Re: [squid-users] SQUID reverse-proxy configuration for large Web apps

From: Sylvain Beaux <sylvain.beaux_at_gmail.com>
Date: Mon, 21 Jul 2008 09:59:18 +0200

hi,

Here is my system information:

# uname -a
Linux <hostname> 2.6.18-53.el5 #1 SMP Wed Oct 10 16:34:02 EDT 2007 i686
i686 i386 GNU/Linux
Red Hat Enterprise 5.0

# cat /proc/cpuinfo
processor : 0
model name : Intel(R) Pentium(R) 4 CPU 2.80GHz
processor : 1
model name : Intel(R) Pentium(R) 4 CPU 2.80GHz

# top
Mem: 2067440k total, 691124k used, 1376316k free, 190704k buffers

# squid -v
Squid Cache: Version 2.6.STABLE6
configure options: '--build=i686-redhat-linux-gnu'
'--host=i686-redhat-linux-gnu' '--target=i386-redhat-linux-gnu'
'--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr'
'--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc'
'--includedir=/usr/include' '--libdir=/usr/lib'
'--libexecdir=/usr/libexec' '--sharedstatedir=/usr/com'
'--mandir=/usr/share/man' '--infodir=/usr/share/info'
'--exec_prefix=/usr' '--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid'
'--localstatedir=/var' '--datadir=/usr/share' '--sysconfdir=/etc/squid'
'--enable-epoll' '--enable-snmp' '--enable-removal-policies=heap,lru'
'--enable-storeio=aufs,coss,diskd,null,ufs' '--enable-ssl'
'--with-openssl=/usr/kerberos' '--enable-delay-pools'
'--enable-linux-netfilter' '--with-pthreads'
'--enable-ntlm-auth-helpers=SMB,fakeauth'
'--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group'
'--enable-auth=basic,digest,ntlm'
'--enable-digest-auth-helpers=password' '--with-winbind-auth-challenge'
'--enable-useragent-log' '--enable-referer-log'
'--disable-dependency-tracking' '--enable-cachemgr-hostname=localhost'
'--enable-underscores'
'--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL'
'--enable-cache-digests' '--enable-ident-lookups' '--with-large-files'
'--enable-follow-x-forwarded-for' '--enable-wccpv2' '--enable-fd-config'
'--with-maxfd=16384' 'CFLAGS=-fPIE -Os -g -pipe -fsigned-char'
'LDFLAGS=-pie' 'build_alias=i686-redhat-linux-gnu'
'host_alias=i686-redhat-linux-gnu' 'target_alias=i386-redhat-linux-gnu'

Squid was installed from a Red Hat RPM package.

---------- squid.conf ----------------------
https_port 10.0.0.1:443 vhost cert=/etc/squid/ssl.crt/server.crt key=/etc/squid/ssl.key/server.key

acl uc dstdomain webapps.extranet.ext

cache_peer webapps.corporate.com parent 443 0 no-query originserver name=uc front-end-https=auto no-digest ssl sslcert=/etc/squid/ssl.crt/server.crt sslkey=/etc/squid/ssl.key/server.key sslflags=DONT_VERIFY_PEER
cache_peer_access uc allow uc
no_cache deny uc

acl to-ldap dst X.X.X.X

auth_param basic program /usr/lib/squid/squid_ldap_auth -v 3 -b "ou=archi,dc=valb,dc=val,dc=ecc,dc=fr" -D "cn=ldap,cn=users,dc=valb,dc=val,dc=ecc,dc=fr" -w ldap -f "(&(sAMAccountName=%s))" -h X.X.X.X -p 389

auth_param basic realm extranet.ext
auth_param basic children 5
auth_param basic credentialsttl 1 hour
acl corporate_users proxy_auth REQUIRED

dns_nameservers 127.0.0.1

via on #default on
forwarded_for off # default on

visible_hostname Reverse-proxy

coredump_dir /var/spool/squid
access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
debug_options ALL,1 33,2

acl all src 0.0.0.0/0.0.0.0

acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255

acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT

http_access deny CONNECT !SSL_ports
http_access deny !Safe_ports

http_reply_access allow all
icp_access allow all

http_access allow manager localhost
http_access deny manager

http_access allow corporate_users

http_access allow uc
http_access allow to-ldap localhost

http_access deny all
--------------END----------------------
Sylvain

Haytham KHOUJA wrote:
> Hi,
> Please post your entire squid.conf and compiling attributes along with
> OS and Hardware
>
> On Fri, Jul 18, 2008 at 5:38 PM, Sylvain Beaux <sylvain.beaux_at_gmail.com> wrote:
>
>> Hi,
>>
>> I need some advice on designing SQUID as a reverse proxy for many web
>> apps (~20 servers).
>>
>> There will be 500 users using this system 24/7.
>> Each user will have 2 permanent connections using chunked encoding and
>> 1 connection using the HTTP keep-alive mechanism.
>>
>> Finally Squid will have to process 1000 simultaneous permanent
>> connections and 500 "control" connections.
>>
>> Another point is that squid will have to rewrite the HTTP Location
>> header to support HTTP 302 redirection.
>>
>> I made some tests with the Apache ab tool on a 2.6.STABLE6.
>>
>> I tested 1000 simultaneous connections using keep-alive. Each
>> connection requests the same URL 3 times. I aim to test SQUID under
>> heavy load and simulate 1000 permanent connections.
>>
>> This test, unfortunately, was not really good: 2838 requests failed.
>>
>> Concurrency Level: 1000
>> Time taken for tests: 44.672 seconds
>> Complete requests: 3000
>> Failed requests: 2838
>>
>> I had 3 main errors during the test:
>> X-Squid-Error: ERR_SOCKET_FAILURE 24
>> X-Squid-Error: ERR_CONNECT_FAIL 71
>> X-Squid-Error: ERR_CANNOT_FORWARD 0
>>
>> Is there a limitation on SQUID for simultaneous users, like a limited TCP
>> port range or something else?
>>
>> thanks
>>
>> Sylvain
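An added check, not part of the thread, that scans squid.conf directives like the ones posted above and reports three settings a reverse-proxy operator would want to revisit: sslflags=DONT_VERIFY_PEER on the cache_peer (the origin's certificate is never checked), the LDAP bind password passed with -w on the helper command line (readable in the process list), and an http_access allow rule that grants authenticated users access without also naming a destination ACL. The embedded config is a constructed excerpt of the posted one with placeholder DNs and hosts.

```python
# Constructed excerpt of the squid.conf from the thread (placeholder DNs/hosts),
# reduced to the directives the audit below looks at.
SAMPLE_CONF = """\
https_port 10.0.0.1:443 vhost cert=/etc/squid/ssl.crt/server.crt key=/etc/squid/ssl.key/server.key
acl uc dstdomain webapps.extranet.ext
cache_peer webapps.corporate.com parent 443 0 no-query originserver name=uc front-end-https=auto no-digest ssl sslcert=/etc/squid/ssl.crt/server.crt sslkey=/etc/squid/ssl.key/server.key sslflags=DONT_VERIFY_PEER
cache_peer_access uc allow uc
auth_param basic program /usr/lib/squid/squid_ldap_auth -v 3 -b "ou=archi,dc=example" -D "cn=ldap,cn=users,dc=example" -w ldap -f "(&(sAMAccountName=%s))" -h X.X.X.X -p 389
acl corporate_users proxy_auth REQUIRED
http_access allow corporate_users
http_access allow uc
http_access deny all
"""


def parse(conf):
    """Split squid.conf into (directive, args) pairs; drop comments and blank lines."""
    out = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            out.append((parts[0], parts[1:]))
    return out


def audit(conf):
    """Return a list of human-readable findings for the weak settings described above."""
    findings = []
    directives = parse(conf)
    # ACL names by type: which ACLs authenticate a user, which restrict the destination.
    proxy_auth_acls = {a[0] for d, a in directives if d == "acl" and len(a) > 1 and a[1] == "proxy_auth"}
    dst_acls = {a[0] for d, a in directives if d == "acl" and len(a) > 1 and a[1] in ("dstdomain", "dst")}
    for d, args in directives:
        if d == "cache_peer" and "sslflags=DONT_VERIFY_PEER" in args:
            findings.append(f"cache_peer {args[0]}: origin certificate is not verified (DONT_VERIFY_PEER)")
        if d == "auth_param" and "-w" in args:
            findings.append("auth_param: LDAP bind password given with -w is visible in the process list")
        if d == "http_access" and args[:1] == ["allow"]:
            acls = [a.lstrip("!") for a in args[1:]]
            # An allow rule built only on authentication does not restrict where the
            # request may go; pair it with the dstdomain ACL of the published apps.
            if any(a in proxy_auth_acls for a in acls) and not any(a in dst_acls for a in acls):
                findings.append(f"http_access allow {' '.join(args[1:])}: no destination ACL, add the dstdomain ACL of the published apps")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONF):
        print(f)
```

Running the block against the excerpt prints the three findings; a config that drops DONT_VERIFY_PEER and -w and uses "http_access allow uc corporate_users" produces none.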
Received on Mon Jul 21 2008 - 07:55:32 MDT

This archive was generated by hypermail 2.2.0 : Mon Jul 21 2008 - 12:00:05 MDT