Re: [squid-users] maxconn semantics
On Wed, 14 Jan 2004 [EMAIL PROTECTED] wrote:

> Why is this? It seems ridiculous that at the stage of maturity that SQUID
> has achieved that it still can't read a sysctl variable to do this
> dynamically.

Because of weird dependencies on the fd_set data type and a few other things.

Regards
Henrik
Re: [squid-users] maxconn semantics
On Tue, 13 Jan 2004, Paul wrote:

> I'd like to limit the total number of connections from anywhere, and would
> like some clarification. For example, with the following:
>
>   acl connlimit maxconn 2
>   http_access deny all connlimit
>   http_access allow !connlimit

maxconn is applied per source IP address, so this is not what you are
looking for.

> I can establish at most 2 connections from one IP number. So far so good.
> But if I come in from another IP number, I can establish additional
> connections, leading me to believe that the *total* number of connections
> allowed is essentially unlimited.

The total number of connections is limited by the maximum number of
filedescriptors your OS allows Squid to use. Each concurrent request uses up
to 3 filedescriptors (client connection, server connection, cache). If Squid
runs short of filedescriptors (less than 100 free filedescriptors IIRC) it
will automatically stop accepting new client connections.

The number of available filedescriptors can be set by ulimit when starting
Squid. You should not set this limit lower than ca 128, and you should almost
certainly disable persistent connections if considering running Squid with a
low amount of filedescriptors or otherwise limited amount of connections.

Regards
Henrik
Re: [squid-users] maxconn semantics
Thank you very much for your reply, Henrik.

So a ulimit of 1000 ought to limit the total number of connections to about
300+.

Looks like under my current 2.4 Linux kernel, maximum number of
filedescriptors possible is around 26K, but only 1024 allowed per process:

  # sysctl fs.file-max
  fs.file-max = 26208

  # ulimit -a
  core file size        (blocks, -c) 0
  data seg size         (kbytes, -d) unlimited
  file size             (blocks, -f) unlimited
  max locked memory     (kbytes, -l) unlimited
  max memory size       (kbytes, -m) unlimited
  open files                    (-n) 1024
  pipe size          (512 bytes, -p) 8
  stack size            (kbytes, -s) 8192
  cpu time             (seconds, -t) unlimited
  max user processes            (-u) 2047
  virtual memory        (kbytes, -v) unlimited

-- Paul
Re: [squid-users] maxconn semantics
On Wed, 14 Jan 2004, Paul wrote:

> Thank you very much for your reply, Henrik.
>
> So a ulimit of 1000 ought to limit the total number of connections to
> about 300+.
>
> Looks like under my current 2.4 Linux kernel, maximum number of
> filedescriptors possible is around 26K, but only 1024 allowed per process:

1024 is the default limit of Linux and many other OSes. It can be raised or
lowered if you like. To raise the limit you must also recompile Squid with
the limit raised.

Regards
Henrik
Re: [squid-users] maxconn semantics
In a message dated 1/14/04 5:33:19 AM Eastern Standard Time,
[EMAIL PROTECTED] writes:

> 1024 is the default limit of Linux and many other OSes. It can be raised
> or lowered if you like. To raise the limit you must also recompile Squid
> with the limit raised.

Why is this? It seems ridiculous that at the stage of maturity that SQUID has
achieved that it still can't read a sysctl variable to do this dynamically.

BC
[squid-users] maxconn semantics
I'd like to limit the total number of connections from anywhere, and would
like some clarification. For example, with the following:

  acl connlimit maxconn 2
  http_access deny all connlimit
  http_access allow !connlimit

I can establish at most 2 connections from one IP number. So far so good.
But if I come in from another IP number, I can establish additional
connections, leading me to believe that the *total* number of connections
allowed is essentially unlimited.

What am I doing wrong?

Thanks,
-- Paul
Re: [squid-users] maxconn semantics
This is better:

  acl yournet src xxx.xxx.xxx.xxx
  acl connlimit maxconn 2
  http_access allow yournet !connlimit
  http_access deny all

Cheers,
.::DAMK::.

On Tue, 13 Jan 2004 15:21:44 -0800 (PST), Paul [EMAIL PROTECTED] wrote:

> I'd like to limit the total number of connections from anywhere, and would
> like some clarification. For example, with the following:
>
>   acl connlimit maxconn 2
>   http_access deny all connlimit
>   http_access allow !connlimit
>
> I can establish at most 2 connections from one IP number. So far so good.
> But if I come in from another IP number, I can establish additional
> connections, leading me to believe that the *total* number of connections
> allowed is essentially unlimited.
>
> What am I doing wrong?
>
> Thanks,
> -- Paul

--
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
Re: [squid-users] maxconn semantics
Thank you for your reply, but I don't think this is what I'm looking for.
What I want has nothing to do with our local net. We want to limit the
*grand total* number of connections to our squid from *anywhere*, to give it
some breathing room, to leave some memory for other processes, to allow us
to remotely log in, etc.

Is this possible with squid ACLs?

-- Paul

On Wed, 14 Jan 2004, damk wrote:

> This is better:
>
>   acl yournet src xxx.xxx.xxx.xxx
>   acl connlimit maxconn 2
>   http_access allow yournet !connlimit
>   http_access deny all
>
> Cheers,
> .::DAMK::.
RE: [squid-users] maxconn semantics
His solution will work. It combines the maxconn and your local net to limit
the grand total. Or use the any source with maxconn like he describes if you
are using it as an accelerator.

-----Original Message-----
From: Paul [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 13, 2004 6:04 PM
To: damk
Cc: [EMAIL PROTECTED]
Subject: Re: [squid-users] maxconn semantics

> Thank you for your reply, but I don't think this is what I'm looking for.
> What I want has nothing to do with our local net. We want to limit the
> *grand total* number of connections to our squid from *anywhere*, to give
> it some breathing room, to leave some memory for other processes, to allow
> us to remotely log in, etc.
>
> Is this possible with squid ACLs?
>
> -- Paul
>
> On Wed, 14 Jan 2004, damk wrote:
>
> > This is better:
> >
> >   acl yournet src xxx.xxx.xxx.xxx
> >   acl connlimit maxconn 2
> >   http_access allow yournet !connlimit
> >   http_access deny all
> >
> > Cheers,
> > .::DAMK::.
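A toy model of the http_access evaluation discussed in this thread (Henrik's point that maxconn is applied per source IP, so the only global ceiling is the filedescriptor budget, and the two configs Paul and damk posted), added here as an illustration; it is not Squid code. It assumes the behaviour Paul observed (maxconn 2 allows exactly two connections per IP, i.e. the connection being evaluated is counted), treats `all` as a built-in match-anything ACL, and matches `src` on exact addresses only, ignoring CIDR masks.

```python
"""Toy model (not Squid code) of http_access + maxconn semantics from this thread:
lines checked in order, ACLs on a line ANDed, '!' negates, first match decides."""
from collections import Counter

PAUL_CONF = """acl connlimit maxconn 2
http_access deny all connlimit
http_access allow !connlimit"""

def parse_config(text):
    """Collect 'acl' definitions and 'http_access' rules from a config snippet."""
    acls, rules = {}, []
    for parts in (line.split() for line in text.splitlines()):
        if parts and parts[0] == "acl":
            acls[parts[1]] = (parts[2], parts[3:])
        elif parts and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(acls, name, client_ip, open_by_ip):
    if name == "all":   # assumption: 'all' treated as built-in match-anything
        return True
    kind, args = acls[name]
    if kind == "src":   # exact IP match only in this toy (no CIDR)
        return client_ip in args
    if kind == "maxconn":   # new connection is counted, so maxconn 2 allows 2
        return open_by_ip[client_ip] + 1 > int(args[0])
    raise ValueError("unsupported acl type " + kind)

def http_access(acls, rules, client_ip, open_by_ip):
    action = "deny"
    for action, tokens in rules:   # first line whose ACLs all match decides
        if all(acl_matches(acls, t.lstrip("!"), client_ip, open_by_ip)
               != t.startswith("!") for t in tokens):
            return action
    return "deny" if action == "allow" else "allow"   # opposite of last line

def simulate(config, client_ips):
    """Evaluate connection attempts in order; return accepted count per IP."""
    acls, rules = parse_config(config)
    open_by_ip = Counter()
    for ip in client_ips:
        if http_access(acls, rules, ip, open_by_ip) == "allow":
            open_by_ip[ip] += 1
    return open_by_ip

def fd_connection_cap(fd_limit, reserved=100, fds_per_request=3):
    """Rough global cap from Henrik's figures: ~100 fds kept free, up to 3 per request."""
    return (fd_limit - reserved) // fds_per_request
```

Running `simulate(PAUL_CONF, ...)` with attempts from many different source addresses shows every address getting its own two connections, while `fd_connection_cap(1000)` gives the 300 Paul estimated from his ulimit.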