How can Squid be configured to improve performance?


赵 俊

Thanks for reading my email.

I have two questions:

My first question is what the maximum number of concurrent connections and the maximum number of new connections of Squid are.

The second question is how to configure Squid to improve the maximum number of concurrent connections, the maximum number of new connections, and the performance.

I use version 3.5.27.

My squid.conf is:

acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
acl NCACHE method GET
store_miss deny all
via off

# Squid normally listens to port 3128
http_port 3128 
https_port 192.168.XX.XXX:3129 intercept ssl-bump connection-auth=off generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/myCA.pem key=/usr/local/squid/ssl_cert/myCA.pem  options=NO_SSLv3,NO_SSLv2

acl ssl_step1 at_step SslBump1
acl ssl_step2 at_step SslBump2
acl ssl_step3 at_step SslBump3

ssl_bump peek ssl_step1
ssl_bump stare ssl_step2
ssl_bump bump ssl_step3

sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1

#Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /usr/local/squid/var/cache/squid 4096 16 256
minimum_object_size 0 KB
maximum_object_size 4096 KB
maximum_object_size_in_memory 4096 KB

ipcache_size 1024 MB
ipcache_low 90
ipcache_high 95
fqdncache_size 1024 MB

cache_mem 2048 MB
cache_swap_low 90
cache_swap_high 95

# Leave coredumps in the first cache dir
coredump_dir /usr/local/squid/var/cache/squid

#icap
icap_enable on
icap_preview_enable on
icap_preview_size 1024
icap_send_client_ip on
adaptation_meta X-Client-Port "%>p"
icap_206_enable on
icap_persistent_connections off

icap_service service_req reqmod_precache 0 icap://192.168.XX.XXX:1344/echo
icap_service service_res respmod_precache 1 icap://192.168.XX.XXX:1344/echo
adaptation_access service_res allow all
adaptation_access service_req allow all

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: How can Squid be configured to improve performance?

Amos Jeffries
Administrator
On 11/04/18 13:48, 赵 俊 wrote:
> Thanks for reading my email.
>
> I have two questions:
>
> My first question is what the maximum number of concurrent connections
> and the maximum number of new connections of Squid are.
>


There are 64K ports on an IP address. Your Squid and machine also have a
file descriptor (FD) limit; it is 64K by default but may be smaller (e.g.
on Windows it is 256). The smaller of those two numbers is the upper
limit Squid can use.

The ports number is shared between client connections, server
connections and both types of ICAP connections.

The FDs number is shared by the same things as the ports number, as well
as disk files in-use.


You can maybe increase FDs with squid.conf max_filedescriptors, or if
that does not work rebuild Squid with --max-filedescriptors= build
option. Use the ulimit tool on non-Windows machines to increase the OS
limit before starting Squid.



> The second question is how to configure Squid to improve the maximum
> number of concurrent connections, the maximum number of new connections,
> and the performance.
>

If available FDs are your limit you can maybe increase them with the
squid.conf max_filedescriptors config option. Or if that does not work
rebuild Squid with the --max-filedescriptors= build option. Use the ulimit
tool on non-Windows machines to increase the OS limit before starting Squid.


> I use version 3.5.27.
>
> My squid.conf is:
...
>
> # And finally deny all other access to this proxy
> acl NCACHE method GET
> store_miss deny all

The "store_miss deny all" above will be preventing HTTP objects from
caching. That means every request will consume one extra server
connection and one ICAP RESPMOD connection.
Your Squid will need somewhat fewer connections if things are
caching. So you may want to remove this.


> via off
>
> # Squid normally listens to port 3128
> http_port 3128 
> https_port 192.168.XX.XXX:3129 intercept ssl-bump connection-auth=off
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> cert=/usr/local/squid/ssl_cert/myCA.pem
> key=/usr/local/squid/ssl_cert/myCA.pem  options=NO_SSLv3,NO_SSLv2

NP: If cert= and key= are in the same file like this you do not have to
configure key=.

Also, for Squid-3.* add sslflags=NO_DEFAULT_CA on the above port line.
That will free up a lot of memory in OpenSSL for other things it may be
needed for.


>
> acl ssl_step1 at_step SslBump1
> acl ssl_step2 at_step SslBump2
> acl ssl_step3 at_step SslBump3
>
> ssl_bump peek ssl_step1
> ssl_bump stare ssl_step2
> ssl_bump bump ssl_step3
>
> sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s
> /usr/local/squid/lib/ssl_db -M 4MB
> sslcrtd_children 8 startup=1 idle=1
>

ssl_crtd is a little bit unusual for helpers in that it holds up the TLS
handshake which is somewhat critical to do fast. So it is probably best
to use more than startup=1 to reduce Squid memory usage and delays.

As a general "rule of thumb" look at your running proxy and see how many
helpers it is needing to start for your normal traffic. Use that as the
startup= value.



The below cache_dir, object_size, cache_mem, and cache_swap directives
are not useful while you have "store_miss deny all" preventing cache
storage being used.

> #Uncomment and adjust the following to add a disk cache directory.
> cache_dir ufs /usr/local/squid/var/cache/squid 4096 16 256
> minimum_object_size 0 KB
> maximum_object_size 4096 KB
> maximum_object_size_in_memory 4096 KB
>
> ipcache_size 1024 MB
> ipcache_low 90
> ipcache_high 95
> fqdncache_size 1024 MB
>
> cache_mem 2048 MB
> cache_swap_low 90
> cache_swap_high 95
>
> # Leave coredumps in the first cache dir
> coredump_dir /usr/local/squid/var/cache/squid
>
> #icap
> icap_enable on
> icap_preview_enable on
> icap_preview_size 1024
> icap_send_client_ip on
> adaptation_meta X-Client-Port "%>p"
> icap_206_enable on
> icap_persistent_connections off

The above disabling of persistence on ICAP connections will be slowing
Squid down since it has to repeat TCP handshakes *twice* for every
single message through the proxy.


>
> icap_service service_req reqmod_precache 0 icap://192.168.XX.XXX:1344/echo
> icap_service service_res respmod_precache 1 icap://192.168.XX.XXX:1344/echo
> adaptation_access service_res allow all
> adaptation_access service_req allow all
>

You can maybe improve ICAP connection use by tuning some traffic not to
use adaptation. For example CONNECT messages are being SSL-Bump'ed so
they are best not to be adapted.
For example:
  adaptation_access service_req deny CONNECT
  adaptation_access service_req allow all


Amos
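The changes recommended in the reply above, applied to the poster's squid.conf as a corrected fragment. This is an added example, not a file from the thread or from the Squid project; the max_filedescriptors and startup= values are placeholders to be set from your own measurements, and the redacted 192.168.XX.XXX addresses are kept as the poster wrote them.

```conf
# Added example (not from the thread): the poster's squid.conf with the
# changes recommended in the reply applied. PLACEHOLDER values are assumptions.

# Squid's own FD limit; the OS limit must also be raised (ulimit -n) before
# Squid starts, and the build must permit it. PLACEHOLDER value.
max_filedescriptors 65536

http_access allow localnet
http_access allow localhost
# Restores the standard final rule that the original file's comment announced
http_access deny all

# Before: "store_miss deny all" disabled caching, costing one extra server
# connection and one ICAP RESPMOD connection per request. After: line removed,
# so the cache_mem / cache_dir / object_size settings below take effect again.

http_port 3128
# Before: key= repeated the cert= file and no sslflags. After: key= dropped
# (one PEM holds both) and sslflags=NO_DEFAULT_CA frees OpenSSL memory on Squid-3.
https_port 192.168.XX.XXX:3129 intercept ssl-bump connection-auth=off generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/myCA.pem sslflags=NO_DEFAULT_CA options=NO_SSLv3,NO_SSLv2

# at_step ACLs and ssl_bump peek/stare/bump lines: unchanged from the original.

sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/lib/ssl_db -M 4MB
# Before: startup=1 stalled TLS handshakes while helpers spawned. After:
# startup= set to the helper count observed under normal load (PLACEHOLDER 4).
sslcrtd_children 8 startup=4 idle=1

cache_dir ufs /usr/local/squid/var/cache/squid 4096 16 256
maximum_object_size 4096 KB
maximum_object_size_in_memory 4096 KB
cache_mem 2048 MB

icap_enable on
icap_preview_enable on
icap_preview_size 1024
icap_send_client_ip on
icap_206_enable on
# Before: "off" forced two extra TCP handshakes per message. After: reuse them.
icap_persistent_connections on

icap_service service_req reqmod_precache 0 icap://192.168.XX.XXX:1344/echo
icap_service service_res respmod_precache 1 icap://192.168.XX.XXX:1344/echo
# Keep SSL-Bump'ed CONNECT tunnels out of REQMOD; adapt everything else.
adaptation_access service_req deny CONNECT
adaptation_access service_req allow all
adaptation_access service_res allow all
```

After editing, `squid -k parse` checks the file for syntax errors and `squid -k reconfigure` applies it without restarting the proxy.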