Nathan Bell wrote:
> Hello fellow squid wranglers,
>
> I'm running squid on a network with about 10 linux stations (with 15+ 
> simultaneous users per station), and about 20 windows stations (with 
> only one user per station). Top download speed is the same for both 
> linux and windows boxes, but overall browsing is significantly slower 
> on the windows boxes. At first I thought the problem was with the 
> windows boxes not receiving the dns information quickly, but tests 
> have shown otherwise. There is a delay of one to two seconds for each 
> connection to squid. For instance, a page with several images would 
> take 4 seconds to fully render, first two seconds to load the page, 
> then two seconds as it concurrently downloads each image. If the user 
> were to go to that page again I can watch the squid logs and see a 
> TCP_HIT for each image and the web page, but the render time remains 
> the same. If I allow the machine to directly connect to the internet 
> (using the same dns servers) there is no such delay when rendering pages.
>
> Each windows box allowed through the proxy is listed in acl/pc_hosts 
> and each linux box is listed in acl/unix_hosts with each user either 
> in acl/allow_user or acl/deny_user. The pertinent parts of my 
> squid.conf are such:
>
> acl allow_user ident            "/etc/squid/acl/allow_user"
> acl deny_user ident             "/etc/squid/acl/deny_user"
> acl unix_hosts srcdomain        "/etc/squid/acl/unix_hosts"
> acl pc_hosts srcdomain          "/etc/squid/acl/pc_hosts"
Reverse the next two lines...
> http_access allow allow_user !deny_user unix_hosts
> http_access allow pc_hosts
>
In other words...
http_access allow pc_hosts
http_access allow allow_user !deny_user unix_hosts
... as this will allow the pc_hosts without trying to do an ident lookup.
> Is there a performance penalty for having pc_hosts that don't 
> authenticate alongside unix_hosts that do? Is squid trying to access 
> a non-existent ident server on the windows stations? Is there a better 
> way to define access for pc_hosts? Any help with this matter would be 
> greatly appreciated.
Yes. Yes.  See above.  Otherwise, you could run an ident server on the PCs.
>
> The full squid.conf follows:
>
> http_port proxy:8080
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> request_body_max_size 0
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern .               0       20%     4320
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443 563     # https, snews
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
> acl porn url_regex              "/etc/squid/acl/porn"
> acl porn1 url_regex             "/etc/squid/acl/porn1"
> acl noporn url_regex            "/etc/squid/acl/noporn"
> acl allow_user ident            "/etc/squid/acl/allow_user"
> acl deny_user ident             "/etc/squid/acl/deny_user"
> acl allow_sites dstdomain       "/etc/squid/acl/allow_sites"
> acl unix_hosts srcdomain        "/etc/squid/acl/unix_hosts"
> acl pc_hosts srcdomain          "/etc/squid/acl/pc_hosts"
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow allow_sites
> http_access deny porn porn1 !noporn
> http_access allow allow_user !deny_user unix_hosts
> http_access allow pc_hosts
> http_access deny all
> http_reply_access allow all
> icp_access deny all
> cache_effective_user squid
> cache_effective_group squid
> coredump_dir /var/spool/squid
>
Chris
Received on Mon May 22 2006 - 15:29:17 MDT
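
The effect of the rule order discussed in this thread, as an added example that is not part of the original messages: a simplified Python model of first-match http_access evaluation that records whether an ident lookup is triggered before a decision is reached. The function names, the client description (`client_acls`, `has_identd`) and the trimmed configurations are constructed for illustration, and the model assumes ACLs on one line are checked left to right.

```python
# Simplified model (added example): which http_access orderings trigger ident.
ACLS = '''\
acl all src 0.0.0.0/0.0.0.0
acl allow_user ident "/etc/squid/acl/allow_user"
acl deny_user ident "/etc/squid/acl/deny_user"
acl unix_hosts srcdomain "/etc/squid/acl/unix_hosts"
acl pc_hosts srcdomain "/etc/squid/acl/pc_hosts"
'''
# Constructed excerpts: the two rules from the thread, in both orders.
ORIGINAL = ACLS + '''\
http_access allow allow_user !deny_user unix_hosts
http_access allow pc_hosts
http_access deny all
'''
REORDERED = ACLS + '''\
http_access allow pc_hosts
http_access allow allow_user !deny_user unix_hosts
http_access deny all
'''

def parse(conf):
    """Return ({acl name: acl type}, [(action, [acl refs])]) in file order."""
    types, rules = {}, []
    for line in conf.splitlines():
        f = line.split()
        if f[:1] == ["acl"]:
            types[f[1]] = f[2]
        elif f[:1] == ["http_access"]:
            rules.append((f[1], f[2:]))
    return types, rules

def evaluate(conf, client_acls, has_identd):
    """Return (action, ident_lookup_triggered) for one client connection."""
    types, rules = parse(conf)
    ident_lookup = False
    for action, refs in rules:                 # rules: first match wins
        for ref in refs:                       # ACLs on a line are ANDed
            name, negate = ref.lstrip("!"), ref.startswith("!")
            if types[name] == "ident":
                ident_lookup = True            # Squid must query the client
                hit = has_identd and name in client_acls
            else:
                hit = name == "all" or name in client_acls
            if hit == negate:
                break                          # this line cannot match
        else:
            return action, ident_lookup
    return "deny", ident_lookup                # not reached: configs end in deny all

if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL), ("reordered", REORDERED)):
        print(label, evaluate(conf, {"pc_hosts"}, has_identd=False))
```

A Windows station with no ident server is allowed in both orders, but only the original order reaches an ident ACL before `pc_hosts` is checked.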