Optimized Squid Cache Settings

I’ve spent the last year perfecting my squid cache configuration and come up with the following… I have a 1TB hard drive and an Intel Core Duo processor running at 3.0 (Stepping 0a), operating on openSUSE 12.3.

Performance by the numbers:

Bloomberg.com without Cache:

Average load times (seconds) for 10 run(s)

Test #    Time       DOM Interactive   DOM Complete   Load Event End
1         17:16:05   2.385             3.305          3.48
2         17:16:10   2.167             2.974          3.149
3         17:16:13   2.246             3.068          3.237
4         17:16:17   2.149             2.959          3.169
5         17:16:21   2.218             3.21           3.447
6         17:16:26   2.185             3.872          4.058
7         17:16:31   2.172             3.03           3.211
8         17:16:35   2.306             3.09           3.277
9         17:16:39   2.534             3.425          3.611
10        17:16:43   2.19              3.137          3.357
Average              2.255             3.207          3.4

Bloomberg.com with Cache:

Average load times (seconds) for 10 run(s)

Test #    Time       DOM Interactive   DOM Complete   Load Event End
1         17:14:36   1.79              2.933          3.118
2         17:14:41   3.044             4.098          4.262
3         17:14:45   2.263             3.233          3.425
4         17:14:50   1.982             3.036          3.257
5         17:14:54   1.958             5.053          5.234
6         17:15:00   1.991             2.989          3.164
7         17:15:05   2.002             3.338          3.527
8         17:15:09   2.001             3.291          3.463
9         17:15:14   1.957             3.212          3.386
10        17:15:19   2.028             3.374          3.565
Average              2.102             3.456          3.64

Cache Performance Statistics:

Hits as % of all requests: 5min: 60.6%, 60min: 60.6%
Hits as % of bytes sent: 5min: 78.9%, 60min: 78.9%
Memory hits as % of hit requests: 5min: 2.3%, 60min: 2.3%
Disk hits as % of hit requests: 5min: 86.0%, 60min: 86.0%
Cache Hits: 0.00000 0.00000
Near Hits: 0.11465 0.11465

– Configuration: Last Updated: 06-27-2013

#
#Recommended minimum configuration:
#
always_direct allow all
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl Safe_ports port 1-65535
acl CONNECT method GET POST HEAD CONNECT PUT DELETE # http
acl block-fnes urlpath_regex -i .*/fnes/echo

#Enable ecap module for gzip compression
#ecap_enable on
#ecap_service gzip_service respmod_precache 0 ecap://www.vigos.com/ecap_gzip
#loadable_modules /usr/local/lib/ecap_adapter_gzip.so
#acl GZIP_HTTP_STATUS http_status 200
#adaptation_access gzip_service allow GZIP_HTTP_STATUS
#icap_enable on
# icap_send_client_ip on
# icap_send_client_username on
# icap_client_username_encode off
# icap_client_username_header X-Authenticated-User
# icap_preview_enable on
# icap_preview_size 1024
# icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
# adaptation_access service_req allow all
# icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
# adaptation_access service_resp allow all

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost

acl noscan dstdomain .symantecliveupdate.com liveupdate.symantec.com update.immunet.com psi3.secunia.com
no_cache deny noscan
always_direct allow noscan
http_access deny block-fnes
http_access allow all

# Deny requests to certain unsafe ports

# Deny CONNECT to other than secure SSL ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on .localhost. is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
#cache_peer 192.168.1.1 parent 8080 0 default no-query no-digest no-netdb-exchange
#never_direct allow all

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed

# allow localhost always proxy functionality

# And finally deny all other access to this proxy

# Squid normally listens to port 3128
http_port 8080 transparent
http_port 8443 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/mydlp/ssl/private.pem cert=/etc/mydlp/ssl/public.pem

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.
cache_dir aufs /var/cache/squid/cache0 160000 32 256
cache_dir aufs /var/cache/squid/cache1 160000 32 256

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

# Add any of your own refresh_pattern entries above these.
# Patterns are tried in order; the first regex that matches the URL wins.
refresh_pattern -i \.(gif|png|jpg|jpeg|ico|bmp|tiff|webp|bif|gif\?|png\?|jpg\?|jpeg\?|ico\?|bmp\?|tiff\?|webp\?|bif\?|ver|ver\?)$ 66000 90% 100000 override-expire reload-into-ims ignore-reload
refresh_pattern -i \.(swf|swf\?|js|js\?|wav|css|css\?|class|dat|zsci|do|do\?|ts|ts\?|ver|ver\?|ad|ad\?|vcs|vcs\?)$ 66000 90% 150000 override-expire reload-into-ims
# Never cache Symantec LiveUpdate zip archives; must come before the generic archive pattern below.
refresh_pattern -i ^http:\/\/liveupdate.symantecliveupdate.com.*\.(zip) 0 0% 0
refresh_pattern -i \.(bin|deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|docx|tiff|pdf|uxx|gz|xls|xlsx|psd|crl|msi|dll|dll\?)$ 66000 90% 200000 override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern -i \.(html|htm|html\?|htm\?)$ 9440 90% 100000 override-expire reload-into-ims
refresh_pattern -i \.(xml|xml\?|flow|flow\?)$ 0 90% 100000
refresh_pattern -i \.(json|json\?)$ 1440 90% 5760 override-expire reload-into-ims
# Anything with a query string or under /cgi-bin/ is never considered fresh.
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern -i ^ftp: 5440 90% 10080
refresh_pattern -i ^gopher: 1440 0% 1440
# Catch-all: keep last.
refresh_pattern -i . 0 90% 5760
ignore_expect_100 on
log_icp_queries off
minimum_object_size 0 KB
#buffered_logs on
pipeline_prefetch on
cache_effective_user squid
#header_replace User-Agent Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.93 Safari/537.36
#header_replace User-Agent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1207.1 Safari/537.2
#header_replace User-Agent Mozilla/5.0 (X11; U;) Gecko/20080221 Firefox/2.0.0.9
maximum_object_size 1 GB
maximum_object_size_in_memory 42 KB
visible_hostname shadow
unique_hostname shadow-DHS
cache_store_log none
shutdown_lifetime 0 second
request_header_max_size 256 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap GDSF
half_closed_clients off
request_header_access Via deny all
max_filedesc 65535
connect_timeout 15 second
check_hostnames off
cache_effective_group squid
access_log syslog squid
access_log /var/log/squid/access.log squid
client_db off
#forwarded_for off
memory_pools off
cache_mem 1024 MB
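The refresh_pattern list above is evaluated top to bottom and the first regex that matches the full URL decides min/percent/max. Several consequences are easy to miss: every `foo\?` alternative sits directly before a `$` anchor, so it only matches a URL that literally ends in `.jpg?`, and a real query string such as `.jpg?v=3` falls through to `(/cgi-bin/|\?) 0 0% 0`; the Symantec rule only works because it precedes the generic archive rule; and a regex that does not compile, such as `\(zip)` with its unbalanced parenthesis, is rejected outright. The Python script below is an added example, not code from the page or from Squid: it parses the page's patterns (the third and sixth written as `\.(zip)` and `xml\?`, the forms that compile, with the override options dropped), picks the first match for constructed sample URLs using Python's `re` as an approximation of Squid's POSIX regex engine, and applies a simplified freshness check that ignores explicit Expires/Cache-Control headers and the override options.

```python
import re

# refresh_pattern lines from the page's squid.conf, in their original order.
# The trailing override-expire/reload-into-ims/ignore-reload options are left
# out because the simplified freshness check below does not model them.
# Squid compiles each regex as POSIX extended and matches it against the
# full URL; Python's re module is used here as an approximation.
RAW_PATTERNS = r"""
-i \.(gif|png|jpg|jpeg|ico|bmp|tiff|webp|bif|gif\?|png\?|jpg\?|jpeg\?|ico\?|bmp\?|tiff\?|webp\?|bif\?|ver|ver\?)$ 66000 90% 100000
-i \.(swf|swf\?|js|js\?|wav|css|css\?|class|dat|zsci|do|do\?|ts|ts\?|ver|ver\?|ad|ad\?|vcs|vcs\?)$ 66000 90% 150000
-i ^http:\/\/liveupdate.symantecliveupdate.com.*\.(zip) 0 0% 0
-i \.(bin|deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|docx|tiff|pdf|uxx|gz|xls|xlsx|psd|crl|msi|dll|dll\?)$ 66000 90% 200000
-i \.(html|htm|html\?|htm\?)$ 9440 90% 100000
-i \.(xml|xml\?|flow|flow\?)$ 0 90% 100000
-i \.(json|json\?)$ 1440 90% 5760
-i (/cgi-bin/|\?) 0 0% 0
-i ^ftp: 5440 90% 10080
-i ^gopher: 1440 0% 1440
-i . 0 90% 5760
"""


def parse_refresh_patterns(text):
    """Return a list of (compiled_regex, min_minutes, percent, max_minutes)."""
    patterns = []
    for line in text.strip().splitlines():
        tokens = line.split()
        flags = 0
        if tokens[0] == "-i":          # case-insensitive match
            flags = re.IGNORECASE
            tokens = tokens[1:]
        regex = tokens[0]
        mn, pct, mx = int(tokens[1]), int(tokens[2].rstrip("%")), int(tokens[3])
        patterns.append((re.compile(regex, flags), mn, pct, mx))
    return patterns


PATTERNS = parse_refresh_patterns(RAW_PATTERNS)


def pattern_compiles(regex):
    """True if the regex is accepted; an unbalanced parenthesis is not."""
    try:
        re.compile(regex)
        return True
    except re.error:
        return False


def match_pattern(url, patterns=PATTERNS):
    """Squid uses the FIRST refresh_pattern whose regex matches the URL."""
    for idx, (rx, mn, pct, mx) in enumerate(patterns):
        if rx.search(url):
            return idx, mn, pct, mx
    return None


def is_fresh(url, age_min, lm_age_min=None, patterns=PATTERNS):
    """Simplified Squid rule for a response without explicit Expires or
    Cache-Control: stale beyond max; fresh up to min; otherwise fresh while
    age is below `percent` of the time since Last-Modified."""
    idx, mn, pct, mx = match_pattern(url, patterns)
    if age_min > mx:
        return False
    if age_min <= mn:
        return True
    if lm_age_min:
        return (age_min / lm_age_min) * 100 < pct
    return False


# Constructed sample URLs (example.com is a reserved documentation domain).
SAMPLE_URLS = [
    "http://example.com/img/logo.png",
    "http://example.com/img/logo.png?v=3",
    "http://example.com/img/logo.png?",
    "http://liveupdate.symantecliveupdate.com/patch.zip",
    "http://example.com/download/tool.zip",
    "http://example.com/api/data.JSON",
    "http://example.com/",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        idx, mn, pct, mx = match_pattern(url)
        print(f"{url:52} -> pattern #{idx}: {mn} {pct}% {mx}")
    print("'.*\\(zip)' compiles:", pattern_compiles(r".*\(zip)"))
```

Running it shows `logo.png?v=3` landing on pattern #7 (never fresh) while `logo.png` and `logo.png?` land on pattern #0, and the LiveUpdate archive landing on pattern #2 rather than the generic archive rule #3. If you want versioned static assets cached, the `\?` alternatives need a pattern without the trailing `$` (or a dedicated pattern placed before the `(/cgi-bin/|\?)` line).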
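The access-control section of the configuration keeps the comments from Squid's default file ("Deny requests to certain unsafe ports", "Deny CONNECT to other than secure SSL ports", "And finally deny all other access to this proxy") but the directives under them are gone; what remains is `acl Safe_ports port 1-65535` and `http_access allow all`, so any client that can reach port 8080 can relay through the proxy to any destination port. The Python script below is an added example, not the page's or Squid's code: it models Squid's first-match `http_access` evaluation and runs constructed requests through the page's effective rules and through the ordering of Squid's shipped default configuration. The ACL table, the sample addresses (203.0.113.0/24 is the RFC 5737 documentation range) and the `CONNECT` ACL in its standard single-method form are assumptions for the illustration.

```python
import ipaddress
import re

# ACL table constructed to mirror the page's squid.conf (IPv4 only).
# Value types: "src" -> CIDR networks, "port" -> (low, high) ranges,
# "method" -> HTTP methods, "urlpath_regex" -> regexes tried against the URL path.
ACLS = {
    "localhost":  ("src", [ipaddress.ip_network("127.0.0.1/32")]),
    "localnet":   ("src", [ipaddress.ip_network(n) for n in
                           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]),
    "all":        ("src", [ipaddress.ip_network("0.0.0.0/0")]),
    # The page's Safe_ports spans every port, so "deny !Safe_ports" could never fire.
    "Safe_ports": ("port", [(1, 65535)]),
    # Safe_ports and SSL_ports as shipped in Squid's default squid.conf.
    "Safe_ports_default": ("port", [(80, 80), (21, 21), (443, 443), (70, 70),
                                    (210, 210), (1025, 65535), (280, 280),
                                    (488, 488), (591, 591), (777, 777)]),
    "SSL_ports":  ("port", [(443, 443)]),
    # Standard single-method definition (the page widens CONNECT to six methods,
    # which would make "deny CONNECT !SSL_ports" block plain GETs to port 80).
    "CONNECT":    ("method", ["CONNECT"]),
    "block-fnes": ("urlpath_regex", [re.compile(r".*/fnes/echo", re.IGNORECASE)]),
}


def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "src":
        return any(ipaddress.ip_address(req["src"]) in net for net in values)
    if kind == "port":
        return any(lo <= req["port"] <= hi for lo, hi in values)
    if kind == "method":
        return req["method"] in values
    if kind == "urlpath_regex":
        return any(rx.search(req["path"]) for rx in values)
    raise ValueError(kind)


def http_access(rules, req):
    """First-match evaluation like Squid's http_access: a line matches when every
    ACL term on it matches (a leading '!' negates a term). If no line matches,
    Squid applies the opposite of the last line's action."""
    for action, terms in rules:
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


# The page's effective policy: one path blocked, then everyone allowed.
PAGE_RULES = [
    ("deny",  ["block-fnes"]),
    ("allow", ["all"]),
]

# Hardened ordering, following the "recommended minimum" that the page's
# comments refer to but whose directives were removed.
HARDENED_RULES = [
    ("deny",  ["!Safe_ports_default"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("deny",  ["block-fnes"]),
    ("allow", ["localnet"]),
    ("allow", ["localhost"]),
    ("deny",  ["all"]),
]

# Constructed sample requests.
REQUESTS = {
    "lan_http":         {"src": "192.168.1.20", "port": 80,  "method": "GET",     "path": "/index.html"},
    "lan_tls_connect":  {"src": "192.168.1.20", "port": 443, "method": "CONNECT", "path": ""},
    "lan_fnes":         {"src": "10.1.2.3",     "port": 80,  "method": "GET",     "path": "/app/fnes/echo"},
    "wan_smtp_connect": {"src": "203.0.113.5",  "port": 25,  "method": "CONNECT", "path": ""},
    "wan_http":         {"src": "203.0.113.5",  "port": 80,  "method": "GET",     "path": "/"},
}


def compare():
    """Map each sample request to (decision under page rules, decision under hardened rules)."""
    return {name: (http_access(PAGE_RULES, r), http_access(HARDENED_RULES, r))
            for name, r in REQUESTS.items()}


if __name__ == "__main__":
    for name, (page, hardened) in compare().items():
        print(f"{name:18} page={page:5}  hardened={hardened}")
```

The two rows that matter are `wan_smtp_connect` and `wan_http`: the page's rules allow both (an outside host tunnelling to port 25 and browsing through the proxy), while the hardened ordering denies the first at `deny !Safe_ports` and the second at the closing `deny all`. Internal clients get the same answer under both rule sets, so tightening the ordering costs nothing for the LAN the proxy is meant to serve. Note that `http_port 8080 transparent` only intercepts traffic routed through the box; the explicit `allow all` is what lets any directly connected client use it.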



