Re: [squid-users] Maxconn and Indirect client

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 17 Apr 2012 11:34:51 +1200

On 17.04.2012 03:37, FredB wrote:
>>
>> maxconn is an inbound connection limit. Squid cannot reasonably control
>> TCP connections which are made by other software to DG since Squid has
>> no part in those connections. There is simply no relevance limiting
>> maxconn on anything except the real TCP/IP details.
>
>
> Yes, but like there is a way with delay pools

Delay pools are a completely different concept. They only apply to a
connection for the duration of a single request passing through it.
maxconn applies to an entire connection based on the first request
passing through it.

>
> Something like:
> acl my_ldap_auth proxy_auth REQUIRED
> delay_access 1 allow my_ldap_auth
> delay_access 1 deny all
> delay_parameters 1 -1/-1 -1/-1 -1/-1 128000/128000
>
> So I hoped that maybe there was a way to make the same thing with
> maxconn, user jdoe -> 20 requests/s for example
>
> maxconn only considers direct TCP links and it can't use
> acl_uses_indirect_client; is there a reason for that?

The reason is that "user" and "client" are different concepts and very
different things in networking.

In your stated use case *DG* is the client. "johndoe" is the user.
  Now alice, bob, chantell, and john *users* all connect to DG
simultaneously and their requests are relayed to Squid. Squid still only
has 1 client => DG.

A -->|
B -->|-->DG-->Squid
C -->|
J -->|

How many _connections_ does Squid have inbound? 1. From client DG.
How many _users_ does Squid have inbound? 4. From A,B,C,J via client
DG.

A -->|
B -->|-->DG--->|-->Squid
C -->|     \-->|
J -->|

How many _connections_ does Squid have inbound? 2. From DG.
How many _users_ does Squid have inbound? 4. From A,B,C,J via client
DG.

Then things get tricky... say J was an HTTP/1.1 client with pipelining
and Squid was not pipelining...

J-->DG--->|-->Squid
      \-->|

How many _connections_ does Squid have inbound? 2. From DG.
How many _users_ does Squid have inbound? 1. From J via client DG.

The ACL is max*conn* not max*user*.

To limit user name/labels by their IP address, use max_user_ip. To
limit anything about other their-end TCP connections use DG
configuration.

Amos
Received on Mon Apr 16 2012 - 23:34:57 MDT
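
Added example (not part of the original message and not Squid code): a small Python model of the three diagrams in the message, counting what a maxconn ACL keys on (TCP connections per client IP) against the number of users behind DG. The DG address and the split of users across the two DG links are constructed assumptions.

```python
from collections import Counter

# Constructed model, not Squid code. Each inbound TCP connection is recorded as
# (peer IP that Squid sees, user names whose requests travel over that link).
DG = "192.0.2.10"  # hypothetical address of the DG host (documentation range)

# The three diagrams from the message. Which users share which DG link in the
# second case is an assumption; the message does not say.
TOPOLOGIES = {
    "four_users_one_link": [(DG, {"alice", "bob", "chantell", "john"})],
    "four_users_two_links": [(DG, {"alice", "bob"}), (DG, {"chantell", "john"})],
    "one_pipelining_user": [(DG, {"john"}), (DG, {"john"})],
}


def connections_per_client(conns):
    """Inbound TCP connections per peer IP: the quantity maxconn compares."""
    return Counter(peer_ip for peer_ip, _users in conns)


def users_seen(conns):
    """Distinct user names relayed over those connections."""
    return set().union(*(users for _peer_ip, users in conns))


def maxconn_matches(conns, peer_ip, limit):
    """Model of `acl NAME maxconn <limit>`: matches when the client IP has
    more than <limit> TCP connections established."""
    return connections_per_client(conns)[peer_ip] > limit


def report(limit=1):
    """Summarise each topology as (connections from DG, users, ACL matched)."""
    return {
        name: (connections_per_client(conns)[DG], len(users_seen(conns)),
               maxconn_matches(conns, DG, limit))
        for name, conns in TOPOLOGIES.items()
    }


if __name__ == "__main__":
    for name, (n_conn, n_users, matched) in report().items():
        print(f"{name}: connections={n_conn} users={n_users} "
              f"maxconn>1 matched={matched}")
```

With a limit of 1 the ACL matches for a single pipelining user and for four users alike, because the key in both cases is DG's address.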
