Amos Jeffries
Wed, 10 Mar 2010 04:47:41 -0800
GIGO . wrote:
Dear All,

I am facing this problem that images are not loading properly into web pages. The clients that are directly on ISA are having a better experience of net browsing than Squid with cache. (Its response is slow). Something to do with my cache settings??

Further information: I have four (4) Gb of physical RAM on my server (Ubuntu 8.04 LTS). With physical RAID 1 implemented on IBM 3650 X series. Default partition scheme of Ubuntu (without LVM) is applied.

Please guide me about it.

Regards,
Bilal

My Squid.conf file:

visible_hostname 10.1.82.53
cache_peer 10.1.82.205 parent 8080 0 default no-digest no-query
http_port 10.1.82.53:3128
never_direct allow all
cache_effective_user proxy
cache_mgr bilal.as...@mcb.com.pk
coredump_dir /var/sppol/squid3
cache_dir ufs /var/squidcache 50000 16 256

Problem #1: ufs filesystem is slowest available. Use aufs on Linux.

cache_swap_low 75
cache_mem 1000 MB
maximum_object_size 195 MB
minimum_object_size 12 bytes
cache_replacement_policy lru
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl localServers dst 10.1.82.0/24 10.1.80.0/24 10.1.245.0/24
#acl localServers dstdomain .bla.bla.com
no_cache deny LocalServers

Problem #2: "no_cache" is obsolete. The above means prevent caching of LocalServers responses. ie:
  cache deny LocalServers

acl Query urlpath_regex cgi-bin \?
cache deny Query
hierarchy_stoplist cgi-bin ?

Problem #3: dynamic web objects are extremely common these days and a large portion are cacheable. Maybe the stuff you want cached has a ? in it.
Remove the "Query" ACL and rules.

acl manager proto cache_object
http_access allow manager
http_access deny manager
acl OverConnLimit maxconn 10
http_access deny OverConnLimit

Note: capping connection limits is known to cause noticeable slowdown for clients. The more parallel requests that can be done, the faster large multi-object pages download (sites like www.cnn.com with its legendary 480+ front-page objects [they have improved now]). It's up to you though.

acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
http_access allow localhost
acl SSL_ports port 443 #https
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl FcUsr src "/etc/squid3/FcUsr.conf"
acl PUsr src "/etc/squid3/PUsr.conf"
acl RUsr src "/etc/squid3/RUsr.conf"
acl Working_hours time MTWHF 09:00-17:00
acl inlunchbreak time 13:00-14:30
####----Definitions for BlockingRules----#####
###Definition of MP3/MPEG
acl FTPMP3 url_regex -i ^ftp://.*\.mp3$

Sometimes like this it's faster to split that into two ACLs...
  acl FTP proto FTP
  acl MP3url urlpath_regex \.mp3(\?.*)?$
  http_access ... FTP MP3url

acl Movies rep_mime_type video/mpeg
acl MP3s rep_mime_type audio/mpeg
###Definition of Flash Video
acl deny_rep_mime_flashvideo rep_mime_type video/flv
###Definition of Porn
acl Sex urlpath_regex sex
acl PornSites url_regex "/etc/squid3/pornlist"
####Definition of YouTube.
## The videos come from several domains
acl youtube_domains dstdomain .youtube.com .googlevideo.com .ytimg.com
###Definition of FaceBook
acl facebook_sites dstdomain .facebook.com
#### Definition of MSN Messenger
acl msn urlpath_regex -i gateway.dll
acl msnd dstdomain messenger.msn.com gateway.messenger.hotmail.com
acl msn1 req_mime_type application/x-msn-messenger
####Definition of Blocking Skype
acl numeric_IPs url_regex ^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9af]+)?:([0-9af:]+)?:([0-9af]+)?\])):443
acl Skype_UA browser ^skype^
##Definition of Yahoo! Messenger
acl ym dstdomain .messenger.yahoo.com .psq.yahoo.com
acl ym dstdomain .us.il.yimg.com .msg.yahoo.com .pager.yahoo.com
acl ym dstdomain .rareedge.com .ytunnelpro.com .chat.yahoo.com
acl ym dstdomain .voice.yahoo.com
acl ymregex url_regex yupdater.yim ymsgr myspaceim
## Other protocols Yahoo!Messenger uses ??
acl ym dstdomain .skype.com .imvu.com
###Disallowing download of executables from web#####
acl downloads url_regex "/etc/squid3/download.conf"
###---------------------------------------------########
http_access deny PornSites RUsr
http_access deny PornSites PUsr
http_access deny Sex RUsr
http_access deny Sex PUsr
http_access deny msnd PUsr
http_access deny msnd RUsr
http_access deny msn PUsr
http_access deny msn RUsr
http_access deny msn1 PUsr
http_access deny msn1 RUsr
http_access deny numeric_IPs PUsr
http_access deny numeric_IPs RUsr
http_access deny Skype_UA PUsr
http_access deny Skype_UA RUsr
http_access deny ym RUsr
http_access deny ym PUsr
http_access deny ymregex RUsr
http_access deny ymregex PUsr
#----Most Restricted settings Exclusive for Normal users......#
http_reply_access deny Movies RUsr
http_reply_access deny MP3s RUsr
http_access deny FTPMP3 RUsr

http_access deny FTP MP3url

http_reply_access deny deny_rep_mime_flashvideo RUsr
http_access deny youtube_domains RUsr
http_access deny facebook_sites RUsr
http_access deny downloads RUsr
http_access allow youtube_domains inlunchbreak PUsr
http_access allow facebook_sites inlunchbreak PUsr
http_access deny youtube_domains PUsr Working_hours
http_access deny facebook_sites PUsr Working_hours
http_access allow FcUsr
http_access allow PUsr
http_access allow RUsr
http_access deny all

As a general rule-of-thumb for better speed, place the fastest ACL first on each line and the slowest at the end. For Squid, remote lookups are _the_ slowest around, with regex a close second.
This is a rough estimate of the order (top == fastest) of speed of your ACL types:

  src / port / proto / method
  dstdomain / time
  urlpath_regex / rep_mime_type / req_mime_type
  url_regex / browser

To speed your Squid up you need a lot of access line changes like this one:

before optimizing:
  http_access allow youtube_domains inlunchbreak PUsr
after optimizing:
  http_access allow PUsr inlunchbreak youtube_domains

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE8 or 3.0.STABLE24
  Current Beta Squid 3.1.0.17
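
The ACL-ordering rule of thumb from the reply above, applied mechanically; this is an added example, not part of the original message or of Squid. The function names, the ranking of unlisted ACL types as slowest, and the skipping of commented lines are assumptions of the example.

```python
# Speed tiers from the reply (0 = fastest); unlisted types rank last (assumption).
TIERS = [
    {"src", "port", "proto", "method"},
    {"dstdomain", "time"},
    {"urlpath_regex", "rep_mime_type", "req_mime_type"},
    {"url_regex", "browser"},
]
RANK = {t: i for i, tier in enumerate(TIERS) for t in tier}
RULES = ("http_access", "http_reply_access")

# Constructed sample: a few lines taken from the configuration quoted above.
SAMPLE = """\
acl PUsr src "/etc/squid3/PUsr.conf"
acl RUsr src "/etc/squid3/RUsr.conf"
acl inlunchbreak time 13:00-14:30
acl youtube_domains dstdomain .youtube.com .googlevideo.com .ytimg.com
acl PornSites url_regex "/etc/squid3/pornlist"
acl Movies rep_mime_type video/mpeg
http_access deny PornSites RUsr
http_reply_access deny Movies RUsr
http_access allow youtube_domains inlunchbreak PUsr
http_access deny all
"""

def acl_types(conf):
    """Map each ACL name to the type given on its first 'acl' line."""
    types = {}
    for line in conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "acl":
            types.setdefault(fields[1], fields[2])
    return types

def cost(name, types):
    # A leading '!' negates the ACL but does not change its lookup cost.
    return RANK.get(types.get(name.lstrip("!")), len(TIERS))

def optimize(conf):
    """Fastest ACL first on each comment-free access line (stable in a tier)."""
    types, out = acl_types(conf), []
    for line in conf.splitlines():
        fields = line.split()
        if len(fields) > 3 and fields[0] in RULES and "#" not in line:
            acls = sorted(fields[2:], key=lambda n: cost(n, types))
            line = " ".join(fields[:2] + acls)
        out.append(line)
    return "\n".join(out)

if __name__ == "__main__":
    print(optimize(SAMPLE))
```

ACLs on one access line are ANDed, so reordering them changes only how early a non-matching line is abandoned, not which requests match. ACLs in the same tier keep their original relative order, so the lunch-break line comes out as `PUsr youtube_domains inlunchbreak`.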