Re: [squid-users] Squid HIT analysis, worm DoS mitigation, and general config tweaking

From: Henrik Nordstrom <>
Date: Wed, 25 Feb 2004 10:43:02 +0100 (CET)

On Wed, 25 Feb 2004, Paul Seaman wrote:

> 1. I want to analyze my squid logs graphically in terms of TCP_HIT,
> and other codes from the logs. I'm sure there's something out there to do
> it already that I'm just not aware of.

The log analysis programs we know about is listed under Log analysis on
the home page.

> 2. Also, we've been feeling the brunt of all the new Welchia variants
> that try port 80 attacks through random, high-frequency portscanning,
> which saps our squid caches of file descriptors. From doing some
> previous list reading, I have set half_closed_connections to off, as
> well as client_persistent connections to off. I didn't turn
> server_persistent to off, because, well, it sounds important.

It is not very important, but with half_closed_connections off you should
not need to touch the server_persistent directive.

> Am I being a pansy for not doing this? I'm also curious how these
> settings help the file descriptor problem, as they sound like they
> adjust network connection behaviour as opposed to anything that impacts
> file descriptors.

Each open network connection uses one filedescriptor.

> Can anyone shed light on how this works? Also, would there be any
> reason a service provider with many diversely screwed-up operating
> systems and corresponding screwed-up browsers would not want to muck
> with these Squid settings?

half_closed_clients you want to turn off in such environment. The other
should only be turned off if the load is too high and rebuilding Squid to
support more filedescriptors is not an option.

> 3. Why is the squid cache so slow when I use diskd?

Is it?

> What guidelines do all of you use for large caches (>20GB) in terms of
> directory structure, memory options, and diskd/no diskd, ufs/no ufs?

Memory is described in the Squid FAQ on memory usage.

As for diskd/aufs, you need one of these as soon as you are going above ca
30-50 request/s, as the default "ufs" cache_dir type quickly gets
limited by disk speed and can not scale beyond the speed of a single
drive. Which of diskd or aufs to use depends on what OS you are using
(aufs for Linux, diskd for most others)

Received on Wed Feb 25 2004 - 03:26:25 MST

This archive was generated by hypermail pre-2.1.9 : Mon Mar 01 2004 - 12:00:03 MST