[squid-users] slow connects when using cache_peer_access and acls

From: <Markus.Rietzler@dont-contact.us>
Date: Thu, 1 Aug 2002 15:32:29 +0200

hi,

we have some performance probs with our squids. after first thinking of
hardware/network/kernel probs it proved that the problems we have come
from our squid.conf.

here is a short description of our proxy configuration.

there is a "so-called" user-proxy. this is the proxy all the clients
in a co-location are connecting to. we have defined several acls that
- provide rules like
  - who is allowed to access the internet,
  - who is allowed to download files (exe, zip, tgz, mp3) from the internet
  - there are also so-called "tunneled" internet sites that are open for
    all users even if they don't have general internet access rights
- provide rules like
  - only local clients, and our central proxy are allowed to access local
    webservers

to check access rights we use ip-addresses of clients and the msnt-auth module
to use nt-userid and password to authenticate the user.

all those acls are given in regular-expression-url-lists (in whole there are
813 entries spread over 10 individual list files).

we also have the need to distinguish requests to internet, intranet and
extranet servers. for all those types we have set up a proxy (proxy-inter,
proxy-intra and proxy-extra).

so the user-proxy has to decide which parent (proxy-inter, proxy-intra or
proxy-extra) he has to ask for one certain request.

we have set up proxy-inter, proxy-intra and proxy-extra as parent
proxies, and via cache_peer_access rules we distinguish the requests:

        # proxy-intra only responsible for intranet
        cache_peer_access proxy-intra allow url_intra
        cache_peer_access proxy-intra allow url_intramisc
                # all other requests are forbidden
        cache_peer_access proxy-intra deny all
        # proxy-extra only for extranet
        cache_peer_access proxy-extra allow url_extra
        cache_peer_access proxy-extra allow url_extramisc
                # all other requests are forbidden
        cache_peer_access proxy-extra deny all

        # proxy-inter should answer all requests except those
        # for intranet and extranet servers, so first forbid
        # intranet and extranet
        cache_peer_access proxy-inter deny url_intra
        cache_peer_access proxy-inter deny url_intramisc
        cache_peer_access proxy-inter deny url_extra
        cache_peer_access proxy-inter deny url_extramisc
        cache_peer_access proxy-inter allow all

if we use these rules internet-access is "slow". when testing a
certain website netscape needs 10-15 seconds to finish the requests.

when we now use

        #cache_peer_access proxy-inter deny url_intra
        #cache_peer_access proxy-inter deny url_intramisc
        #cache_peer_access proxy-inter deny url_extra
        #cache_peer_access proxy-inter deny url_extra
        cache_peer_access proxy-inter allow all

in squid.conf, so allow all requests for proxy-inter, netscape needs
5 to 10 seconds to finish the request (this is also the time this
site needs when asked directly - more or less, without a bit of
proxy-overhead).
a recently made performance test showed that acls (used in http_access) do
not have an impact on time (at least not a great impact). but acls used in
combination with cache_peer_access seem to be bad.

so my question: is there anything that we have forgotten to consider?
is there an easier way to distinguish intranet, extranet and internet
requests and forward them to the right parent proxy?

when we disable the "cache_peer_access-proxy-inter-deny-rules" internet
seems to be fast, but now we have another problem:
when proxy-intra or proxy-extra don't answer a request for an
intranet/extranet-site (either they are too busy or they are not responding
at all), proxy-inter tries to answer the request, because we have
"allowed all" for proxy-inter...
that is not really what we want?

Markus Rietzler
* <rietzler_software/>
* RZF NRW
* Tel: 0211.4572-130
Received on Thu Aug 01 2002 - 07:32:33 MDT
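The following squid.conf fragment is an added example, not part of the post above and not a configuration from the poster's site. It expresses the same three-way parent selection (intranet, extranet, everything else) with dstdomain list ACLs instead of url_regex lists, and adds never_direct so that a request whose only permitted parent is unavailable fails instead of being sent somewhere else. The parent host names, ports, ACL names (dom_intra, dom_extra) and list file paths are assumptions chosen for the example; the ACL names url_intra, url_extra etc. from the post are deliberately not reused because those are url_regex ACLs, and dstdomain list files contain one domain per line, not regular expressions.

```conf
# Added example (not the poster's configuration): parent selection by
# destination domain. Host names, ports, ACL names and file paths are
# assumptions for illustration only.

# the three parents; icp port 0 plus no-query means squid never sends
# ICP queries to them and treats each as always reachable for selection
cache_peer proxy-intra.example.local parent 8080 0 no-query
cache_peer proxy-extra.example.local parent 8080 0 no-query
cache_peer proxy-inter.example.local parent 8080 0 no-query

# dstdomain matches only the host part of the requested URL against a
# domain list (a leading dot matches the domain and all subdomains),
# so no regular expression is run over the full URL per request
acl dom_intra dstdomain "/etc/squid/intra-domains.txt"
acl dom_extra dstdomain "/etc/squid/extra-domains.txt"

# proxy-intra only for intranet hosts; everything else is denied for it
cache_peer_access proxy-intra allow dom_intra
cache_peer_access proxy-intra deny all

# proxy-extra only for extranet hosts; everything else is denied for it
cache_peer_access proxy-extra allow dom_extra
cache_peer_access proxy-extra deny all

# proxy-inter for whatever is neither intranet nor extranet
cache_peer_access proxy-inter deny dom_intra
cache_peer_access proxy-inter deny dom_extra
cache_peer_access proxy-inter allow all

# never fetch from the origin server ourselves: a request for which the
# only permitted parent does not answer gets an error page rather than
# being retried direct or through a parent the rules above deny
never_direct allow all
```

Each cache_peer_access list ends with an explicit "deny all" (or "allow all") so the outcome never depends on squid's default for a list where no line matches. Path-based policies from the post, such as which users may download exe/zip/tgz/mp3 files, cannot be expressed with dstdomain and stay as urlpath_regex ACLs in http_access, where they are evaluated once per request rather than once per candidate parent.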

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:09:29 MST