@@ -1168,3 +1168,165 @@ known!
11681168What is (not)happening here?
11691169many thanks, L.
11701170
1171+ From brad at brad-house.com Sun Feb 15 20:00:33 2026
1172+ From: brad at brad-house.com (Brad House)
1173+ Date: Sun, 15 Feb 2026 15:00:33 -0500
1174+ Subject: [squid-users] Performance issue -- serving from cache
1175+ In-Reply-To: <40488257-7285-479c-ac23-b6c2345afc34@treenet.co.nz>
1176+ References: <f771f546-f92e-4c74-9dd5-218653b3f701@brad-house.com>
1177+ <40488257-7285-479c-ac23-b6c2345afc34@treenet.co.nz>
1178+ Message-ID: <bc57fede-9470-4686-a033-7c2212633c8a@brad-house.com>
1179+
1180+ On 2/15/26 2:38 AM, Amos Jeffries wrote:
1181+
1182+ > On 15/02/2026 08:45, Brad House wrote:
1183+ >> I've got a squid deployment where serving from cache can be slower
1184+ >> than an uncached download.? I'm seeing speeds of around 50MB/s when
1185+ >> serving from cache, which is much slower than anticipated.? Infact,
1186+ >> when hitting fast upstream servers, serving of a non-cached asset is
1187+ >> faster (even though its still hitting squid to fetch it).
1188+ >>
1189+ >> I'm thinking there's got to be something wrong with my squid
1190+ >> configuration, I'm currently running on Rocky Linux 10 with Squid
1191+ >> 6.10-6.
1192+ >>
1193+ >
1194+ > When your networks I/O is faster than disk I/O, it is best not to
1195+ > store at all.
1196+ >
1197+ > Like so:
1198+ > ? acl fast_servers dst ...
1199+ > ? store_miss deny fast_servers
1200+
1201+
1202+ Our Disk I/O is a few orders of magnitude faster than our internet
1203+ speed, so caching should be able to serve much much faster.? ?I provided
1204+ benchmarks of our Disk I/O measured with FIO on the VM.? We also want to
1205+ be nice to upstream providers we are fetching from.
1206+
1207+
1208+ >> The VM I'm using currently has 4 cores, 16G RAM and 100G of usable
1209+ >> space.
1210+ >
1211+ > You have configured your Squid to use 318 GB of cache. That will not
1212+ > fit within 100 GB.
1213+
1214+
1215+ Sorry, I typo'd that number, it was supposed to say 400G:
1216+
1217+ Filesystem? ? ? Size? Used Avail Use% Mounted on
1218+ /dev/sda4? ? ? ?399G? ?14G? 385G? ?4% /
1219+
1220+
1221+ >> We have a large on site build system that spins up runners for GitHub
1222+ >> actions, and they're constantly fetching large assets from the
1223+ >> internet for each build, hence our desire for a caching proxy.? We'd
1224+ >> rather not switch to Apache Traffic Server as that doesn't have SSL
1225+ >> bump capability (we haven't yet enabled that capability in squid,
1226+ >> however). Hopefully there's a simple configuration I'm missing.
1227+ >
1228+ > In this case I think you want to prevent small objects from being
1229+ > stored in the disk cache. They can benefit from the fast network speed
1230+ > and should not inflate your bandwidth use much.
1231+ >
1232+ > ? cache_dir ... min-size=102400
1233+
1234+
1235+ We'd like to cache even small objects due to rate limiting we can hit at
1236+ the remote sites.? We're spawning thousands of GHAs a day all, a large
1237+ number of which fetch the same files (and we can't just change the fetch
1238+ location as we are building OSS packages which fetch these packages as
1239+ part of their build system).
1240+
1241+
1242+ >>
1243+ >> Just for testing I was pulling large image via http that is below my
1244+ >> max object size:
1245+ >> http://mirrors.edge.kernel.org/ubuntu-releases/20.04.6/
1246+ >> ubuntu-20.04.6-live-server-amd64.iso
1247+ >>
1248+ >> Configuration below:
1249+ >>
1250+ >> acl public src 0.0.0.0/0
1251+ >
1252+ > The above is the same as:
1253+ > ? acl public src ipv4
1254+
1255+
1256+ Thanks
1257+
1258+
1259+ >
1260+ >> acl SSL_ports port 443
1261+ >> acl Safe_ports port 80
1262+ >> acl Safe_ports port 443
1263+ >> http_access deny !Safe_ports
1264+ >> http_access deny CONNECT !SSL_ports
1265+ >> http_access allow localhost manager
1266+ >> http_access deny manager
1267+ >
1268+ >> http_access allow public
1269+ >
1270+ > This is bad. You have an Open Proxy.
1271+ >
1272+ > Even though "public" does not include all the IPv6 range, it does
1273+ > include every possible IPv4 machine on the Internet.
1274+
1275+
1276+ This is on a private internal network segment that only certain systems
1277+ can access (like GHA runners).? We use our firewalls to control access.
1278+
1279+
1280+ >
1281+ >> http_access deny to_localhost
1282+ >> http_access deny to_linklocal
1283+ >> http_access deny all
1284+ >
1285+ > A series of deny followed by "deny all" is only useful if you are
1286+ > supplying custom error pages.
1287+
1288+
1289+ Ok, these entries just came from the stock config install with the
1290+ package from rocky.
1291+
1292+
1293+ > FYI, All these ...
1294+ >
1295+ >> refresh_pattern deb$? ?129600 100% 129600
1296+ >> refresh_pattern udeb$? ?129600 100% 129600
1297+ >> refresh_pattern tar.gz$? 129600 100% 129600
1298+ >> refresh_pattern tar.xz$? 129600 100% 129600
1299+ >> refresh_pattern tar.bz2$? 129600 100% 129600
1300+ >> refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$ 0 0% 0
1301+ >> refresh-ims
1302+ >> refresh_pattern \/Release(|\.gpg)$ 0 0% 0 refresh-ims
1303+ >> refresh_pattern \/InRelease$ 0 0% 0 refresh-ims
1304+ >> refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
1305+ >> refresh_pattern changelogs.ubuntu.com\/.*? 0? 1% 1
1306+ >>
1307+ >
1308+ > ... are only useful when the repository service does not obey HTTP/1.1
1309+ > properly. Otherwise they are detrimental.
1310+ >
1311+ > Good example, are those package tar/deb files. In a repository,
1312+ > packages contain their version details in the filename and URL. Once
1313+ > created they remain unchanged forever.
1314+ >
1315+ > Whereas, the above rules are forcing Squid to stop using any cached
1316+ > object and replace it once these files reach 90 days old.
1317+
1318+
1319+ That would obviously assume the upstream server is sending proper
1320+ cache-control headers, I haven't verified if that's the case.? I took
1321+ these rules from the squid-deb-proxy package, from what you're saying it
1322+ sounds like that package shouldn't exist anymore.
1323+
1324+ Are there any particular things I should try?? One use said to use rock
1325+ ... are there particular settings?? Are there any known performance
1326+ issues with the 6.10 release I'm using?
1327+
1328+ Thanks.
1329+
1330+ -Brad
1331+
1332+
0 commit comments