Finding bottlenecks on a proxy server

To: netbsd-users%netbsd.org@localhost
Subject: Finding bottlenecks on a proxy server
From: Stephen Borrill <netbsd%precedence.co.uk@localhost>
Date: Mon, 4 Mar 2019 15:42:05 +0000 (GMT)

I'm using squid and dansguardian as a content-filtering web-proxy combo.

These are arranged in the chain:
clients -> squid (1) -> dansguardian -> squid (2) -> Internet

The first squid provides the most flexible filtering (time of day, MAC address, user authentication, client IP/port, etc.). It then speaks to dansguardian as an upstream proxy. dansguardian then speaks to the second squid instance to do the actual fetching (some requests bypass dansguardian on the basis of certain access rules).

squid (1) runs as user squid and runs as a single process. Its process limits are:


proc.868.rlimit.cputime.soft = unlimited
proc.868.rlimit.cputime.hard = unlimited
proc.868.rlimit.filesize.soft = unlimited
proc.868.rlimit.filesize.hard = unlimited
proc.868.rlimit.datasize.soft = 8589934592
proc.868.rlimit.datasize.hard = 8589934592
proc.868.rlimit.stacksize.soft = 4194304
proc.868.rlimit.stacksize.hard = 134217728
proc.868.rlimit.coredumpsize.soft = unlimited
proc.868.rlimit.coredumpsize.hard = unlimited
proc.868.rlimit.memoryuse.soft = 6220451840
proc.868.rlimit.memoryuse.hard = 6220451840
proc.868.rlimit.memorylocked.soft = 2073483946
proc.868.rlimit.memorylocked.hard = 6220451840
proc.868.rlimit.maxproc.soft = 1024
proc.868.rlimit.maxproc.hard = 2068
proc.868.rlimit.descriptors.soft = 24576
proc.868.rlimit.descriptors.hard = 24576
proc.868.rlimit.sbsize.soft = unlimited
proc.868.rlimit.sbsize.hard = unlimited
proc.868.rlimit.vmemoryuse.soft = unlimited
proc.868.rlimit.vmemoryuse.hard = unlimited
proc.868.rlimit.maxlwp.soft = 1024
proc.868.rlimit.maxlwp.hard = 2048
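
To compare the limits of the different processes without reading the listings by eye, output in the format above can be turned into a dictionary. This is only a minimal sketch: the function name parse_rlimits is hypothetical, and it assumes every line has the form proc.<pid>.rlimit.<name>.<soft|hard> = <value> as shown in the listing.

```python
def parse_rlimits(text):
    """Parse 'proc.<pid>.rlimit.<name>.<soft|hard> = <value>' lines.

    Returns {name: {"soft": value, "hard": value}} where value is an int,
    or None when the limit is 'unlimited'. Other lines are ignored.
    """
    limits = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        parts = key.strip().split(".")
        # Expect exactly: proc, <pid>, rlimit, <name>, <soft|hard>
        if not sep or len(parts) != 5 or parts[0] != "proc" or parts[2] != "rlimit":
            continue
        name, kind = parts[3], parts[4]
        value = value.strip()
        limits.setdefault(name, {})[kind] = None if value == "unlimited" else int(value)
    return limits


sample = """\
proc.868.rlimit.descriptors.soft = 24576
proc.868.rlimit.descriptors.hard = 24576
proc.868.rlimit.sbsize.soft = unlimited
"""
print(parse_rlimits(sample))
```

Running the same function over the listing for each process makes differences (for example in descriptors or maxproc) easy to spot.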

dansguardian runs as user dangrdn and runs as a traditional forking parent/child pool. It listens on port 8124. There is a limit of 250 child processes. The parent process has the following limits:


proc.1231.rlimit.cputime.soft = unlimited
proc.1231.rlimit.cputime.hard = unlimited
proc.1231.rlimit.filesize.soft = unlimited
proc.1231.rlimit.filesize.hard = unlimited
proc.1231.rlimit.datasize.soft = 268435456
proc.1231.rlimit.datasize.hard = 8589934592
proc.1231.rlimit.stacksize.soft = 4194304
proc.1231.rlimit.stacksize.hard = 134217728
proc.1231.rlimit.coredumpsize.soft = unlimited
proc.1231.rlimit.coredumpsize.hard = unlimited
proc.1231.rlimit.memoryuse.soft = 6220451840
proc.1231.rlimit.memoryuse.hard = 6220451840
proc.1231.rlimit.memorylocked.soft = 2073483946
proc.1231.rlimit.memorylocked.hard = 6220451840
proc.1231.rlimit.maxproc.soft = 320
proc.1231.rlimit.maxproc.hard = 320
proc.1231.rlimit.descriptors.soft = 320
proc.1231.rlimit.descriptors.hard = 320
proc.1231.rlimit.sbsize.soft = unlimited
proc.1231.rlimit.sbsize.hard = unlimited
proc.1231.rlimit.vmemoryuse.soft = unlimited
proc.1231.rlimit.vmemoryuse.hard = unlimited
proc.1231.rlimit.maxlwp.soft = 1024
proc.1231.rlimit.maxlwp.hard = 2048

The parent process has a unix socket connection to each child and a few extra descriptors for log, files, etc. It appears to use 6 more descriptors than current children, so the limits above should be ample. Each child uses 10 (if dormant) or 12 (if active) descriptors and they inherit the above limits.
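
The arithmetic behind "should be ample" can be written out as a quick check. All the numbers below are taken from the figures quoted in this message; the variable names are just for illustration, and the sketch only covers the per-process limits listed above, not any system-wide ceiling.

```python
MAX_CHILDREN = 250        # configured child limit
PARENT_OVERHEAD = 6       # descriptors the parent uses beyond one per child (observed)
CHILD_FDS_ACTIVE = 12     # descriptors per active child (observed)
DESCRIPTOR_LIMIT = 320    # rlimit.descriptors (soft and hard) for the parent
MAXPROC_LIMIT = 320       # rlimit.maxproc (soft and hard) for the parent

# Parent: one socket per child plus a few extras.
parent_fds = MAX_CHILDREN + PARENT_OVERHEAD
parent_headroom = DESCRIPTOR_LIMIT - parent_fds

# Each child inherits the same descriptor limit but needs far fewer.
child_headroom = DESCRIPTOR_LIMIT - CHILD_FDS_ACTIVE

# Processes owned by the dansguardian user: the children plus the parent.
process_count = MAX_CHILDREN + 1
process_headroom = MAXPROC_LIMIT - process_count

# Descriptors open across the whole pool when every child is active.
total_child_fds = MAX_CHILDREN * CHILD_FDS_ACTIVE

print(f"parent descriptors at full pool: {parent_fds} (headroom {parent_headroom})")
print(f"per-child descriptor headroom:   {child_headroom}")
print(f"processes at full pool:          {process_count} (headroom {process_headroom})")
print(f"descriptors across all children: {total_child_fds}")
```

On these figures neither the descriptor limit nor the process limit of dansguardian itself is reached at 250 children.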

The second squid process runs as user nobody and is (currently) configured to do no caching or access logging. I'll refer to it as squidnc (nc = no cache). It listens on port 8123. It has the same process limits as the first squid process.

At busy times, the dansguardian processes stack up and hit the 250 limit. Web access then slows to a crawl as requests queue waiting for a free child. At that point users start shouting and time to investigate is short.
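
One way to reason about when the pool fills is Little's law: with a fixed number of children, the sustainable request rate is the number of children divided by the mean time each request holds a child. The sketch below assumes that model applies here; the hold times are hypothetical values chosen for illustration, not measurements from this server.

```python
def max_request_rate(children, mean_hold_seconds):
    """Upper bound on requests/second for a fixed-size worker pool
    (Little's law: concurrency = rate * mean hold time)."""
    return children / mean_hold_seconds


# Hypothetical mean times a request occupies a dansguardian child.
for hold in (0.1, 0.5, 2.0):
    rate = max_request_rate(250, hold)
    print(f"{hold:>4} s per request -> at most {rate:.0f} requests/s")
```

If the time spent waiting on the upstream proxy grows, the same 250 children sustain proportionally fewer requests per second, which would look like the pool stacking up even with no change in client load.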

Both squid processes have a similar number of file descriptors open. The main squid is around 40 higher, reflecting the fact that it is manipulating its cache and there are a few helpers running. CPU usage is low. top shows the squids are in kqueue state. Inbound bandwidth is not limiting this.


squidnc does not log anything. dansguardian logs:

dansguardian[11094]: Error 9 (Bad file descriptor) connecting to proxy 127.0.0.1:8123 by client 10.4.4.2
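
To see whether these errors cluster at busy times or around particular clients, the log lines can be split into fields. This is a rough sketch: the regular expression is derived only from the single line quoted above, so it is an assumption that other dansguardian messages follow the same layout, and parse_log_line is a hypothetical helper name.

```python
import errno
import re

# Pattern based on the one log line quoted in the message. The whitespace
# after "proxy" is optional so that wrapped or unwrapped copies both match.
LOG_RE = re.compile(
    r"dansguardian\[(?P<pid>\d+)\]: Error (?P<errno>\d+) \((?P<msg>[^)]*)\) "
    r"connecting to proxy\s*(?P<proxy>\S+) by client (?P<client>\S+)"
)


def parse_log_line(line):
    """Return a dict of fields from a matching log line, or None."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    info = m.groupdict()
    info["pid"] = int(info["pid"])
    info["errno"] = int(info["errno"])
    # Symbolic name as known to the host running this script.
    info["errno_name"] = errno.errorcode.get(info["errno"], "unknown")
    return info


line = ("dansguardian[11094]: Error 9 (Bad file descriptor) "
        "connecting to proxy 127.0.0.1:8123 by client 10.4.4.2")
print(parse_log_line(line))
```

Error 9 is EBADF, which refers to the descriptor dansguardian itself was using at the time, so the message alone does not show which side of the connection failed first.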

My theory is that squidnc is the bottleneck (even though it is doing the least work), however I do not have any hard evidence of this. I am looking for help on finding and fixing any such bottlenecks or, if I'm looking in entirely the wrong place, suggestions of better places to look.
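
One cheap piece of evidence would be how long a plain TCP connect to squidnc takes during a busy period compared with a quiet one. The following is a sketch of such a probe, not a diagnosis tool: time_connect and sample_connects are hypothetical helper names, and the only values taken from this message are the address 127.0.0.1 and port 8123.

```python
import socket
import time


def time_connect(host, port, timeout=5.0):
    """Return the seconds taken to complete a TCP connect, or None on failure."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return time.monotonic() - start
    except OSError:
        # Covers refused connections, timeouts and unreachable hosts.
        return None


def sample_connects(host, port, count=5, interval=1.0):
    """Take `count` connect timings, sleeping `interval` seconds between them."""
    results = []
    for i in range(count):
        results.append(time_connect(host, port))
        if i + 1 < count:
            time.sleep(interval)
    return results
```

Calling sample_connects("127.0.0.1", 8123) on the proxy host would give a handful of timings for squidnc. Slow or failed connects would point at the listener not keeping up. Fast connects are weaker evidence, because the kernel completes the handshake before the application accepts the connection, so a follow-up probe that sends a real request through the proxy would be needed to time the fetch itself.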


All on NetBSD 7.2_STABLE amd64 with adequate RAM.

--
Stephen

Follow-Ups:
- Re: Finding bottlenecks on a proxy server
  - From: Brett Lymn
- Re: Finding bottlenecks on a proxy server
  - From: Robert Elz
