We have a Linux 3.16 with squid 3.4.8 listening on port 3128 (not a transparent proxy).
And about 1200 Windows clients, spread over 50 different sites. They use the proxy to navigate on the internet.
Our proxy.pac, simplified:
function FindProxyForURL( url, host ) {
    return "PROXY 10.1.1.108:3128; DIRECT";
}
The questions:
I cannot find the value of backlog used by squid3 on its listening socket. Is there a setting or does squid use the linux default ?
squid3 / debian / daemon script: why did the maintainers set ulimit -n 65535?
How can I check if the clients go direct because the Linux server is too slow / undersized to accept the incoming connections? Are there specific logging settings for Linux and squid3?
The Linux server has this tcp backlog:
cat /proc/sys/net/ipv4/tcp_max_syn_backlog
256
Does squid3 inherit this setting when calling
or does squid3 set its own specific value?
About max open file descriptors
Use operating system limits set by ulimit
It isn't so simple. Our server can open a maximum of
cat /proc/sys/fs/file-max
818029
How many fd can squid3 handle ?
squidclient mgr:info | grep 'file descri'
Sending HTTP request ... done.
Maximum number of file descriptors: 65535
It is a Debian 8, and the maintainers built this daemon script:
cat /etc/init.d/squid3 | grep ulimit
ulimit -n 65535
So, what is the rationale for limiting squid3 fd to 65535?
Best regards, Sala
Please only ask one question at a time.
Your PAC tells the browser it may use a proxy or go direct. The browser gets to choose, but should prefer using the proxy. How it does the choosing is browser specific.
The OS's underlying TCP settings may have an effect on what actually gets delivered to Squid. The squid.conf max_filedescriptors setting determines an upper limit on the number of FDs (both sockets and files) Squid can handle concurrently; each incoming client TCP connection requires between 2 and 6 FDs to produce a response.
If that is your PAC, then successful download and parsing of that PAC file. Once a browser gets a PAC, it doesn't try to not use it after a timeout.
Well, if a client decides not to use the proxy, nothing is going to be logged in squid, since the client isn't using the proxy. Nothing is going to be logged on the Linux box at all really, unless you have set up firewall rules.
Anyway, if you really want to force the proxy, just block outgoing tcp ports 443/80 on your border devices unless the requests come from the proxy.
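The fail-open fallback discussed in this thread, as an added example that is not part of any post here: the PAC from the question beside a fail-closed variant that sends only intranet destinations DIRECT, plus a helper that shows which results let external traffic bypass the (unlogging) proxy. The browser-provided PAC helpers are re-implemented inline so the file runs under Node, and ".corp.example" is an assumed placeholder intranet domain.

```javascript
// Added example (not from the thread). Two PAC variants for the 10.1.1.108:3128
// proxy in the question. The PAC built-ins isPlainHostName/dnsDomainIs exist only
// in the browser's PAC sandbox, so equivalents are defined here for Node testing.
"use strict";

const PROXY = "PROXY 10.1.1.108:3128";
const INTERNAL_SUFFIX = ".corp.example"; // assumed placeholder intranet domain

// Minimal stand-ins for PAC built-ins (the real ones are supplied by the browser).
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) { return host.toLowerCase().endsWith(domain.toLowerCase()); }
function isPrivateIPv4(host) {
  const m = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(host);
  if (!m) return false;
  const a = +m[1], b = +m[2];
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Fail-open variant (the one in the question): the trailing DIRECT lets the
// browser silently bypass the proxy when the proxy is slow or unreachable,
// and squid never sees or logs that traffic.
function findProxyFailOpen(url, host) {
  return PROXY + "; DIRECT";
}

// Fail-closed variant: intranet destinations go DIRECT, everything else gets the
// proxy with no fallback, so an unreachable proxy yields a visible browser error
// instead of unlogged direct internet traffic.
function findProxyFailClosed(url, host) {
  if (isPlainHostName(host) || dnsDomainIs(host, INTERNAL_SUFFIX) || isPrivateIPv4(host)) {
    return "DIRECT";
  }
  return PROXY;
}

// Split a PAC result into the ordered candidate list a browser walks through.
function parsePacResult(result) {
  return result.split(";").map(s => s.trim()).filter(Boolean);
}

// True when the PAC allows the given destination to bypass the proxy entirely.
function allowsDirectBypass(pacFn, url, host) {
  return parsePacResult(pacFn(url, host)).includes("DIRECT");
}
```

Running allowsDirectBypass over the hosts your clients actually visit is a quick way to see which destinations can ever reach the internet unproxied before relying on the border-firewall block.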