On 4/20/05, Henrik Nordstrom <hno@squid-cache.org> wrote:
>
>
> On Wed, 20 Apr 2005, Thien Vu wrote:
>
> > That's what I'm thinking also, but we have nearly 300 acls and a
> > similar number of http_access rules.
>
> Ok.
>
> What kinds of acls are these?
>
A portion are external_acl_type for ldap lookups for user groups. The
ldap queries themselves are fairly quick, around 200 milliseconds for
the initial lookup but then it should hit the authentication cache
from then on.
The rest are url_regex which involve urls or ports (for the CONNECT)
later defined in the http_access rules. So essentially we have a
population of users and we want to restrict what they can access
depending on what group they're in. Group membership is determined by
ldap lookups.
> > Our setup is like this. We have a machine proxy.company.com that runs
> > both a proxy and a web server. We monitor the web server by grabbing a
> > file every minute. We monitor the proxy by grabbing that same file
> > through the proxy every minute. The proxy is configured to not cache
> > any results (other than dns and authentication credential and other
> > administrative data, but specifically not web pages). Over a day, the
> > direct requests to the web server for the file takes an average of 20
> > milliseconds. On the other hand, the requests through the proxy
> > average 888 milliseconds.
>
> Sounds a bit excessive difference indeed.
>
> Do you have a problem with CPU usage?
>
Never any problems with CPU usage; these are dual P3 1.3 GHz boxes, so
it's more than enough muscle.
> Is there any difference if you for a test cuts down on the number of
> http_access rules?
I haven't tried this. I haven't gone into too much detail about how Squid
manages its ACLs, but I'm sure this could be rearranged to be better
for Squid to process. The rules have been written such that the
url_regex acls are in one portion and the http_access rules are in another
portion. We can probably do something like:
# Group 1
# Both URLs go under one acl name so that either one matches. All ACLs on a
# single http_access line must match (AND), so "allow group1 foo foo2" with
# two different url_regex names would never match any request.
acl foo url_regex ^http://foo.com/bar/baz.html$
acl foo url_regex ^http://foo.com/foobar/fubar.html$
http_access allow group1 foo
http_access deny group1
# Group 2
...
> Any warnings in cache.log?
The only significant warnings were problems connecting to the ldap
server but this is on the order of like 20 messages a day, so I
imagine most of the time it's hitting the authentication cache.
> Any swap activity on the system?
Very little swap/disk activity. I can try disabling swap though.
> Are you also using a redirector helper?
No redirector helpers.
> What authentication method scheme is used?
For the basic authentication, squid_ldap_auth. For external_acl_type,
squid_ldap_group. We were having issues with too few helpers for the
external_acl_type but that problem has been fixed by increasing
children= to a reasonable number.
Thien
Received on Wed Apr 20 2005 - 03:02:11 MDT
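As an added illustration of the per-group layout discussed in this thread (example configuration, not the poster's or the Squid project's own): the group ACL is placed first on every http_access line so that the cached LDAP answer short-circuits the line and the url_regex list for a group is only scanned for that group's members, with the helper caches (credentialsttl, ttl=) and children= set explicitly. Helper paths, the LDAP host, base DN, search filter and the group names are assumed placeholders.

```squid
# Added example, not from the thread. Paths, LDAP details and group names
# are placeholders; adjust to the real directory.

# Basic authentication via squid_ldap_auth. A successful bind is cached
# for credentialsttl, so the ~200 ms LDAP round trip is paid once per
# user per interval rather than on every request.
auth_param basic program /usr/lib/squid/squid_ldap_auth -b "dc=company,dc=com" -h ldap.company.com
auth_param basic children 10
auth_param basic realm company proxy
auth_param basic credentialsttl 1 hour

# Group membership via squid_ldap_group. ttl= / negative_ttl= cache each
# (user, group) answer; children= bounds how many lookups run in parallel,
# so a low value makes requests queue behind LDAP.
external_acl_type ldapgroup ttl=3600 negative_ttl=3600 children=10 %LOGIN /usr/lib/squid/squid_ldap_group -b "ou=groups,dc=company,dc=com" -f "(&(cn=%g)(memberUid=%u))" -h ldap.company.com

acl authenticated proxy_auth REQUIRED
acl group1 external ldapgroup proxy-group1
acl group2 external ldapgroup proxy-group2

acl SSL_ports port 443
acl CONNECT method CONNECT

# Per-group URL lists, kept next to the http_access lines that use them.
# Several lines with the same acl name are OR'ed together.
acl group1_urls url_regex ^http://foo\.com/bar/baz\.html$
acl group1_urls url_regex ^http://foo\.com/foobar/fubar\.html$
acl group2_urls url_regex ^http://example\.com/

# Force authentication first; this also fills %LOGIN for the group helper.
http_access deny !authenticated
http_access deny CONNECT !SSL_ports

# Group 1. ACLs on a line are checked left to right and the line is
# abandoned at the first non-match, so group1_urls is only evaluated for
# group1 members. The trailing "deny group1" stops members falling
# through into later groups' rules.
http_access allow group1 group1_urls
http_access deny group1

# Group 2, same shape.
http_access allow group2 group2_urls
http_access deny group2

# Anyone not matched above gets nothing.
http_access deny all
```

Two caveats worth keeping in mind with this shape: url_regex runs every pattern under an acl name against the full URL on each request, so hundreds of patterns still cost hundreds of regex matches for the group that reaches them, and whole-host rules are cheaper as dstdomain entries; and because a line's ACLs are ANDed, a rule that needs "either of these URL sets" must put them under one acl name or on separate http_access lines, never side by side on one line.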