

Thus total theoretical limit of simultaneous connections Squid can be juggling is  N * 2^151.

Reality can be significantly different for any given installation, but is imposed by configuration choices and thus can be altered as needed.


From the “About bottlenecks (Max number of connections, etc.)” thread, I saw mention of the following:

* The limit on number of connections any Squid can have attached is only limited by your configured FD limits and available server RAM. Squid uses ~64 KB per network socket for traffic state - which equates to around 2 GB of RAM just for I/O buffers at 20,000 concurrent client connections.
I assume the same would not apply on outgoing connections, and that there would be a limit of 65,536 connections to a single IP, port pair? For example, if we had 1 million users making requests via HTTP CONNECT, only 65K of them would be able to access the same website at any one time?
IIRC that quoted thread was discussing a Squid with more normal multiple-destination case hitting FD limits.  The 64K port limitation you refer to is a special case contingent on the "single destination with single IP:port" criteria - which itself is rarely true for a popular website. It assumes configuration restriction imposing that criteria somehow.


Cheers
Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
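An added capacity model (my own code, not Squid's) that ties the thread's figures together: the "64K to one IP:port" special case generalised to N source IPs and a real ephemeral port range, and the FD/RAM ceiling from the "~64 KB per socket" estimate. The 64 KiB per socket, two sockets per CONNECT tunnel, and the sample ip_local_port_range value are assumptions, not measured Squid behaviour.

```python
# Capacity model for a Squid HTTP CONNECT proxy, built from the figures in this thread.
# Assumptions (not from Squid itself): ~64 KiB of traffic state per socket, one client
# socket plus one server socket per CONNECT tunnel, and outbound source ports drawn
# from a Linux-style ip_local_port_range rather than the full 2^16.
from dataclasses import dataclass

BYTES_PER_SOCKET = 64 * 1024   # "~64 KB per network socket" quoted in the thread
SOCKETS_PER_TUNNEL = 2         # CONNECT pins one inbound socket to one outbound socket

@dataclass
class HostLimits:
    source_ips: int          # N: addresses Squid can use as outbound src-IP
    ephemeral_range: str     # constructed sample of /proc/sys/net/ipv4/ip_local_port_range
    fd_limit: int            # effective max_filedescriptors / ulimit -n
    ram_bytes: int           # RAM available for socket buffers

def ephemeral_ports(range_text: str) -> int:
    """Usable local ports in a 'LOW HIGH' ip_local_port_range string."""
    low, high = (int(x) for x in range_text.split())
    if not (0 < low <= high <= 65535):
        raise ValueError(f"bad port range: {range_text!r}")
    return high - low + 1

def max_tunnels_to_one_destination(h: HostLimits) -> int:
    """Distinct {src-IP, src-port} pairs available for a single dst-IP:dst-port.
    This is the thread's '64K' special case with N source IPs and a real
    ephemeral range instead of the theoretical 2^16."""
    return h.source_ips * ephemeral_ports(h.ephemeral_range)

def max_tunnels_overall(h: HostLimits) -> int:
    """Tunnels the host can hold before the FD limit or the RAM estimate binds."""
    by_fd = h.fd_limit // SOCKETS_PER_TUNNEL
    by_ram = h.ram_bytes // (BYTES_PER_SOCKET * SOCKETS_PER_TUNNEL)
    return min(by_fd, by_ram)

def binding_limit(h: HostLimits, wanted_tunnels: int) -> str:
    """Which limit a target concurrency to one site hits first, if any."""
    if wanted_tunnels > max_tunnels_to_one_destination(h):
        return "ephemeral ports per destination"
    if wanted_tunnels > max_tunnels_overall(h):
        return "fd limit or ram"
    return "ok"

if __name__ == "__main__":
    host = HostLimits(source_ips=1, ephemeral_range="32768 60999",
                      fd_limit=131072, ram_bytes=2 * 1024**3)
    print(max_tunnels_to_one_destination(host), max_tunnels_overall(host))
    print(binding_limit(host, 20000))
```

Raising N (more source addresses) widens the per-destination cap, while the FD limit and RAM remain host-wide regardless of how many destinations the clients spread over.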