On 17.05.2012 04:27, Ali Esf wrote:
> hello
>
> we are using squid just for proxy not for caching.
> we have 4 linux machines (vps) with the following specification and
> need to add 6 other machines to be 10 machines use squid.
>
> specification for each machine:
> ram = 1 GB
> port = 1 Gbps
> cpu = Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2 cores
> os = CentOS Linux 5.8
> hard disk space = 30 GB
> ----------------------------------------
> we have configured for https proxy on port 9090 on these 4 linux
> machines
No, you configured squid as a plain-HTTP proxy on port 9090.
>
> the problem is that when the number of users rises the speed of the proxy
> comes down and sometimes it does not connect, and the speed of loading
> pages is too slow.
Normal to see speed decrease as load rises. Do you have numbers for
what you consider "slow", "fast" and "more"?
> we compared the squid with the ccproxy on microsoft
> windows and understood that the ccproxy can support more users than
> squid in the same specification machine.
Really? Squid can support millions of "users". All simultaneously not
doing anything.
NP: Only requests-per-second and concurrent-connection-count metrics
measure proxy capacity properly.
> we think we have some problem in configuring squid.
> we want you to help us to improve the speed of the squid.
> here is the configuration of the squid.
> if you need vps user pass for monitoring and more information please
> say to email the user pass and ip of the vps.
>
>
>
> we installed the squid with the following commands
> ./configure --prefix=/usr/local/squid
Run "./configure --help" and take note of the "--disable" options
available. If any of them are for features you don't want to use, you
can speed up Squid a little by adding those disable options to remove
the features code.
> make all
> make install
>
>
> the squid version is squid-3.1.19
>
>
3.1 series contains IPv6 support. With two sequential DNS lookups per
domain the DNS handling speed can impact traffic through 3.1 in a major
way.
>
> ------------------------------------------------------------------
> cache deny all
> #
> # Recommended minimum configuration:
> #
> auth_param basic program /usr/local/squid/libexec/squid_db_auth --user squid_user --password c.0.m.p.u.t.e.r==(68)==)( --plaintext --persist
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32 ::1
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
>
> # Example rule allowing access from your local networks.
> # Adapt to list your (internal) IP networks from where browsing
> # should be allowed
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl localnet src fc00::/7 # RFC 4193 local private network range
> acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
Reducing the size of the ACL reduces the amount of work done testing
it. Follow the advice listed above and remove the *possible* LAN
networks which you are not using.
>
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> acl user_pass_auth proxy_auth REQUIRED
>
>
>
> # replace 10.0.0.1 with your webserver IP
>
>
>
>
> #
> # Recommended minimum Access Permission configuration:
> #
> # Only allow cachemgr access from localhost
> http_access allow manager localhost
> http_access deny manager
>
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
>
> # Deny CONNECT to other than secure SSL ports
NOTE: You dropped the CONNECT safety rule.
> http_access allow localnet
This allows all LAN users to bypass proxy authentication. Did you want
that?
>
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow localhost
> http_access allow user_pass_auth
> http_access allow all
"http_access allow all" permits anyone on the WAN who fails
authentication to use the proxy anyway.
Amos
Received on Thu May 17 2012 - 00:51:54 MDT
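
An added example, not part of the original message or of Squid itself: a small Python check for the three access-rule problems pointed out in the reply above (the dropped CONNECT rule, an allow placed before authentication, and the trailing "allow all"). Both sample configurations are constructed, and the finding names, the `EXEMPT` set and the assumed policy are this example's own.

```python
# Constructed sample: the access rules quoted in the message above.
WEAK = """
acl user_pass_auth proxy_auth REQUIRED
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access allow localnet
http_access allow localhost
http_access allow user_pass_auth
http_access allow all
"""
# Constructed corrected ordering. Assumed policy: only localhost skips auth.
FIXED = """
acl user_pass_auth proxy_auth REQUIRED
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow user_pass_auth
http_access deny all
"""
EXEMPT = {"localhost", "manager"}  # assumption: loopback-only ACLs may skip auth

def audit(conf):
    """Return finding codes for the http_access rules in conf, in rule order."""
    lines = [l.split("#")[0].split() for l in conf.splitlines()]
    auth = {p[1] for p in lines if len(p) > 2 and p[0] == "acl" and p[2] == "proxy_auth"}
    rules = [(p[1], p[2:]) for p in lines if len(p) > 2 and p[0] == "http_access"]
    findings = []
    if not any(a == "deny" and {"CONNECT", "!SSL_ports"} <= set(acls) for a, acls in rules):
        findings.append("no-connect-guard")      # CONNECT tunnels to any safe port
    for action, acls in rules:                   # rules are evaluated top to bottom
        if auth & set(acls):
            break                                # first authenticated rule reached
        if action == "allow" and not EXEMPT & set(acls):
            findings.append("allow-before-auth:" + " ".join(acls))
    if any(a == "allow" and acls == ["all"] for a, acls in rules):
        findings.append("allow-all")             # failed logins still get through
    if not rules or rules[-1] != ("deny", ["all"]):
        findings.append("no-final-deny-all")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("fixed", FIXED)):
        print(name, audit(conf) or "no findings")
```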