Re: [squid-users] squid slows when more user connect to it

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 17 May 2012 12:51:48 +1200

On 17.05.2012 04:27, Ali Esf wrote:
> hello
>
> we are using squid just for proxy not for caching.
> we have 4 linux  machines (vps) with the following specification and
> need to add 6 other machines to be 10 machines use squid.
>
> specification for each machine:
> ram = 1 GB
> port = 1 Gbps
> cpu = Intel(R) Xeon(R) CPU          E5620  @ 2.40GHz, 2 cores
> os = CentOS Linux 5.8
> hard disk space = 30 GB
> ----------------------------------------
> we have configured for https proxy on port 9090 in this 4 linux
> machines

No, you configured squid as a plain-HTTP proxy on port 9090.

>
> the problem is that when the number of users rises the speed of proxy
> comes down and sometimes it does not connect. and the speed of loading
> pages is too slow.

Normal to see speed decrease as load rises. Do you have numbers for
what you consider "slow", "fast" and "more"?

> we compared the squid with the ccproxy on microsoft
> windows and understood that the ccproxy can support more users than
> squid in the same specification machine.

Really? Squid can support millions of "users". All simultaneously not
doing anything.

NP: Only requests-per-second and concurrent-connection-count metrics
measure proxy capacity properly.

> we think we have some problem in configuring squid.
> we want you to help us to improve the speed of the squid.
> here is the configuration of the squid.
> if you need vps user pass for monitoring and more information please
> say to email the user pass and ip of the vps.
>
>
>
> we installed the squid with the following commands
> ./configure --prefix=/usr/local/squid

Run "./configure --help" and take note of the "--disable" options
available. If any of them are for features you don't want to use, you
can speed up Squid a little by adding those disable options to remove
the features code.

> make all
> make install
>
>
> the squid version is squid-3.1.19
>
>

3.1 series contains IPv6 support. With two sequential DNS lookups per
domain the DNS handling speed can impact traffic through 3.1 in a major
way.

>
> ------------------------------------------------------------------
> cache deny all
> #
> # Recommended minimum configuration:
> #
> auth_param basic program /usr/local/squid/libexec/squid_db_auth --user squid_user --password c.0.m.p.u.t.e.r==(68)==)( --plaintext --persist
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32 ::1
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
>
> # Example rule allowing access from your local networks.
> # Adapt to list your (internal) IP networks from where browsing
> # should be allowed
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl localnet src fc00::/7 # RFC 4193 local private network range
> acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

Reducing the size of the ACL reduces the amount of work done testing
it. Follow the advice listed above and remove the *possible* LAN
networks which you are not using.

>
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> acl user_pass_auth proxy_auth REQUIRED
>
>
>
> # replace 10.0.0.1 with your webserver IP
>
>
>
>
> #
> # Recommended minimum Access Permission configuration:
> #
> # Only allow cachemgr access from localhost
> http_access allow manager localhost
> http_access deny manager
>
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
>
> # Deny CONNECT to other than secure SSL ports

NOTE: You dropped the CONNECT safety rule.

> http_access allow localnet

This allows all LAN users to bypass proxy authentication. Did you want
that?

>
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow localhost
> http_access allow user_pass_auth
> http_access allow all

"http_access allow all" permits anyone on the WAN who fails
authentication to use the proxy anyway.

Amos
Received on Thu May 17 2012 - 00:51:54 MDT
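
The three access-control points raised in the reply above (the dropped CONNECT rule, the localnet bypass, the trailing "http_access allow all"), traced through a simplified first-match model of http_access. This is an added example, not part of the original message or of Squid itself. Assumptions: the sample requests are constructed, "auth_ok" stands in for the auth helper accepting the login (the 407 challenge exchange is not modelled), and FIXED assumes every non-localhost client must log in.

```python
import ipaddress

# POSTED is quoted from the thread; FIXED is the correction added in this example.
POSTED = """\
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access allow localnet
http_access allow localhost
http_access allow user_pass_auth
http_access allow all"""
FIXED = (POSTED.replace("allow localnet", "deny CONNECT !SSL_ports")
         .replace("allow all", "deny all"))

LOCALNET = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10")]
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777}  # plus 1025-65535

def acl_matches(name, req):
    """Evaluate one ACL name, optionally negated with '!', against a request."""
    src = ipaddress.ip_address(req["src"])
    value = {
        "all": True,
        "manager": req.get("proto") == "cache_object",
        "localhost": src.is_loopback,
        "localnet": any(src in net for net in LOCALNET),
        "Safe_ports": req["port"] in SAFE_PORTS or 1025 <= req["port"] <= 65535,
        "SSL_ports": req["port"] == 443,
        "CONNECT": req["method"] == "CONNECT",
        "user_pass_auth": req.get("auth_ok", False),  # helper accepted the login
    }[name.lstrip("!")]
    return value != name.startswith("!")

def decide(rules, req):
    """Action of the first http_access line whose ACLs all match (AND per line)."""
    for line in rules.splitlines():
        _directive, action, *acls = line.split()
        if all(acl_matches(acl, req) for acl in acls):
            return action
    return "deny"  # not reached: both rule sets end with a rule on "all"

SAMPLES = {  # constructed requests; the addresses are not from the thread
    "wan_failed_login": {"src": "203.0.113.7", "method": "GET", "port": 80},
    "wan_tunnel_6667": {"src": "203.0.113.7", "method": "CONNECT", "port": 6667, "auth_ok": True},
    "lan_no_login": {"src": "192.168.1.5", "method": "GET", "port": 80},
    "wan_https": {"src": "203.0.113.7", "method": "CONNECT", "port": 443, "auth_ok": True},
}
for name, req in SAMPLES.items():
    print(f"{name:17} posted={decide(POSTED, req)} fixed={decide(FIXED, req)}")
```

Only the authenticated CONNECT to port 443 is allowed by both rule sets; the other three samples pass the posted rules and are denied by the corrected ones.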
