Re: [squid-users] Browsing slow after adding squid proxy.

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 20 Jul 2011 14:19:23 +1200

 On Wed, 20 Jul 2011 09:13:34 +1200, Gregory Machin wrote:
> Hi.
> Been a long time since I last looked at a squid proxy. After adding a
> proxy to the network, browsing seems to have slowed considerably. I
> have built a squid proxy; this is configured into the network via
> our Sonicwall using the proxy feature. When I looked into the
> configuration I did a few optimizations based on what I found on a
> couple of websites. Although I opted not to tweak the OS more than
> increase the ulimit as I would not expect it to be required given the
> hardware. It is running off an SSD drive.
>
> When I run top the box is idle for the most part. There are about 100
> users on this site.
>
> So my question is what may I have configured incorrectly or missed
> that would help?
>

 Two things in general to be aware of.

  * Careful with SSD. Squid is a mostly-write software, SSDs work best
 with mostly-read. So SSD lifetime and speed are reduced from the well
 advertised specs. That said, they can still improve caching HIT speeds.

  * Browsers will default to reducing their utilized connection count by
 99% when working through a proxy. This can make things appear much
 slower than normal given modern website tendency to require dozens or
 hundreds of objects at once for a simple page load.

  * ensure that no memory swapping is occurring. This will take a major
 bite out of squid performance.

>
> The hardware is :
>
> 4 Gig Ram
> Intel(R) Xeon(R) CPU E3110 @ 3.00GHz (dual core)
> hard disk is SSD 32 GB
>
> The / file system is ext3
> The /var system is ext4 (cache is /var/spool/squid).
>
> The OS is Linux Ubuntu 10 LTS
>
> the squid configuration file looks like
>
 <snip>
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge

 If you don't actually need the "purge" ACL remove it. There is a
 lot of background CPU and RAM needed to support it.

> http_access deny !Safe_ports
> http_access allow CONNECT

 PROBLEM: global unlimited tunnelling.
 http://wiki.squid-cache.org/SquidFaq/SecurityPitfalls

 "allow localnet" below will already allow HTTPS traffic if it is not
 blocked by the SSL_Ports safety net.

 If there actually are non-HTTPS ports to which you require https://
 access add them to the SSL_Ports definition as well as the Safe_Ports
 one. I see you have already done this for several, although 563 is
 missing from Safe_Ports.

> http_access deny CONNECT !SSL_ports
> http_access allow localnet
> http_access allow localhost
> http_access deny all
 <snip>
> memory_pools off

 NOTE: memory optimization for squid usage patterns: DISABLED. This may
 be needed in some 64-bit systems with broken memory handling. If yours
 is not one of those, re-enable this.

 That is it for general stuff. You will need to dig a bit deeper and
 find out what specifically are the slowest things going on.

 Amos
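The two points the reply makes about the http_access list (the global "allow CONNECT" line and port 563 being in SSL_ports but not Safe_ports) are easiest to see by walking the rule order the way Squid does: top-down, first matching line wins, every ACL term on a line must match, a leading "!" inverts a term, and if nothing matches the opposite of the last line's action applies. The script below is an added illustration written for this thread, not code from Squid or from either poster. It models only those semantics for "port", "method" and "src" ACLs; the port lists, the localnet range and the client addresses are constructed assumptions (Squid's default Safe_ports and SSL_ports with 563 added to SSL_ports only), since the quoted squid.conf was snipped.

```python
"""First-match simulator for a Squid http_access rule list (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Request:
    method: str   # e.g. "GET" or "CONNECT"
    src: str      # client IP address
    port: int     # destination port


# ACL name -> (type, value). Port ACLs are lists of (low, high) ranges.
# Assumed values: Squid defaults, plus 563 in SSL_ports but not Safe_ports.
ACLS = {
    "Safe_ports": ("port", [(80, 80), (21, 21), (443, 443), (70, 70), (210, 210),
                            (1025, 65535), (280, 280), (488, 488), (591, 591),
                            (777, 777)]),
    "SSL_ports": ("port", [(443, 443), (563, 563)]),
    "CONNECT": ("method", {"CONNECT"}),
    "localnet": ("src", [ip_network("192.168.0.0/16")]),   # assumed LAN range
    "localhost": ("src", [ip_network("127.0.0.0/8")]),
    "all": ("src", [ip_network("0.0.0.0/0")]),
}


def acl_matches(name: str, req: Request) -> bool:
    """True when the named ACL matches the request."""
    kind, value = ACLS[name]
    if kind == "port":
        return any(lo <= req.port <= hi for lo, hi in value)
    if kind == "method":
        return req.method in value
    if kind == "src":
        return any(ip_address(req.src) in net for net in value)
    raise ValueError(f"unsupported acl type {kind}")


def evaluate(rules, req: Request) -> str:
    """Return 'allow' or 'deny' for req under an ordered http_access list."""
    for action, terms in rules:
        # every term on the line must match; a leading '!' inverts that term
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    # nothing matched: Squid applies the opposite of the last line's action
    return "deny" if rules[-1][0] == "allow" else "allow"


# Rule order as quoted in the thread (manager/purge lines omitted).
ORIGINAL = [
    ("deny", ["!Safe_ports"]),
    ("allow", ["CONNECT"]),              # the line the reply flags
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localnet"]),
    ("allow", ["localhost"]),
    ("deny", ["all"]),
]

# The same list with the global "allow CONNECT" line removed.
FIXED = [rule for rule in ORIGINAL if rule != ("allow", ["CONNECT"])]


def audit(rules) -> dict:
    """Decisions for a few constructed probe requests, keyed by case name."""
    probes = {
        "lan_connect_443": Request("CONNECT", "192.168.1.20", 443),
        "lan_connect_8080": Request("CONNECT", "192.168.1.20", 8080),     # non-SSL port inside Safe_ports
        "outside_connect_8080": Request("CONNECT", "203.0.113.7", 8080),  # client not in localnet
        "lan_connect_563": Request("CONNECT", "192.168.1.20", 563),       # in SSL_ports only
        "lan_get_80": Request("GET", "192.168.1.20", 80),
    }
    return {name: evaluate(rules, req) for name, req in probes.items()}


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, audit(rules))
```

Under the quoted order, "allow CONNECT" sits before both the SSL_ports check and the localnet check, so a CONNECT to any Safe_port from any client is allowed, which is what the reply means by global unlimited tunnelling. With that line removed, CONNECT to 443 from localnet is still allowed through "allow localnet", CONNECT to other ports is stopped by "deny CONNECT !SSL_ports", and outside clients fall through to "deny all". The 563 probe is denied in both versions because "deny !Safe_ports" runs first, which is why the reply says that port has to be in Safe_ports as well as SSL_ports.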
Received on Wed Jul 20 2011 - 02:19:29 MDT
