[squid-users] Straight Apache Server Faster Than Squid Accelerator?!!!

From: Kent, Mr. John (Contractor) <kent@dont-contact.us>
Date: Tue, 13 Jul 2004 10:36:24 -0700

Greetings,

Using Squid as an accelerator in front of a seven machine server farm.
Each server is running a regular "light" Apache server on :7777 and
a mod-perl enabled "heavy" server on :8888.

Just for fun, thought I'd compare the improvement I got from Squid
over the straight Apache when serving a static page and was dismayed to find that
the straight Apache server was 4 x Faster than squid!

Running: Squid Cache: Version 2.5.STABLE5

Tested using Apache BenchMark /bin/ab

Here is the straight Apache server
./ab -n 800 -c 100 http://europa.nrlmry.navy.mil:7777/tc_pages/tc_home.html
Requests per second: 872.24 [#/sec] (mean)

Here is Squid's output:
./ab -n 800 -c 100 http://www.nrlmry.navy.mil/tc_pages/tc_home.html
Requests per second: 226.61 [#/sec] (mean)

I suspect the reason for this is the complicated perl redirect script I'm using.
But was hoping someone could suggest something to speed things up.

My redirector first switches between the heavy or light servers depending on
if it's a cgi script call or not then cycles between the servers in the pool to
achieve load balancing.

I once tried to add FastCGI to the perl redirectors, but did that ever ball things
up and I quickly abandoned it.

Below are my redirector.pl script and my Squid.conf file

Thank you for your assistance,

John Kent
Webmaster
Naval Research Laboratory
Monterey, CA

----------------------------------------------------------------------------------------------------------------------------------------
squid.conf:
# CONFIG FILE FOR WWW_SQUID

# Note recommend you read:
# http://theoryx5.uwinnipeg.ca/guide/scenario/Running_Two_webservers_and_Squid.html
# before touching this config file, john.

#199.9.2.108 => www-new.nrlmry.navy.mil
# 199.9.2.48 => www.nrlmry.navy.mil
# THIS MUST BE AN IP ADDRESS! www.nrlmry.navy.mil will fail!!

#http_port 199.9.2.136:80 199.9.2.137:80

# For kdc2
http_port 192.160.159.132:8080
icp_port 0
#tcp_outgoing_address 127.0.0.1

#httpd_accel_host 127.0.0.1
httpd_accel_host virtual
httpd_accel_port 7777
#httpd_accel_port 80

# NOTE: the RUDE_ROBOTS_IP line is automatically written
# by the rude_robots.pl script which writes the line
# then restarts Squid by running squid -k reconfigure
# acl aclname src ip-address/netmask ... (clients IP address)
acl RUDE_IP src "/users/webuser/www_squid/dyn_conf/Rude_Robots_IP.txt"
#http_access deny RUDE_IP

hierarchy_stoplist /tc\_pages /cgi\-bin /sat\-bin /tc\-bin /focus\-bin /~ /goes\_cc /coamps\-reg

# A list of words which, if found in a URL, cause the object to
# be handled directly by this cache. In other words, use this
# to not query neighbor caches for certain objects. You may
# list this option multiple times.

# Since pages created dynamically by tc-bin and sat-bin have
# an expire time on them I DO want them cached - jk
#hierarchy_stoplist /cgi-bin /~ /goes\_cc /coamps\-reg

acl QUERY urlpath_regex research coamps dev security menu\.txt common index focus dmso flambe adap sampson THUMB\.jpg LATEST\.jpg Latest\.jpg swish dev \~ dev\-bin tc\-dev Mod\-dev training SAIC shared\-bin shared swish cgi\-bin sat\-dev goes\_cc cc composer coamps\-reg wusage sys\-bin banner aerosol Case\_
no_cache deny QUERY

cache_mem 64 MB

# Switched to aufs "threaded" from ufs "non-threaded" supposed to scale better
# on Linux. jk 29AUG03

#cache_dir diskd /cache 12000 16 256 Q1=72 Q2=64
cache_dir ufs /cache 12000 16 256
cache_access_log /users/webuser/www_squid/logs/access.log
cache_log /users/webuser/www_squid/logs/cache.log

emulate_httpd_log on

pid_filename /users/webuser/www_squid/logs/squid.pid

#debug_options ALL,1,28,9
#debug_options ALL,1

redirect_program /users/webuser/www_squid/dyn_conf/www_redirect.pl
#redirect_program /data/www/web/htdocs_dyn/squid/www_redirect.pl
redirect_children 32

# Cannot use this option to accelerate multiple back-end servers!
# TAG: redirect_rewrites_host_header
# By default Squid rewrites any Host: header in redirected
# requests. If you are running a accelerator then this may
# not be a wanted effect of a redirector.
#
#Default:
# redirect_rewrites_host_header on
redirect_rewrites_host_header on

acl acceleratedHost dst 199.9.2.134/255.255.255.255 199.9.2.135/255.255.255.255 199.9.2.136/255.255.255.255 199.9.2.137/255.255.255.255 199.9.2.108/255.255.255.255 199.9.2.48/255.255.255.255 199.9.2.69/255.255.255.255 199.9.2.33/255.255.255.255 199.9.2.43/255.255.255.255 199.9.2.92/255.255.255.255 199.9.2.100/255.255.255.255 199.9.2.101/255.255.255.255 199.9.2.102/255.255.255.255 199.9.2.103/255.255.255.255 199.9.2.44/255.255.255.255 199.9.2.72/255.255.255.255 199.9.2.109/255.255.255.255 199.9.2.110/255.255.255.255 199.9.2.111/255.255.255.255 199.9.2.126/255.255.255.255

acl ssl_noauth dstdomain io.nrlmry.navy.mil
acl acceleratedPort port 7777 8888
acl myserver src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 81 3128 7777 8888 8080 81 443 563
acl CONNECT method CONNECT
acl Methods method GET POST HEAD
http_access allow ssl_noauth CONNECT SSL_PORTS

# Cachemgr related acl's
        acl manager proto cache_object
        acl localhost src 127.0.0.1/255.255.255.255
        acl example src 199.9.2.136/255.255.255.255
        acl example src 199.9.2.137/255.255.255.255
        acl all src 0.0.0.0/0.0.0.0
        http_access allow manager localhost
        http_access allow manager example
        http_access deny manager
        http_access allow all

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all
http_access allow acceleratedHost acceleratedPort
http_access allow Methods
# And finally deny all other access to this proxy
http_access deny all

cache_mgr webmaster@nrlmry.navy.mil

# DO NOT RUN AS ROOT!
cache_effective_user webuser
cache_effective_group webgroup

# TAG: request_entities
# Squid defaults to deny GET and HEAD requests with request entities,
# as the meaning of such requests are undefined in the HTTP standard
# even if not explicitly forbidden.
#
# Set this directive to on if you have clients which insists
# on sending request entities in GET or HEAD requests.
#
request_entities on

# TAG: httpd_accel_with_proxy on|off
# If you want to use Squid as both a local httpd accelerator
# and as a proxy, change this to 'on'. Note however that your
# proxy users may have trouble to reach the accelerated domains
# unless their browsers are configured not to use this proxy for
# those domains (for example via the no_proxy browser configuration
# setting)
#
httpd_accel_with_proxy off

# TAG: httpd_accel_uses_host_header on|off
# HTTP/1.1 requests include a Host: header which is basically the
# hostname from the URL. Squid can be an accelerator for
# different HTTP servers by looking at this header. However,
# Squid does NOT check the value of the Host header, so it opens
# a big security hole. We recommend that this option remain
# disabled unless you are sure of what you are doing.
#
# However, you will need to enable this option if you run Squid
# as a transparent proxy. Otherwise, virtual servers which
# require the Host: header will not be properly cached.
# NOTE: Setting this to yes WILL break pages!

# JK 29-JAN-02: When this is on, within the Squid access.log
# squid GETS a domain name:
# ie. GET http://kauai.nrlmry.navy.mil:7777/.....
# When this is off squid GETS an IP
# ie GET http://199.9.2.69:7777/focus-docs/....
httpd_accel_uses_host_header off

# TAG: httpd_accel_single_host on|off
# If you are running Squid as an accelerator and have a single backend
# server then set this to on. This causes Squid to forward the request
# to this server regardless of what any redirectors or Host headers
# says.
#
# Leave this at off if you have multiple backend servers, and use a
# redirector (or host table or private DNS) to map the requests to the
# appropriate backend servers. Note that the mapping needs to be a
# 1-1 mapping between requested and backend (from redirector) domain
# names or caching will fail, as caching is performed using the
# URL returned from the redirector.
#
# See also redirect_rewrites_host_header.
#
#Default:
# httpd_accel_single_host off

memory_pools on

# IP for DNS server
dns_nameservers 199.9.2.130

# Specifies the number of logfile rotations to make when you
# type 'squid -k rotate'. The default is 10, which will rotate
# with extensions 0 through 9. Setting logfile_rotate to 0 will
# disable the rotation, but the logfiles are still closed and
# re-opened. This will enable you to rename the logfiles
# yourself just before sending the rotate signal.
#
# Note, the 'squid -k rotate' command normally sends a USR1
# signal to the running squid process. In certain situations
# (e.g. on Linux with Async I/O), USR1 is used for other
# purposes, so -k rotate uses another signal. It is best to get
# in the habit of using 'squid -k rotate' instead of 'kill -USR1
# <pid>'.
#
#Default:
logfile_rotate 31
# Description:
# This specifies the maximum size for HTTP headers in a request. Request
# headers are usually relatively small (about 512 bytes). Placing a limit
# on the request header size will catch certain bugs (for example with
# persistent connections) and possibly buffer-overflow or
# denial-of-service attacks.
# default 10KB
request_header_max_size 12 KB

# TAG: strip_query_terms
# By default, Squid strips query terms from requested URLs before
# logging. This protects your user's privacy.
#
# To show if CGI's are getting cached.
strip_query_terms off
----------------------------------------------------------------------------------------------------------------------------------------------------------------------
#!/users/webuser/perl/bin/perl
# www_redirect.pl

# John Kent
# SAIC
# 6-SEP-00

# This routine cycles server requests to the servers listed in the @servers array.

###########################################################################
# LOG
#$VERSION = 3.0;
# + Modified to send all restricted access pages to the PKI enabled server
# VERSION = 2.0;
# 29-JUL-03
# + Now use 2 "pools" one for LIGHT_SERVERS the other for HEAVY_SERVERS
# 9-DEC-02
# In the first regex added [^?] to allow animation selections to work
# 6-SEP-00: written
###########################################################################
$|=1; # Flush pipes

# Put the fully qualified DNS name for the address which
# Squid responds to

#my($dns_server_name) = "calamari";
#my($local_name) = "calamari1";
my($dns_server_name) = "kdc2";
my($local_name) = "kdc2";
my($domain) = "nrlmry.navy.mil";

# This is where all restricted access pages are to be served from
my($PKI_URI) = "https://io.nrlmry.navy.mil:443";

#########################################################################
# NOTE: To change allocation of load among servers add or delete servers
# Modify either the AVAILABLE servers array in Squid_Boss_Config.pm OR
# The numbers of each server in the Squid_Boss_Config.pm file.
# once, servers separated by a space. Note: This line is automatically
# written by /usr/local/bin/www_create_server_pool.pl
#########################################################################
my(@LIGHT_SERVERS) = qw{ deimos europa io phobos web1 web2 web3 };
my(@HEAVY_SERVERS) = qw{ web1 web2 web3 };
#########################################################################

# To see what this script is doing, set DEBUG = 1, restart squid >/usr/local/bin/sudo /usr/local/bin/www_squid -k reconfigure,
# Then watch the /tmp/squid_console >tail -f /tmp/squid_console. You will see how the redirector sends
# incoming requests to either heavy (8888) or light (7777) servers as well as routes it to the various servers
# in the server pool. -jk 18-DEC-02

my($DEBUG) = 0;

   # Kill any Zombies
    my($waitpid);
    sub REAPER {
        $waitpid = wait;
        $SIG{CHLD} = \&REAPER;
    }
    $SIG{CHLD} = \&REAPER;

#me: flambe.nrlmry.navy.mil
#Address: 199.9.2.72

# Hash of servers and their IP numbers
my(%IP) = (www => "199.9.2.136",
           kauai => "199.9.2.69",
           rossby => "199.9.2.33",
           hadley => "199.9.2.43",
           io => "199.9.2.100",
           www2 => "199.9.2.92",
           europa => "199.9.2.101",
           phobos => "199.9.2.102",
           deimos => "199.9.2.103",
           kelvin => "199.9.2.44",
           web1 => "199.9.2.109",
           flambe => "199.9.2.72",
           hail => "199.9.2.75",
           calamari => "199.9.2.130",
           calamari1 =>"199.9.2.134",
           calamari2 =>"199.9.2.135",
           webcache1 =>"199.9.2.136",
           webcache2 =>"199.9.2.137",
           web1 =>"199.9.2.109",
           web2 =>"199.9.2.110",
           web3 =>"199.9.2.111",
           lanai =>"199.9.2.124",
           kdc2 =>"192.160.159.132",
          );

#my(@RESTRICTED_ACCESS) = qw{ pwp nrlonly map\_n\_default\_product\_pages level\_one level\_two changes htdocs\_new sys-docs};

my(@RESTRICTED_ACCESS) = qw{ test_dir };

my($RESTRICT_REGEX) = join ('|', @RESTRICTED_ACCESS);
# Array indices
my($i,$j) = (0, 0);

open(LOG, ">>/tmp/squid_console") if ($DEBUG == 1);

while(<>){

    print LOG "$$ < $_\n" if ($DEBUG == 1);

    # Force restricted access items to the RESTRICTED PKI_URI
    if ($_ =~ /$RESTRICT_REGEX/o){
##25948 < http://199.9.2.136:7777/archdat/pwp/ 192.160.159.24/- - GET
        $_ =~ m/^(.+7777).+$/;
        my($URI) = $1;
        print LOG "URI = $URI\n" if ($DEBUG == 1);
        # Replace with Restricted
        # \Q..\E: treat the captured request prefix as a literal string, not a regex
        $_ =~ s/\Q$URI\E/$PKI_URI/g;
        print LOG "Line now = $_\n" if ($DEBUG == 1);
        goto DONE;
    }

    # Don't send any GETS with the following terms to mod-perl server

    # Added display10\b and tc_display\b because the Animate form comes in as POST method,
    # (Name value pairs NOT in the URL) thus ends in [^\?] and because for some reason it
    # won't work if passed to the heavy server - jk 20-AUG-02
    # Found that make_thumb.cgi will not work in the heavy servers - jk 24-JAN-03
    # Added aerosol SGI's want to route to 7777

    if ($_ =~ m/display10|tc_display/){
        unless ($_ =~ /[?&=]+/){
           #print LOG "Not sending a display to heavy\n" if ($DEBUG == 1);
           next;
        }
    }

    # server is the name of the server to route the command to
    my($server);

    # Don't send these to a heavy server running on port 8888
    if ($_ =~ m/dev|coampsos|adap|servers|make_thumb|animate|shared\-bin|sys\-bin|log|bios|nrlonly|Animate|Java|Gif89|cc|composer|train|coamps|indian\/western|pwp|focus|focus\_b\_right\.cgi|focus\_docs|region|bacimo|aerosol/){
        #print LOG "Not sending to heavy\n" if ($DEBUG == 1);
        next;
    }

# next if ($_ =~ m/./); #Nothing is sent to mod_perl server
    # Don't send the above gets to mod-perl server

    #redirect to mod_perl server by changing port to 8888
    if ($_ =~ m/sat\-bin|tc\-bin|focus\-bin/){
        # Specify heavy server
        s%(:\d+)?/sat-bin%:8888/sat-bin%i && next;
        s%(\:\d+)?/tc-bin%:8888/tc-bin%i && next;
        s%(\:\d+)?/focus-bin%:8888/focus-bin%i && next;
    }

     # DO NOT ROUTE DEV-BIN to mod_perl!
     # Why? Because the startup.pl file forces mod-perl to preload the sat-bin modules
     # and you will be modifying the dev-bin modules till you are blue in the face
     # wondering why nothing happens!
     #

} continue {

    # Now rotate the servers by replacing server name
    if ($_ =~ m/sat\-bin|tc\-bin|focus\-bin/){
        # Now send to one of the heavy servers
        # Step through all the available servers
        if ($i > $#HEAVY_SERVERS){
            $i = 0;
        }
        ($server) = $HEAVY_SERVERS[$i];
        #print LOG "Sending to heavy server $server\n" if ($DEBUG == 1);

        # Increment to the next heavy server
        $i++;
    }

        # Don't switch servers for the following pages
        # they may be password protected and we don't want multiple challenges or other issues
        # but the protection is set up only
        # on kauai so don't rotate to the other servers
        #NOTE: anything in this unless list will ONLY get sent to Kauai whether or not Kauai is UP!!

        # Get the DNS or IP of the GET from Squid
        # Squid uses the domain name
        $_ =~ /http:\/\/([\w\.]+)/;
        my($input_server) = $1;
        my($new_server);
print LOG "input_server name = $input_server\n" if ($DEBUG == 1);
        # http://www.nrlmry.navy.mil:7777/htdocs_dyn/thumbnails/java_thumbs/75_20021209.1815.goes-8.ir.x.trop.x.jpg
        # Added aerosol because SGI's want to route to 7777 -7FEB03 jk.
        # Removed coamps, adap added banner_
        unless ($_ =~ m/dev|coampsos|swish|servers|animate|bios|nrlonly|sys\-bin|log\b|focus|wusage|coamps\-reg|composer|train|swf|indian\/western|pwp|focus|banner_|bacimo/i){

print LOG "server = $server\n" if ($DEBUG == 1);
print LOG "line = $_\n" if ($DEBUG == 1);

            # Rotate server
            # if httpd_accel_uses_host_header is set to on
            # Squid uses the domain name

            # Step through all the available servers
            if ($j > $#LIGHT_SERVERS){
                $j = 0;
            }
            ($server) = $LIGHT_SERVERS[$j];
            #print LOG "Sending to light server $server\n" if ($DEBUG == 1);

            if ($input_server =~ /\d+/){
                 $new_server = $IP{$server};
            } else {
                 $new_server = $server . "." . $domain;
            }

print LOG "new = $new_server\n" if ($DEBUG == 1);

            # If httpd_accel_uses_host_header is set to off, Squid
            # uses the IP number
            # Increment to next light server
            $j++;
        } else { # force to web1 # Force to io 22-JUN-03
print LOG "Forcing $_ to web1\n" if ($DEBUG == 1);

            if ($input_server =~ /\d+/){
                 $new_server = $IP{'web1'};
            } else {
                 $new_server = "web1" . "." . $domain;
            }
        }

        # Make the switch here
        if (/calamari1\.cgi/){
            #s%$input_server%199.9.2.136%;
            $_ = "http://calamari1.nrlmry.navy.mil:7777/nrl-bin/servers_calamar1.cgi";
        } elsif (/calamari2\.cgi/){
            #s%$input_server%199.9.2.137%;
            $_ = "http://calamari2.nrlmry.navy.mil:7777/nrl-bin/servers_calamari2.cgi";
        } else {
            # the big switch
            s%$input_server%$new_server%;
        }

        # Some extra redirection cases
        # Forward all flambe requests to the flambe server

#8315 < http://www.nrlmry.navy.mil:7777/pls/flambe/global.global_3hour_frameset? 192.160.159.24/- - GET
#8315 >j = 9 http://flambe.nrlmry.navy.mil:7777/flambe/global.global_3hour_frameset? 192.160.159.24/- - GET

        s%.*[^/pls]([/pls]*\/flambe\/.+)%http://199.9.2.122:4022$1%;

        # Handle some flambe aliases
        s%.*three_hour_gifs\/(.+)%http://199.9.2.122:4022/three_hour_gifs/$1%;
        s%.*flambe_data\/(.+)%http://199.9.2.122:4022/flambe_data/$1%;
        s%.*flambe-bin\/(.+)%http://199.9.2.122:4022/flambe-bin/$1%;

       # Forward coamps requests to the jin server
       # < http://www.nrlmry.navy.mil:7777/coamps-jin/.....
       s%.*coamps-jin\/(.+)%http://jin.nrlmry.navy.mil:2000/$1%;

       # < http://www.nrlmry.navy.mil:7777/coamps-dev/....
       s%.*coamps-dev\/(.+)%http://jin.nrlmry.navy.mil:8000/$1%;

       # < http://www.nrlmry.navy.mil:7777/coamps-web/....
       s%.*coamps-web\/(.+)%http://coamps.nrlmry.navy.mil:8000/$1%;

       # forward requests for the Calamari GUI's
       s%.*servers_calamari1\/(.+)%http://calamari1.nrlmry.navy.mil:7777/$1%;
       s%.*servers_calamari2\/(.+)%http://calamari2.nrlmry.navy.mil:7777/$1%;

       # forward all requests to nrlonly to the PKI enabled https server on Io
       # s%.*nrlonly\/(.+)%https://io.nrlmry.navy.mil/nrlonly/$1%;

DONE:

       print LOG "$$ >j = $j $_\n\n" if ($DEBUG == 1);
       print; # falls through to apache_light

}
#########################################################################
Received on Tue Jul 13 2004 - 11:36:30 MDT
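
Squid checks `http_access` rules top to bottom and stops at the first rule that matches. The following is an added example, not part of the original post, that audits such a list for rules that can never be reached; `SAMPLE_CONF` is constructed from the `acl`/`http_access` lines of the squid.conf above, and `audit_http_access` is a hypothetical helper name.

```python
# Constructed sample: acl/http_access lines of the posted squid.conf, in
# their original order (the long acceleratedHost address list is shortened).
SAMPLE_CONF = """\
acl acceleratedHost dst 199.9.2.134/255.255.255.255
acl ssl_noauth dstdomain io.nrlmry.navy.mil
acl acceleratedPort port 7777 8888
acl SSL_ports port 443 563
acl Safe_ports port 80 81 3128 7777 8888 8080 81 443 563
acl CONNECT method CONNECT
acl Methods method GET POST HEAD
http_access allow ssl_noauth CONNECT SSL_PORTS
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl example src 199.9.2.136/255.255.255.255
acl example src 199.9.2.137/255.255.255.255
acl all src 0.0.0.0/0.0.0.0
http_access allow manager localhost
http_access allow manager example
http_access deny manager
http_access allow all
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all
http_access allow acceleratedHost acceleratedPort
http_access allow Methods
http_access deny all
"""

# Source specifications that match every client address.
MATCH_ALL_SRC = {"0.0.0.0/0.0.0.0", "0.0.0.0/0", "0/0"}


def audit_http_access(conf_text):
    """Return (terminal, shadowed) for a first-match http_access list.

    terminal is (line_no, text) of the first rule whose only condition is an
    ACL matching every client; shadowed lists the rules that follow it and
    therefore are never evaluated.
    """
    match_all = set()              # names of ACLs that match any source
    terminal, shadowed = None, []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()      # drop comments
        if len(fields) >= 4 and fields[0] == "acl" and fields[2] == "src":
            if any(value in MATCH_ALL_SRC for value in fields[3:]):
                match_all.add(fields[1])
        elif len(fields) >= 3 and fields[0] == "http_access":
            rule = (line_no, " ".join(fields))
            if terminal is not None:
                shadowed.append(rule)
            elif len(fields) == 3 and fields[2] in match_all:
                terminal = rule    # unconditional allow/deny ends the list
    return terminal, shadowed


if __name__ == "__main__":
    terminal, shadowed = audit_http_access(SAMPLE_CONF)
    print("terminal rule: line %d: %s" % terminal)
    for line_no, text in shadowed:
        print("never evaluated: line %d: %s" % (line_no, text))
```

On the posted rules it reports the first `http_access allow all` as the terminal rule and the six rules after it, including `http_access deny !Safe_ports`, as never evaluated.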

This archive was generated by hypermail pre-2.1.9 : Sun Aug 01 2004 - 12:00:01 MDT