On 26.04.2012 08:17, Fuhrmann, Marcel wrote:
> Hello list,
>
> I am a squid newbie, but I am working on it. So please forgive my
> lack of knowledge.
>
> Sometimes several flash videos don't load or it takes a long time for
> starting the video.
> I have read that DNS resolution is often a problem for long loading
> times. But DNS works fine, the squid server isn't busy and the flash
> browser plugin is up to date.
>
> As far as I know squid has a really good debug log. But as long as I
> don't know what I am searching for, it is not easy for me to
> identify/solve this problem.
>
> Maybe somebody can give me a hint?
>
> I am using squid 3 from ubuntu 10.04 repositories, havp as parent
> proxy and authentication via ADS.
> It is a virtual machine on vSphere5. 2gb ram, raid 10 for
> /var/spool/squid3.
RAID-10 will be slowing your disk I/O down proportionally to the number
of disks you are splicing with the RAID-0 features.
http://wiki.squid-cache.org/SquidFaq/RAID
This is an overall speed bump rather than specifics, although it may
show up worst when transferring larger objects due to their larger disk
I/O requirements.
>
> Here is my squid.conf:
>
> cache_mem 64 MB
> maximum_object_size 10000 KB
> maximum_object_size_in_memory 128 KB
This is fine, but note that it means videos and large images all
operate via the disks and are I/O bound on both network and disk
capacity speeds.
> cache_replacement_policy heap LFUDA
> memory_replacement_policy heap GDSF
> cache_dir aufs /var/spool/squid3 8000 256 256
> dns_nameservers 10.4.1.20
> cache_peer localhost parent 8899 0 no-query no-digest
The parent proxy could be the limit. Most traffic
> url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
> url_rewrite_children 20
What is squidGuard doing? Re-writers and redirectors can be a
bottleneck as Squid waits for them to process the request details.
> cache_effective_user proxy
> error_directory /usr/share/squid3/errors/de-de
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 20 startup=0 idle=1
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Domain Proxy Server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> authenticate_cache_garbage_interval 10 seconds
> authenticate_ttl 300 seconds
> external_acl_type nt_group ttl=5 children=5 %LOGIN /usr/lib/squid3/wbinfo_group.pl
> acl INTERNET_SQUID external nt_group internet
NTLM and winbind limit your squid to 256 concurrent logins. You say the
proxy is not loaded, so this should not matter, but it's something to be
aware of. When that capacity is reached, new login attempts will be
blocked waiting for the helpers to become free.
> acl snmptest snmp_community public
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> snmp_port 3401
> snmp_access allow snmptest localhost
> snmp_access deny all
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access allow INTERNET_SQUID
> http_access deny all
> icp_access deny all
> htcp_access deny all
> http_port 3128
> hierarchy_stoplist cgi-bin ?
You can try dropping hierarchy_stoplist. It is preventing dynamic
website traffic with query parameters ("?...") going through your peer,
which may or may not be related to speed differences between objects
with or without ? in the URL.
> access_log /var/log/squid3/access.log squid
> cache_log /var/log/squid3/cache.log squid
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern (cgi-bin|\?) 0 0% 0
Old pattern. The better one is:
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> icp_port 0
>
>
There is nothing really standing out as a cause in this config.
Amos
Received on Wed Apr 25 2012 - 23:31:13 MDT
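
Added example, not part of the original message and not Squid project code: one way to check the parent-proxy and hierarchy_stoplist points above is to group access.log entries (native "squid" format, as configured in the quoted squid.conf) by the path Squid used and compare elapsed times. The sample log lines, hostnames and users are constructed, and the "stoplisted" test (URL contains "?" or "cgi-bin") is an assumption mirroring the quoted hierarchy_stoplist line.

```python
from collections import defaultdict
from statistics import median

# Constructed sample in Squid's native access.log layout:
# time elapsed_ms client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1335420000.101   9120 10.4.2.15 TCP_MISS/200 5242880 GET http://video.example.com/a.flv alice FIRST_UP_PARENT/localhost video/x-flv
1335420003.412    640 10.4.2.15 TCP_MISS/200 4194304 GET http://video.example.com/get?id=7 alice DIRECT/192.0.2.10 video/x-flv
1335420007.900   8800 10.4.2.16 TCP_MISS/200 3145728 GET http://cdn.example.net/b.flv bob FIRST_UP_PARENT/localhost video/x-flv
1335420009.250     12 10.4.2.16 TCP_MEM_HIT/200 2048 GET http://www.example.org/logo.png bob NONE/- image/png
1335420011.730    700 10.4.2.17 TCP_MISS/200 6291456 GET http://cdn.example.net/play?v=9 carol DIRECT/192.0.2.20 video/x-flv
truncated line that should be skipped
"""

def parse_line(line):
    """Return a dict for one native-format line, or None if it is malformed."""
    f = line.split()
    if len(f) < 10 or not f[1].isdigit() or not f[4].isdigit():
        return None
    hier = f[8].split("/", 1)[0]          # e.g. FIRST_UP_PARENT, DIRECT, NONE
    if "PARENT" in hier:
        route = "parent"                  # went through cache_peer (havp here)
    elif hier.endswith("DIRECT"):
        route = "direct"                  # fetched straight from the origin
    else:
        route = "local"                   # served from cache or denied
    return {"elapsed_ms": int(f[1]), "bytes": int(f[4]), "url": f[6],
            "route": route, "stoplisted": "?" in f[6] or "cgi-bin" in f[6]}

def summarize(lines):
    """Group requests by (route, stoplisted) -> (count, median ms, median KB/s)."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            groups[(rec["route"], rec["stoplisted"])].append(rec)
    out = {}
    for key, recs in groups.items():
        ms = median(r["elapsed_ms"] for r in recs)
        rate = median(r["bytes"] / 1024 / max(r["elapsed_ms"], 1) * 1000 for r in recs)
        out[key] = (len(recs), ms, round(rate))
    return out

if __name__ == "__main__":
    for (route, stop), (n, ms, rate) in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(f"{route:7} stoplisted={stop!s:5} n={n} median={ms}ms ~{rate} KB/s")
```

If the "parent" group is consistently slower than the "direct" group for objects of similar size, the parent proxy or the path to it is the place to look first.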