Re: [squid-users] Large ACLs and TCP_OUTGOING_ADDRESS

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 21 Nov 2008 15:56:35 +1300 (NZDT)

> Where could I find the "theoretical limits" published by Adrian for 2.7?
>
> Regards
> HASSAN
>

Somewhere in squid-dev over late 2007 to early 2008 he pushed a graph
out comparing cacheboy and Squid-2.7 and Squid-2.HEAD.

All I can find right now is this thread:
  http://www.squid-cache.org/mail-archive/squid-dev/200701/0077.html
  http://www.squid-cache.org/mail-archive/squid-dev/200701/0083.html

And some old graphs on his cacheboy site:
  http://www.cacheboy.net/polygraph/cacheboy_1.4.pre3_test2/one-page.html
Looks like he has scraped out another 50rps since the early reports.

One indicates squid is capable of ~500 RPS on regular home hardware. And
the other that a very old version was capable of >3500 RPS on high-end
hardware in 2006.

Amos

>
>
> ----- Original Message -----
> From: "Amos Jeffries" <squid3_at_treenet.co.nz>
> To: "Nyamul Hassan" <mnhassan_at_usa.net>
> Cc: "Squid Users" <squid-users_at_squid-cache.org>
> Sent: Tuesday, November 18, 2008 05:31
> Subject: Re: [squid-users] Large ACLs and TCP_OUTGOING_ADDRESS
>
>
>> Thank you very much.
>> Those stats look much better than the low peak ones. Though still not very
>> close to the theoretical limits Adrian published for 2.7.
>>
>> Some very marginal increases may be gained from re-ordering your
>> http_access lines that check for WindowsUpdate. Doing the src check before
>> the dstdomain check (left-to-right) will save a few cycles per request.
>> so: http_access Allow windowsupdate ispros
>> becomes: http_access Allow ispros windowsupdate
>>
>> cache_store_log can be set to 'none' for less time logging debug info you
>> generally don't need.
>>
>> You may want to experiment with the collapsed_forwarding feature. It's
>> designed to reduce server-side network lags so should increase the
>> internal speeds but depends on higher hit ratios for best effect, which
>> at >40% you have.
>>
>> That's all I can see right now that might provide any improvement at all.
>>
>> Amos
>>
>> Nyamul Hassan wrote:
>>> Thank you Amos for your valuable input on this. Please find attached a
>>> snapshot of peak hour traffic.
>>>
>>> I'm also attaching the following graphs:
>>>
>>> 1. Cache Hit Rate
>>> 2. Client Request Rate
>>> 3. CPU IOWait
>>> 4. Service Timers
>>>
>>> I'm also attaching a copy of my cache configuration. Looking at it, can
>>> you suggest me if I can get any better performance than it is? I think
>>> the IOWait is way too high, and I am using regular commodity SATA HDDs.
>>>
>>> Any input would be greatly appreciated.
>>>
>>> Regards
>>> HASSAN
>>>
>>>
>>>
>>>
>>>
>>> ----- Original Message -----
>>> From: "Amos Jeffries" <squid3_at_treenet.co.nz>
>>> To: "Nyamul Hassan" <mnhassan_at_usa.net>
>>> Cc: "Squid Users" <squid-users_at_squid-cache.org>
>>> Sent: Monday, November 17, 2008 07:01
>>> Subject: Re: [squid-users] Large ACLs and TCP_OUTGOING_ADDRESS
>>>
>>>
>>>>> Hi,
>>>>>
>>>>> I run squid in an ISP scenario. We have got two identically configured
>>>>> squid caches being load balanced among 4,000 users over a 50 Mbps link.
>>>>> The system runs quite well, although not without the occasional hiccups.
>>>>> But, there is a complaint from users about not being able to access some
>>>>> websites because of same external IP. For this, we configured the
>>>>> squid.conf to have ACLs for different user blocks of /24 and have them
>>>>> mapped through different external IPs on each of these boxes.
>>>>>
>>>>> However, not all /24 blocks have the same number of users, and I also
>>>>> have lots of real IPs still lying unused. I thought about creating
>>>>> different ACLs for every 5 or 8 users, and then map them to different
>>>>> external IPs. But, having them distributed in 8 IPs in each group would
>>>>> mean at least 500 separate ACLs and their corresponding
>>>>> TCP_OUTGOING_ADDRESS directives.
>>>>>
>>>>> My question is, will this affect the performance of squid? Can squid
>>>>> handle this?
>>>>
>>>> Depends on the ACL type. Squid should be able to handle many easily.
>>>> Of the ACL you need; src is the fastest, next best is dstdomain, then
>>>> dst. So for a marginal boost when combining on one line, put them in
>>>> that order.
>>>>
>>>> Just look for shortcuts as you go.
>>>>
>>>>>
>>>>> My servers are each running on Core 2 Duo 2.33 GHz, 8 GB of RAM, 5 HDDs
>>>>> (1x80GB IDE for OS, 4x160GB SATA for cache), total 256GB Cache Store
>>>>> (64GB on each HDD). One of the server's stats are (taken at a very low
>>>>> user count time):
>>>>
>>>> Thank you. We are trying to collect rough capacity info for Squid
>>>> whenever the opportunity comes up. Are you able to provide such stats
>>>> around peak load for our wiki?
>>>> The info we collect can be seen at
>>>> http://wiki.squid-cache.org/KnowledgeBase/Benchmarks
>>>>
>>>> Amos
>>>>
>>>>
>>>>
>>> Cache Manager menu
>>>
>>> Squid Object Cache: Version 2.7.STABLE4
>>>
>>> Connection information for squid:
>>> Number of clients accessing cache: 2133
>>> Number of HTTP requests received: 6213380
>>> Number of ICP messages received: 1441542
>>> Number of ICP messages sent: 1441550
>>> Number of queued ICP replies: 0
>>> Request failure ratio: 0.00
>>> Average HTTP requests per minute since start: 11488.3
>>> Average ICP messages per minute since start: 5330.7
>>> Select loop called: 78705022 times, 0.412 ms avg
>>> Cache information for squid:
>>> Request Hit Ratios: 5min: 41.7%, 60min: 43.8%
>>> Byte Hit Ratios: 5min: 17.5%, 60min: 16.9%
>>> Request Memory Hit Ratios: 5min: 16.2%, 60min: 14.4%
>>> Request Disk Hit Ratios: 5min: 44.2%, 60min: 43.6%
>>> Storage Swap size: 241613712 KB
>>> Storage Mem size: 4194392 KB
>>> Mean Object Size: 35.25 KB
>>> Requests given to unlinkd: 0
>>> Median Service Times (seconds) 5 min 60 min:
>>> HTTP Requests (All): 0.55240 0.55240
>>> Cache Misses: 0.72387 0.68577
>>> Cache Hits: 0.02899 0.02451
>>> Near Hits: 0.64968 0.64968
>>> Not-Modified Replies: 0.00000 0.00000
>>> DNS Lookups: 0.00000 0.00000
>>> ICP Queries: 0.00033 0.00035
>>> Resource usage for squid:
>>> UP Time: 32450.582 seconds
>>> CPU Time: 5725.342 seconds
>>> CPU Usage: 17.64%
>>> CPU Usage, 5 minute avg: 23.55%
>>> CPU Usage, 60 minute avg: 23.66%
>>> Process Data Segment Size via sbrk(): 775752 KB
>>> Maximum Resident Size: 0 KB
>>> Page faults with physical i/o: 2
>>> Memory usage for squid via mallinfo():
>>> Total space in arena: 1937988 KB
>>> Ordinary blocks: 1934155 KB 34179 blks
>>> Small blocks: 0 KB 0 blks
>>> Holding blocks: 35360 KB 8 blks
>>> Free Small blocks: 0 KB
>>> Free Ordinary blocks: 3832 KB
>>> Total in use: 1969515 KB 100%
>>> Total free: 3832 KB 0%
>>> Total size: 1973348 KB
>>> Memory accounted for:
>>> Total accounted: 5661786 KB
>>> memPoolAlloc calls: 882142632
>>> memPoolFree calls: 850766245
>>> File descriptor usage for squid:
>>> Maximum number of file descriptors: 65536
>>> Largest file desc currently in use: 8068
>>> Number of file desc currently in use: 7035
>>> Files queued for open: 4
>>> Available number of file descriptors: 58497
>>> Reserved number of file descriptors: 100
>>> Store Disk files open: 289
>>> IO loop method: epoll
>>> Internal Data Structures:
>>> 6867535 StoreEntries
>>> 432110 StoreEntries with MemObjects
>>> 430724 Hot Object Cache Items
>>> 6854443 on-disk objects
>>>
>>> Generated Mon, 17 Nov 2008 15:36:52 GMT, by cachemgr.cgi/2.7.STABLE4
>>> Cache Manager menu
>>>
>>> authenticate_cache_garbage_interval 3600 seconds
>>> authenticate_ttl 3600 seconds
>>> authenticate_ip_ttl 0 seconds
>>> authenticate_ip_shortcircuit_ttl 0 seconds
>>> acl all src 0.0.0.0/0.0.0.0
>>> acl manager proto cache_object
>>> acl localhost src 116.193.170.25
>>> acl localhost src 127.0.0.1
>>> acl ispros_proxies src 116.193.170.24/255.255.255.254
>>> acl proxy01 src 116.193.170.24
>>> acl to_localhost dst 127.0.0.0/255.0.0.0
>>> acl SSL_ports port 443
>>> acl Safe_ports port 80
>>> acl Safe_ports port 1025-65535
>>> acl Safe_ports port 443
>>> acl Safe_ports port 21
>>> acl Safe_ports port 70
>>> acl Safe_ports port 210
>>> acl Safe_ports port 280
>>> acl Safe_ports port 488
>>> acl Safe_ports port 591
>>> acl Safe_ports port 777
>>> acl CONNECT method CONNECT
>>> acl windowsupdate dstdomain download.windowsupdate.com
>>> acl windowsupdate dstdomain www.download.windowsupdate.com
>>> acl windowsupdate dstdomain wustat.windows.com
>>> acl windowsupdate dstdomain c.microsoft.com
>>> acl windowsupdate dstdomain .update.microsoft.com
>>> acl windowsupdate dstdomain windowsupdate.microsoft.com
>>> acl windowsupdate dstdomain crl.microsoft.com
>>> acl windowsupdate dstdomain redir.metaservices.microsoft.com
>>> acl windowsupdate dstdomain images.metaservices.microsoft.com
>>> acl wuCONNECT dstdomain www.update.microsoft.com
>>> acl ...........
>>> ...
>>> ...
>>> ...
>>> acl ...........
>>> acl apache rep_header Server ^Apache
>>> http_access Allow manager localhost
>>> http_access Allow manager proxy01
>>> http_access Deny manager
>>> http_access Deny !Safe_ports
>>> http_access Deny CONNECT !SSL_ports
>>> http_access Allow CONNECT wuCONNECT ispros
>>> http_access Allow windowsupdate ispros
>>> http_access Allow CONNECT wuCONNECT ggnn_real
>>> http_access Allow windowsupdate ggnn_real
>>> http_access Allow CONNECT wuCONNECT ggnn_pk64
>>> http_access Allow windowsupdate ggnn_pk64
>>> http_access Allow CONNECT wuCONNECT ggnn_pk128
>>> http_access Allow windowsupdate ggnn_pk128
>>> http_access Allow CONNECT wuCONNECT ggnn_pk256
>>> http_access Allow windowsupdate ggnn_pk256
>>> http_access Allow CONNECT wuCONNECT ggnn_pk512
>>> http_access Allow windowsupdate ggnn_pk512
>>> http_access Allow CONNECT wuCONNECT ggnn_pknight
>>> http_access Allow windowsupdate ggnn_pknight
>>> http_access Allow ...
>>> ...
>>> ...
>>> ...
>>> http_access Allow ...
>>> http_access Allow localhost
>>> http_access Deny all
>>> http_reply_access Allow all
>>> icp_access Allow ispros_proxies
>>> ident_lookup_access Deny all
>>> reply_body_max_size 0 Allow all
>>> follow_x_forwarded_for Deny all
>>> acl_uses_indirect_client on
>>> delay_pool_uses_indirect_client on
>>> log_uses_indirect_client on
>>> ssl_unclean_shutdown off
>>> sslproxy_version 1
>>> http_port 0.0.0.0:3128 transparent protocol=http
>>> tcp_outgoing_address ...
>>> ...
>>> ...
>>> ...
>>> tcp_outgoing_address ...
>>> zph_mode off
>>> zph_local 0
>>> zph_sibling 0
>>> zph_parent 0
>>> zph_option 136
>>> cache_peer ... Sibling 3128 3130 proxy-only
>>> dead_peer_timeout 10 seconds
>>> hierarchy_stoplist cgi-bin
>>> hierarchy_stoplist ?
>>> cache_mem 4294967296 bytes
>>> maximum_object_size_in_memory 65536 bytes
>>> memory_replacement_policy lru
>>> cache_replacement_policy lru
>>> cache_dir aufs /cachestore/cache1 65536 16 256
>>> cache_dir aufs /cachestore/cache2 65536 16 256
>>> cache_dir aufs /cachestore/cache3 65536 16 256
>>> cache_dir aufs /cachestore/cache4 65536 16 256
>>> store_dir_select_algorithm least-load
>>> max_open_disk_fds 0
>>> minimum_object_size 0 bytes
>>> maximum_object_size 1073741824 bytes
>>> cache_swap_low 90
>>> cache_swap_high 95
>>> update_headers on
>>> access_log /var/log/squid/access.log squid
>>> logfile_daemon /usr/lib/squid/logfile-daemon
>>> cache_log /var/log/squid/cache.log
>>> cache_store_log /var/log/squid/store.log
>>> logfile_rotate 10
>>> emulate_httpd_log off
>>> log_ip_on_direct on
>>> mime_table /etc/squid/mime.conf
>>> log_mime_hdrs off
>>> pid_filename /var/run/squid.pid
>>> debug_options ALL,1
>>> log_fqdn off
>>> client_netmask 255.255.255.255
>>> strip_query_terms on
>>> buffered_logs off
>>> netdb_filename /var/log/squid/netdb.state
>>> ftp_user Squid@
>>> ftp_list_width 32
>>> ftp_passive on
>>> ftp_sanitycheck on
>>> ftp_telnet_protocol on
>>> diskd_program /usr/lib/squid/diskd-daemon
>>> unlinkd_program /usr/lib/squid/unlinkd
>>> storeurl_rewrite_children 5
>>> storeurl_rewrite_concurrency 0
>>> url_rewrite_children 5
>>> url_rewrite_concurrency 0
>>> url_rewrite_host_header on
>>> redirector_bypass off
>>> location_rewrite_children 5
>>> location_rewrite_concurrency 0
>>> max_stale 604800 seconds
>>> refresh_pattern ^ftp: 1440 20% 10080
>>> refresh_pattern ^gopher: 1440 0% 1440
>>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>>> refresh_pattern . 0 20% 4320
>>> quick_abort_min 16 KB
>>> quick_abort_max 16 KB
>>> quick_abort_pct 95
>>> read_ahead_gap 16384 bytes
>>> negative_ttl 300 seconds
>>> positive_dns_ttl 21600 seconds
>>> negative_dns_ttl 60 seconds
>>> range_offset_limit 0 bytes
>>> minimum_expiry_time 60 seconds
>>> store_avg_object_size 13 KB
>>> store_objects_per_bucket 20
>>> request_header_max_size 20480 bytes
>>> reply_header_max_size 20480 bytes
>>> request_body_max_size 0 bytes
>>> via on
>>> cache_vary on
>>> broken_vary_encoding Allow apache
>>> collapsed_forwarding off
>>> refresh_stale_hit 0 seconds
>>> ie_refresh off
>>> vary_ignore_expire off
>>> request_entities off
>>> relaxed_header_parser on
>>> server_http11 off
>>> ignore_expect_100 off
>>> forward_timeout 240 seconds
>>> connect_timeout 60 seconds
>>> peer_connect_timeout 30 seconds
>>> read_timeout 900 seconds
>>> request_timeout 300 seconds
>>> persistent_request_timeout 120 seconds
>>> client_lifetime 86400 seconds
>>> half_closed_clients on
>>> pconn_timeout 60 seconds
>>> ident_timeout 10 seconds
>>> shutdown_lifetime 30 seconds
>>> cache_mgr ...
>>> mail_from ...
>>> mail_program mail
>>> cache_effective_user squid
>>> cache_effective_group squid
>>> httpd_suppress_version_string off
>>> visible_hostname ...
>>> umask 23
>>> announce_period 31536000 seconds
>>> announce_host tracker.ircache.net
>>> announce_port 3131
>>> httpd_accel_no_pmtu_disc off
>>> delay_pools 0
>>> delay_initial_bucket_level 50
>>> wccp_router 0.0.0.0
>>> wccp_version 4
>>> wccp2_rebuild_wait on
>>> wccp2_forwarding_method 1
>>> wccp2_return_method 1
>>> wccp2_assignment_method 1
>>> wccp2_service standard 0
>>> wccp2_weight 10000
>>> wccp_address 0.0.0.0
>>> wccp2_address 0.0.0.0
>>> client_persistent_connections on
>>> server_persistent_connections off
>>> persistent_connection_after_error off
>>> detect_broken_pconn off
>>> digest_generation on
>>> digest_bits_per_entry 5
>>> digest_rebuild_period 3600 seconds
>>> digest_rewrite_period 3600 seconds
>>> digest_swapout_chunk_size 4096 bytes
>>> digest_rebuild_chunk_percentage 10
>>> snmp_port 3401
>>> snmp_access Allow snmp_local localhost
>>> snmp_access Deny all
>>> snmp_incoming_address 0.0.0.0
>>> snmp_outgoing_address 255.255.255.255
>>> icp_port 3130
>>> log_icp_queries on
>>> udp_incoming_address 0.0.0.0
>>> udp_outgoing_address 255.255.255.255
>>> icp_hit_stale off
>>> minimum_direct_hops 4
>>> minimum_direct_rtt 400
>>> netdb_low 900
>>> netdb_high 1000
>>> netdb_ping_period 300 seconds
>>> query_icmp off
>>> test_reachability off
>>> icp_query_timeout 0
>>> maximum_icp_query_timeout 2000
>>> minimum_icp_query_timeout 5
>>> mcast_icp_query_timeout 2000
>>> icon_directory /usr/share/icons
>>> global_internal_static on
>>> short_icon_urls off
>>> error_directory /usr/share/errors/English
>>> err_html_text nonhierarchical_direct on
>>> prefer_direct off
>>> ignore_ims_on_miss off
>>> max_filedescriptors 65536
>>> tcp_recv_bufsize 0 bytes
>>> incoming_rate 30
>>> check_hostnames on
>>> allow_underscore on
>>> dns_retransmit_interval 5 seconds
>>> dns_timeout 120 seconds
>>> dns_defnames off
>>> hosts_file /etc/hosts
>>> dns_testnames netscape.com
>>> dns_testnames internic.net
>>> dns_testnames nlanr.net
>>> dns_testnames microsoft.com
>>> ignore_unknown_nameservers on
>>> ipcache_size 1024
>>> ipcache_low 90
>>> ipcache_high 95
>>> fqdncache_size 1024
>>> memory_pools on
>>> memory_pools_limit 5242880 bytes
>>> forwarded_for on
>>> cachemgr_passwd disable shutdown offline_toggle
>>> cachemgr_passwd XXXXXXXXXX all
>>> client_db on
>>> reload_into_ims off
>>> maximum_single_addr_tries 1
>>> retry_on_error off
>>> as_whois_server whois.ra.net
>>> offline_mode off
>>> uri_whitespace strip
>>> coredump_dir /var/cache
>>> balance_on_multiple_ip on
>>> pipeline_prefetch off
>>> high_response_time_warning 0
>>> high_page_fault_warning 0
>>> high_memory_warning 0 bytes
>>> sleep_after_fork 0
>>> zero_buffers on
>>> windows_ipaddrchangemonitor on
>>>
>>> Generated Mon, 17 Nov 2008 15:48:58 GMT, by cachemgr.cgi/2.7.STABLE4
>>
>>
>> --
>> Please be using
>> Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
>> Current Beta Squid 3.1.0.2
>>
>
>
Received on Fri Nov 21 2008 - 02:56:41 MST
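
The layout asked about in this thread (one src ACL and one tcp_outgoing_address line per small group of clients) is easier to generate than to hand-write. The script below is an added example, not part of the original e-mails: it splits a client range into blocks of 8 addresses, pairs each block with its own external address, and provides the reverse lookup needed when a report names only the external address. The networks 10.20.0.0/22 and 198.51.100.0/24, the `grp` ACL prefix and all function names are constructed for illustration.

```python
import ipaddress

def plan_groups(client_net, external_pool, group_prefix=29):
    """Pair each client block (a /29 = 8 addresses by default) with one
    external address. Raises ValueError when the pool is too small, so two
    client groups never silently share an outgoing address."""
    blocks = list(ipaddress.ip_network(client_net).subnets(new_prefix=group_prefix))
    pool = list(ipaddress.ip_network(external_pool).hosts())
    if len(blocks) > len(pool):
        raise ValueError(
            f"{len(blocks)} groups but only {len(pool)} external addresses")
    return list(zip(blocks, pool))

def render_squid_conf(plan, name="grp"):
    """Emit all acl lines first, then the tcp_outgoing_address lines.
    Only src ACLs are used, the fastest type named in the thread."""
    acls, outgoing = [], []
    for i, (block, ext) in enumerate(plan):
        acls.append(f"acl {name}{i:03d} src {block}")
        outgoing.append(f"tcp_outgoing_address {ext} {name}{i:03d}")
    return "\n".join(acls + outgoing) + "\n"

def clients_behind(plan, external_ip):
    """Reverse lookup: which client block leaves through this external
    address? Returns None when the address is not assigned to any group."""
    ext = ipaddress.ip_address(external_ip)
    for block, mapped in plan:
        if mapped == ext:
            return block
    return None

if __name__ == "__main__":
    # Constructed sample ranges: 128 groups of 8 clients each.
    plan = plan_groups("10.20.0.0/22", "198.51.100.0/24")
    print(render_squid_conf(plan), end="")
```

Squid evaluates tcp_outgoing_address lines in order and uses the first match, so keeping the generated plan alongside access.log lets a given external address and timestamp be traced back to one 8-address client block.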