I expect I'll get shot down for this, but this is what I run (after a good deal of trial & error) on my squid boxes (~700 users). YMMV.

$ tail /etc/sysctl.conf
#net.inet.tcp.ecn=1
net.inet.ip.ifq.maxlen=512
#net.inet.tcp.ackonpush=1
#
net.inet.tcp.recvspace=262144
net.inet.tcp.sendspace=262144
net.inet.udp.recvspace=262144
net.inet.udp.sendspace=262144
#
kern.maxfiles=8192
#
kern.maxclusters=8192

and login.conf:

daemon:\
        :ignorenologin:\
        :datasize=infinity:\
        :maxproc=infinity:\
        :openfiles=5000:\
        :stacksize=8M:\
        :localcipher=blowfish,8:\
        :tc=default:

/Pete

On 14 June 2010, at 22.43, Price, Joe wrote:

> Hello, I'm going to summarize this..
>
> Basically, I have the squid port running on 4.6 i386 GENERIC and it is
> considerably slow. I have about 8 offices running similar configuration and
> they all exhibit similar behavior. When I turn off the proxy I get mad
> download speeds. When I turn the proxy on I get a fraction of my maximum
> throughput. I have been running tests from speedtest.net and I get ~20M down
> without proxy turned on, and ~5M down with it on.. My upload stays about the
> same ~2.5M. I've done these tests quite a few times and it seems very
> consistent. This doesn't seem acceptable..
>
> I also tried tinyproxy just to compare/contrast and I get the same speeds
> through that as well. Both were installed from ports. I've done quite a bit of
> trying different things and reading online, but I don't see any clues to
> something where it's obviously not squid specific.
>
> Any help is greatly appreciated.
>
> Some specs from my primary test firewall:
> cpu0: Intel(R) Xeon(TM) CPU 2.80GHz ("GenuineIntel" 686-class) 2.81 GHz
> cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,CNXT-ID,CX16,xTPR
> real mem = 2146795520 (2047MB)
> avail mem = 2067058688 (1971MB)
>
>
> Squid.conf (from the machine I did the most testing from, and that has the
> most bandwidth and users):
> http_port XXX.XXX.0.108:3128
>
> hierarchy_stoplist cgi-bin ?
>
> cache_dir null /tmp
>
> cache_access_log /var/squid/logs/access.log
>
> cache_store_log none
>
> dns_nameservers localhost
>
> redirect_children 10
>
> redirect_rewrites_host_header off
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
>
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> acl proxy_users_port myport 3128
>
> http_access allow all
>
> http_access deny all
>
> http_reply_access allow all
>
> icp_access allow all
> tcp_outgoing_address XX.XXX.XX.81
>
> cache_mgr info...@xxxxx.xxx
>
> coredump_dir /var/squid/cache
>

Pete Vickers
p...@systemnet.no | +47 48 17 91 00
SystemNet AS