On Wed, 20 Jul 2011 09:13:34 +1200, Gregory Machin wrote:
> Hi.
> Been a long time since I last looked at a squid proxy. After adding a
> proxy to the network, browsing seems to have slowed considerably. I
> have built a squid proxy; this is configured into the network via
> our Sonicwall using the proxy feature. When I looked into the
> configuration I did a few optimizations based on what I found on a
> couple of websites. Although I opted not to tweak the OS more than
> increase the ulimit, as I would not expect it to be required given the
> hardware. It is running out of an SSD drive.
>
> When I run top the box is idle for the most part. There are about 100
> users on this site.
>
> So my question is what may I have configured incorrectly or missed
> that would help?
>
Two things in general to be aware of.
* Careful with SSD. Squid is a mostly-write software, SSDs work best
with mostly-read. So SSD lifetime and speed are reduced from the well
advertised specs. That said, they can still improve caching HIT speeds.
* Browsers will default to reducing their utilized connection count by
99% when working through a proxy. This can make things appear much
slower than normal given modern website tendency to require dozens or
hundreds of objects at once for a simple page load.
* Ensure that no memory swapping is occurring. This will take a major
bite out of squid performance.
>
> The hardware is :
>
> 4 Gig Ram
> Intel(R) Xeon(R) CPU E3110 @ 3.00GHz (dual core)
> hard disk is SSD 32 GB
>
> The / file system is ext3
> The /var system is ext4 (cache is /var/spool/squid).
>
> The OS is Linux Ubuntu 10 LTS
>
> the squid configuration file looks like
>
<snip>
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
If you don't actually need the "purge" ACL remove it. There is a
lot of background CPU and RAM needed to support it.
> http_access deny !Safe_ports
> http_access allow CONNECT
PROBLEM: global unlimited tunnelling.
http://wiki.squid-cache.org/SquidFaq/SecurityPitfalls
"allow localnet" below will already allow HTTPS traffic if it is not
blocked by the SSL_Ports safety net.
If there actually are non-HTTPS ports to which you require https://
access add them to the SSL_Ports definition as well as the Safe_Ports
one. I see you have already done this for several, although 563 is
missing from Safe_Ports.
> http_access deny CONNECT !SSL_ports
> http_access allow localnet
> http_access allow localhost
> http_access deny all
<snip>
> memory_pools off
NOTE: memory optimization for squid usage patterns: DISABLED. This may
be needed in some 64-bit systems with broken memory handling. If yours
is not one of those, re-enable this.
That is it for general stuff. You will need to dig a bit deeper and
find out what specifically are the slowest things going on.
Amos
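Amos's point about the CONNECT rule order, as an added example that is not part of the thread: a small Python evaluator with Squid's first-match http_access semantics, run over the posted rule order and over the same list with "allow CONNECT" removed. The acl definitions and the 192.168.0.0/16 localnet are assumptions, since the mail shows only the http_access lines.

```python
"""Squid http_access first-match evaluator (added example, not from the thread)."""
import ipaddress

# ACL definitions constructed for this example (the mail shows only the http_access
# lines); they follow Squid's stock defaults, incl. 563 in SSL_ports but not Safe_ports.
ACLS = {
    "CONNECT":    ("method", {"CONNECT"}),
    "Safe_ports": ("port", {80, 21, 443, 70, 210, 280, 488, 591, 777}),
    "SSL_ports":  ("port", {443, 563}),
    "localnet":   ("src", ipaddress.ip_network("192.168.0.0/16")),
    "all":        ("all", None),
}

# The CONNECT-relevant part of the posted rule order.
ORIGINAL = """
http_access deny !Safe_ports
http_access allow CONNECT
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
"""
# The reply's fix: drop "allow CONNECT". "allow localnet" still admits HTTPS, and
# "deny CONNECT !SSL_ports" is now reached before any tunnel is allowed.
FIXED = ORIGINAL.replace("http_access allow CONNECT\n", "")

def acl_matches(token, req):
    """Match one ACL token against a request, honouring a leading '!'."""
    kind, values = ACLS[token.lstrip("!")]
    if kind == "method":
        hit = req["method"] in values
    elif kind == "port":
        hit = req["port"] in values
    elif kind == "src":
        hit = ipaddress.ip_address(req["src"]) in values
    else:  # "all"
        hit = True
    return hit != token.startswith("!")

def http_access(config, req):
    """Return 'allow' or 'deny': the first line whose ACLs all match wins."""
    last = "deny"
    for line in config.strip().splitlines():
        parts = line.split()
        if len(parts) > 2 and parts[0] == "http_access":
            last, acls = parts[1], parts[2:]
            if all(acl_matches(a, req) for a in acls):
                return last
    # Nothing matched: Squid applies the opposite of the last line's action.
    return "allow" if last == "deny" else "deny"
```

With the posted order a CONNECT to port 80 from a localnet client is allowed before the SSL_ports check is ever reached; with "allow CONNECT" removed the same request is denied while CONNECT to 443 still passes via "allow localnet".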
Received on Wed Jul 20 2011 - 02:19:29 MDT