[squid-users] Poor SSL performance with 2.6

From: Stephen <ssha@dont-contact.us>
Date: Sun, 2 Sep 2007 12:38:48 +0100

Dear all,

I am using Squid as a forward proxy. Download speeds through the proxy
to the internet, and internal webservers, are fine.

However, when forwarding SSL traffic to the same internal servers, the
performance is very, very poor. The even stranger thing is that it seems
to affect uploads through the proxy far more than downloads.

I appreciate that one's first reaction is to check for network problems
or indeed check for issues with the upstream SSL server. However, the
performance is *far* better when connecting from the outside world (and
therefore not going through our proxy).

Worse, if I bring up a web browser on the proxy, and go straight to the
SSL site, performance for an upload is excellent (e.g. 35Mb file in 2
seconds). If I go through the internal loopback interface of the server,
performance is again excellent (35Mb file in 3 seconds).

If I then configure the browser to go through the adapter connection of
the proxy, the performance is then poor (45 seconds). Worse still, if I
connect from a client machine (connected at gigabit through a gigabit
switch) then performance is dreadful (3 minutes).

At this stage, I do not believe that there is anything wrong with any of
the networking equipment, having changed most of it.

I have tried modifying Squid's persistent connections stuff, without any
effect.

A wire trace between Squid and the client shows a long response time
from Squid (85ms) and, after each delay, a 64-byte ACK frame back from
Squid after every client packet.

Squid's cachemgr output shows page faults as 0, low CPU usage (average
4%) but high select loop time of 120ms. Trying different client software
(Firefox instead of IE) shows no difference. Whilst the uploads are in
progress, Squid's CPU averages again 3 to 5%.

There is still some possibility that there is some kind of network,
adapter or adapter driver issue, but can anyone think of why Squid
should be far slower from connected clients, than going through its
loopback address, for **SSL traffic?** Non-SSL traffic is **fine**. A
much older version of Squid, 2.3 Stable 4, is also **fine**.

I am using Squid 2.6 Stable 14, with select loop (as it's the only option
for my OS) and 8192 filedescriptors. The operating system is set with
selective ACK on and all the usual BSD-style defaults. The OS itself is
eCS 1.2R (EMX).

Thank you for any thoughts you may have!

Regards,
Stephen

The HENLEY College www.henleycol.ac.uk
Received on Sun Sep 02 2007 - 05:37:50 MDT
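The post's wire trace observation (an 85ms pause and then one 64-byte ACK from Squid after every client packet) is the kind of thing worth quantifying before blaming adapters or drivers. The script below is an added example, not code from the original post or from the Squid project: it reads a simplified tcpdump-style summary (the line format `<secs> <src> > <dst> <flags> len=<bytes>` and the RFC 5737 documentation addresses are assumptions), pairs each client data segment with the next pure ACK from the proxy, and reports the median ACK delay, the ACK-per-segment ratio and the effective upload throughput. The constructed sample reproduces the pattern described in the post; on a real trace, a ratio near 1.0 with a consistently long median delay means the client spends most of the upload waiting for acknowledgements rather than sending.

```python
"""Quantify per-segment ACK latency from a proxy upload trace.

Added example (not from the original post or from Squid). Assumed trace
format per line: "<secs> <src> > <dst> <flags> len=<bytes>".
"""
import re
import statistics
from typing import Dict, List, Tuple

# Constructed sample: a client uploading through a proxy on port 3128.
# Addresses are RFC 5737 documentation addresses, not real hosts.
CLIENT = "192.0.2.20.40000"
PROXY = "192.0.2.10.3128"

SAMPLE_TRACE = """\
0.000000 192.0.2.20.40000 > 192.0.2.10.3128 P len=1460
0.085100 192.0.2.10.3128 > 192.0.2.20.40000 . len=0
0.085400 192.0.2.20.40000 > 192.0.2.10.3128 P len=1460
0.170500 192.0.2.10.3128 > 192.0.2.20.40000 . len=0
0.170800 192.0.2.20.40000 > 192.0.2.10.3128 P len=1460
0.255900 192.0.2.10.3128 > 192.0.2.20.40000 . len=0
"""

LINE_RE = re.compile(
    r"^(?P<t>\d+\.\d+) (?P<src>\S+) > (?P<dst>\S+) (?P<flags>\S+) len=(?P<len>\d+)$"
)

Packet = Tuple[float, str, str, int]  # (timestamp, src, dst, payload bytes)


def parse_trace(text: str) -> List[Packet]:
    """Parse trace lines; lines not matching the assumed format are skipped."""
    packets: List[Packet] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append((float(m["t"]), m["src"], m["dst"], int(m["len"])))
    return packets


def ack_delays(packets: List[Packet], client: str, proxy: str) -> List[float]:
    """Seconds from each client data segment to the next pure ACK from the proxy.

    A pure ACK is a proxy->client packet with no payload. Only the oldest
    unacknowledged client segment is timed, so one ACK covering several
    segments yields a single delay (and fewer ACKs than segments).
    """
    delays: List[float] = []
    pending = None  # timestamp of the oldest client segment awaiting an ACK
    for t, src, dst, length in packets:
        if src == client and dst == proxy and length > 0:
            if pending is None:
                pending = t
        elif src == proxy and dst == client and length == 0 and pending is not None:
            delays.append(t - pending)
            pending = None
    return delays


def client_data_segments(packets: List[Packet], client: str, proxy: str) -> int:
    """Number of client->proxy segments that carry payload."""
    return sum(1 for _, s, d, n in packets if s == client and d == proxy and n > 0)


def effective_throughput(packets: List[Packet], client: str, proxy: str) -> float:
    """Client->proxy payload bytes per second over the span of the trace."""
    if len(packets) < 2:
        return 0.0
    payload = sum(n for _, s, d, n in packets if s == client and d == proxy)
    span = packets[-1][0] - packets[0][0]
    return payload / span if span > 0 else 0.0


def summarize(packets: List[Packet], client: str, proxy: str,
              stall_threshold_ms: float = 40.0) -> Dict[str, float]:
    """Report ACK timing statistics and flag a per-segment acknowledgement stall."""
    delays = ack_delays(packets, client, proxy)
    segments = client_data_segments(packets, client, proxy)
    median_ms = statistics.median(delays) * 1000 if delays else 0.0
    acks_per_segment = len(delays) / segments if segments else 0.0
    return {
        "segments": segments,
        "acks": len(delays),
        "median_ack_delay_ms": round(median_ms, 3),
        "acks_per_segment": round(acks_per_segment, 3),
        "throughput_bytes_per_s": round(effective_throughput(packets, client, proxy), 1),
        # One ACK per segment with a consistently long gap: the sender is
        # idle between segments, waiting on the receiver's acknowledgement.
        "receiver_stall_suspected": bool(delays)
        and median_ms >= stall_threshold_ms
        and acks_per_segment >= 0.9,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_trace(SAMPLE_TRACE), CLIENT, PROXY).items():
        print(f"{key}: {value}")
```

Run it against a trace exported from the capture tool of your choice after adapting `LINE_RE` to that tool's summary format; comparing the numbers for the loopback path and the adapter path (the two cases the post contrasts) shows whether the extra time is spent in acknowledgement gaps or elsewhere.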
