RE: [squid-users] How to make Allow/Deny Rules process faster ...

From: Christopher Kurtis Koeber <ckoeber_at_gmail.com>
Date: Wed, 15 Aug 2012 20:41:26 -0400

Here is the squid.conf. If there are any optimizations I can do let me know.

The application that uses the "acl Citrix_Ports port 2598" rule is what I am
concerned about.

I probably commented out some safety/admin stuff due to troubleshooting.

Just as a note, the actual proxy process works fast; everything comes up
fine on the network. Just slow for certain apps.

------------------------------------------

http_port 3128

visible_hostname [Our Proxy FQDN]

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

acl manager url_regex -i ^cache_object:// +i ^https?://[^/]+/squid-internal-mgr/
#acl manager url_regex -i ^cache_object:// /squid-internal-mgr/

acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

acl localnet src 10.0.0.0/8     # RFC 1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC 1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl blacklist-sites dstdom_regex -i "/etc/squid/blacklist-sites"
acl whitelist-sites dstdom_regex -i "/etc/squid/whitelist-sites"

acl SSL_ports port 443

###########################################
####### Ports for Particular User ####################
###########################################
acl Citrix_Ports port 2598
acl Citrix_Ports port 2589
acl Citrix_Ports port 1494
acl Citrix_Ports port 1452
# acl Citrix_Ports port 8080
# acl Citrix_Ports port 443
# acl Citrix_Ports port 80
# acl Citrix_Ports port 433
###########################################
###########################################
###########################################

acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

http_access deny manager
# http_access deny !Safe_ports
# http_access deny CONNECT !SSL_ports
http_access deny adobe-sites
http_access allow Citrix_Ports
http_access allow CONNECT Citrix_Ports
http_access allow whitelist-sites
http_access allow manager localhost
http_access allow manager localnet
http_access allow localhost
http_access allow localnet

cache_mgr myadminemail_at_mydomain.com
cache_mem 1024 MB
cache_dir ufs /var/cache/squid 102400 32 1024
cache_effective_user squid
cache_effective_group squid

log_fqdn on

Regards,
Christopher Koeber

On Wed, Aug 15, 2012 at 8:06 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
On 16.08.2012 10:17, Christopher Kurtis Koeber wrote:
Hello,

We have Squid version 3.1.19 running on our network and everything works OK
but we have noticed that rules set up to allow and deny access tend to be a
little slow.

So, if an application that we have set to be allowed on our network runs it
takes a while for it to connect because Squid is processing a rule for the
port for that application. Once Squid allows the application to connect (via
the "CONNECT" method) then everything works fine but it takes a long time
(30-60 seconds) for the rule allowing that application to connect to apply.

What can I do to fix this?

Start with showing us the access configuration please.

So far all we can say is "well, you start with optimizing the order", but
can't point you at particular details. For example do you have several
million regex patterns being processed? or a slow DNS lookup?

Once the order is streamlined for minimal tests performed it is easier to
debug test and see where the remaining bottlenecks are.

Amos
Received on Thu Aug 16 2012 - 00:41:34 MDT
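Added example (not from the thread and not Squid's own code): a small Python model of Squid's first-match http_access evaluation, run over the access section of the squid.conf posted above. It assumes constructed contents for the two dstdom_regex files, reads the undefined "adobe-sites" name as the defined "blacklist-sites" ACL (an assumption about what was meant), and counts, per request, how many ACL tests and reverse DNS lookups happen before a decision, which is the cost that the advice about streamlining rule order is aimed at. The lint function reports the undefined name, which Squid itself rejects at startup, and the ACLs left unused once the Safe_ports and SSL_ports lines are commented out.

```python
"""Toy first-match model of Squid http_access lists (constructed example, not Squid's
own code); ACL_FILES holds constructed stand-ins for the poster's two pattern files."""
import ipaddress
import re
from collections import namedtuple

ACL_FILES = {"/etc/squid/blacklist-sites": [r"(^|\.)badsite\.example$"],
             "/etc/squid/whitelist-sites": [r"(^|\.)partner\.example$"]}

# Access section of the posted squid.conf (comments, cache and log settings omitted).
CONFIG = """
acl manager url_regex -i ^cache_object:// +i ^https?://[^/]+/squid-internal-mgr/
acl localhost src 127.0.0.1/32 ::1
acl localnet src 10.0.0.0/8 192.168.0.0/16 fc00::/7 fe80::/10
acl blacklist-sites dstdom_regex -i "/etc/squid/blacklist-sites"
acl whitelist-sites dstdom_regex -i "/etc/squid/whitelist-sites"
acl SSL_ports port 443
acl Citrix_Ports port 2598 2589 1494 1452
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
http_access deny manager
http_access deny adobe-sites
http_access allow Citrix_Ports
http_access allow CONNECT Citrix_Ports
http_access allow whitelist-sites
http_access allow manager localhost
http_access allow manager localnet
http_access allow localhost
http_access allow localnet
"""

Request = namedtuple("Request", "src method host port url")  # host: a name or an IP literal
Acl = namedtuple("Acl", "kind values regexes")  # plain values; compiled *_regex patterns

def parse_config(text, files):
    """Return ({name: Acl}, [(action, [terms])]) from squid.conf text."""
    acls, rules = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts and parts[0] == "acl":
            acl = acls.setdefault(parts[1], Acl(parts[2], [], []))
            fold = False
            for arg in parts[3:]:
                if arg in ("-i", "+i"):  # -i starts and +i ends case folding
                    fold = arg == "-i"
                elif acl.kind.endswith("_regex"):  # a quoted argument names a pattern file
                    vals = files[arg.strip('"')] if arg.startswith('"') else [arg]
                    acl.regexes.extend(re.compile(v, re.I if fold else 0) for v in vals)
                else:
                    acl.values.append(arg)
        elif parts and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def matches(acl, req, stats):
    """One ACL test; stats counts the tests and the DNS lookups they imply."""
    stats["checks"] += 1
    if acl.kind == "src":
        return any(ipaddress.ip_address(req.src) in ipaddress.ip_network(v, strict=False)
                   for v in acl.values)
    if acl.kind == "port":
        return any(int(a) <= req.port <= int(b or a)
                   for a, _, b in (v.partition("-") for v in acl.values))
    if acl.kind == "method":
        return req.method in acl.values
    if acl.kind == "url_regex":
        return any(rx.search(req.url) for rx in acl.regexes)
    if acl.kind == "dstdom_regex":
        if any(rx.search(req.host) for rx in acl.regexes):
            return True
        # No match on an IP-literal host: Squid then tries a reverse DNS lookup of it
        # (squid.conf notes for dstdomain/dstdom_regex); that slow step is counted here.
        try: ipaddress.ip_address(req.host)
        except ValueError: return False  # a hostname: no lookup needed
        stats["dns"] += 1
        return False
    raise ValueError(f"unsupported acl type {acl.kind}")

def evaluate(acls, rules, req):
    """First line whose terms all match decides ('!' negates; all() stops at the first
    failing term, as Squid does); with no match the opposite of the last action applies."""
    stats = {"checks": 0, "dns": 0}
    for idx, (action, terms) in enumerate(rules):
        if all(matches(acls[t.lstrip("!")], req, stats) != t.startswith("!") for t in terms):
            return action, idx, stats
    return ("deny" if rules[-1][0] == "allow" else "allow"), None, stats

def lint(acls, rules):
    """Names used but never defined (Squid refuses to start) and defined but never used."""
    used = {t.lstrip("!") for _, terms in rules for t in terms}
    return {"undefined": sorted(used - set(acls)), "unused": sorted(set(acls) - used)}

def decisions():
    """Constructed requests against the posted rules, 'adobe-sites' read as 'blacklist-sites'."""
    acls, rules = parse_config(CONFIG.replace("deny adobe-sites", "deny blacklist-sites"), ACL_FILES)
    reqs = {
        "lan_citrix": Request("10.1.2.3", "CONNECT", "203.0.113.10", 2598, "203.0.113.10:2598"),
        "outside_citrix": Request("198.51.100.7", "CONNECT", "203.0.113.10", 2598, "203.0.113.10:2598"),
        "lan_connect_25": Request("10.1.2.3", "CONNECT", "mail.example", 25, "mail.example:25"),
    }
    return {name: evaluate(acls, rules, r) for name, r in reqs.items()}
```

Running decisions() shows the shape of the problem the thread is about: the Citrix tunnel to an IP-literal destination is decided at the third line after one reverse DNS lookup, because the dstdom_regex deny sits ahead of the cheap port test; a CONNECT to port 25 from the LAN runs through ten tests and is then allowed by the final "allow localnet" line, since the "deny !Safe_ports" and "deny CONNECT !SSL_ports" lines are commented out; and the "allow Citrix_Ports" line carries no src term, so the same tunnel from an address outside localnet is allowed too. Putting the src and port tests ahead of the regex and DNS-bound tests, and tying the port allow to a source ACL, is the kind of reordering the reply is asking to see before it can say more.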
