一、 概述
squid是一款优秀的open source的代理服务器软件,可以运行于多种系统平台上,但是同其他商业化的产品相比,其缺点也是很明显的,那就是它的命中率和效率相对低下。
本文主要讨论在不改变硬件条件之下,通过以下手段对squid进行性能优化:
1. 编译一个高效的、精简的新内核;
2. 对Cache分区采用reiserfs日志文件系统;
3. 重新编译squid;
4. 优化squid配置;
对于优化的效果,我使用大名鼎鼎的cacheflow公司的测试工具——cfmc进行测试比较:
首先用cfmc自带的一个脚本,从squid.conf的access.log中抽出RUL,然后以这些RUL为依据进行测试。
服务器配置:
型号:HP LH3
CPU:PII450
内存:256MB 100MHz ECC SDRAM DIMM
硬盘:9.1GB Hot-Swap Ultra2 Hard Disk
网卡:Ethernet Express PRO 100 10/100M X 2
操作系统:RedHat 7.1
优化前测试结果:
Iteration 0: Cumulative statistics; 933 seconds elapsed
Total objects: 72599, total object size: 513211102 bytes
Average object size: 7069 bytes
Average object response time: 2707 milliseconds
Objects per second: 77.81
Bytes per second: 550065, min: 550065, max: 879873
URLs discarded due to socket or connection failures: 6955
Redirections: 1017, Cookied objects: 1036
Pragma no-cache objects: 1656, Non-200 HTTP response codes: 2505
优化后测试结果:
Iteration 0: Cumulative statistics; 688 seconds elapsed
Total objects: 72599, total object size: 403833100 bytes
Average object size: 5562 bytes
Average object response time: 1890 milliseconds
Objects per second: 105.52
Bytes per second: 586966, min: 586966, max: 995582
URLs discarded due to socket or connection failures: 16372
Redirections: 1658, Cookied objects: 1000
Pragma no-cache objects: 1454, Non-200 HTTP response codes: 3132
通过对以上测试结果的比较,我们可以看出:
优化后的Objects per second增加了35.6%,Average object response time减少了43.2%,对整体性能的提升还是比较明显的。
二、 编译新内核
我们采取这样的方式来编译内核:取消内核的模块支持,将服务器所有的硬件驱动编译到内核中,此外还要注意将对reiserfs文件系统的支持也编译到内核中,从而在提供系统性能的同时增加系统安全性。在2.4.10以上的版本中,已经内置了对reiserfs文件系统的支持。
首先从http://www.kernel.org/pub/linux/kernel/v2.4/下载linux-2.4.12.tar.gz,这是当前最新的内核。
然后解开内核文件:
tar xvzf linux-2.4.12.tar.gz
进入新生成的目录并执行:
cd linux
make mrproper
make config
根据我的服务器的配置,我选择这样编译内核:
* Code maturity level options
Prompt for development and/or incomplete code/drivers (CONFIG_EXPERIMENTAL) [Y/n/?]
* Loadable module support
Enable loadable module support (CONFIG_MODULES) [N/y/?]
* Processor type and features
Processor family (386, 486, 586/K5/5x86/6x86/6x86MX, Pentium-Classic, Pentium-MM
X, Pentium-Pro/Celeron/Pentium-II, Pentium-III/Celeron(Coppermine), Pentium-4, K
6/K6-II/K6-III, Athlon/Duron/K7, Crusoe, Winchip-C6, Winchip-2, Winchip-2A/Winch
ip-3, CyrixIII/C3) [Pentium-Pro/Celeron/Pentium-II]
* General setup
Networking support (CONFIG_NET) [Y/n/?]
PCI support (CONFIG_PCI) [Y/n/?]
PCI access mode (BIOS, Direct, Any) [Any]
defined CONFIG_PCI_GOANY
PCI device name database (CONFIG_PCI_NAMES) [Y/n/?]
System V IPC (CONFIG_SYSVIPC) [Y/n/?]
Sysctl support (CONFIG_SYSCTL) [Y/n/?]
Kernel core (/proc/kcore) format (ELF, A.OUT) [ELF]
defined CONFIG_KCORE_ELF
* Plug and Play configuration
Plug and Play support (CONFIG_PNP) [Y/n/?]
* Block devices
Normal PC floppy disk support (CONFIG_BLK_DEV_FD) [Y/n/?]
* Networking options
Kernel/User netlink socket (CONFIG_NETLINK) [Y/n/?]
Routing messages (CONFIG_RTNETLINK) [Y/n/?]
Network packet filtering (replaces ipchains) (CONFIG_NETFILTER) [Y/n/?]
Unix domain sockets (CONFIG_UNIX) [Y/n/?]
TCP/IP networking (CONFIG_INET) [Y/n/?]
IP: advanced router (CONFIG_IP_ADVANCED_ROUTER) [Y/n/?]
IP: policy routing (CONFIG_IP_MULTIPLE_TABLES) [Y/n/?]
IP: use netfilter MARK value as routing key (CONFIG_IP_ROUTE_FWMARK) [Y/n/?]
IP: fast network address translation (CONFIG_IP_ROUTE_NAT) [Y/n/?]
IP: equal cost multipath (CONFIG_IP_ROUTE_MULTIPATH) [Y/n/?]
* IP: Netfilter Configuration
Connection tracking (required for masq/NAT) (CONFIG_IP_NF_CONNTRACK) [Y/n/?]
FTP protocol support (CONFIG_IP_NF_FTP) [Y/n/?]
IP tables support (required for filtering/masq/NAT) (CONFIG_IP_NF_IPTABLES) [Y/n/?]
limit match support (CONFIG_IP_NF_MATCH_LIMIT) [Y/n/?]
Multiple port match support (CONFIG_IP_NF_MATCH_MULTIPORT) [Y/n/?]
Connection state match support (CONFIG_IP_NF_MATCH_STATE) [Y/n/?]
Packet filtering (CONFIG_IP_NF_FILTER) [Y/n/?]
Full NAT (CONFIG_IP_NF_NAT) [Y/n/?]
REDIRECT target support (CONFIG_IP_NF_TARGET_REDIRECT) [Y/n/?]
LOG target support (CONFIG_IP_NF_TARGET_LOG) [Y/n/?]
ATA/IDE/MFM/RLL support (CONFIG_IDE) [Y/n/?]
* IDE, ATA and ATAPI Block devices
Enhanced IDE/MFM/RLL disk/cdrom/tape/floppy support (CONFIG_BLK_DEV_IDE) [Y/n/?]
Include IDE/ATA-2 DISK support (CONFIG_BLK_DEV_IDEDISK) [Y/n/?]
Use multi-mode by default (CONFIG_IDEDISK_MULTI_MODE) [Y/n/?]
Include IDE/ATAPI CDROM support (CONFIG_BLK_DEV_IDECD) [Y/n/?]
* SCSI support
SCSI support (CONFIG_SCSI) [Y/n/?]
* SCSI support type (disk, tape, CD-ROM)
SCSI disk support (CONFIG_BLK_DEV_SD) [Y/n/?]
Maximum number of SCSI disks that can be loaded as modules (CONFIG_SD_EXTRA_DEVS) [8]
* Some SCSI devices (e.g. CD jukebox) support multiple LUNs
Enable extra checks in new queueing code (CONFIG_SCSI_DEBUG_QUEUES) [Y/n/?]
* SCSI low-level drivers
AMI MegaRAID support (CONFIG_SCSI_MEGARAID) [Y/n/?]
SYM53C8XX SCSI support (CONFIG_SCSI_SYM53C8XX) [Y/n/?]
default tagged command queue depth (CONFIG_SCSI_NCR53C8XX_DEFAULT_TAGS) [4]
maximum number of queued commands (CONFIG_SCSI_NCR53C8XX_MAX_TAGS) [32]
synchronous transfers frequency in MHz (CONFIG_SCSI_NCR53C8XX_SYNC) [80]
* Network device support
Network device support (CONFIG_NETDEVICES) [Y/n/?]
* Ethernet (10 or 100Mbit)
Ethernet (10 or 100Mbit) (CONFIG_NET_ETHERNET) [Y/n/?]
EISA, VLB, PCI and on board controllers (CONFIG_NET_PCI) [Y/n/?]
EtherExpressPro/100 support (CONFIG_EEPRO100) [Y/n/?]
* Input core support
Input core support (CONFIG_INPUT) [Y/n/?]
Keyboard support (CONFIG_INPUT_KEYBDEV) [Y/n/?]
* Character devices
Virtual terminal (CONFIG_VT) [Y/n/?]
Support for console on virtual terminal (CONFIG_VT_CONSOLE) [Y/n/?]
Standard/generic (8250/16550 and compatible UARTs) serial support (CONFIG_SERIAL) [Y/n/?]
Unix98 PTY support (CONFIG_UNIX98_PTYS) [Y/n/?]
Maximum number of Unix98 PTYs in use (0-2048) (CONFIG_UNIX98_PTY_COUNT) [8]
* File systems
Reiserfs support (CONFIG_REISERFS_FS) [Y/n/?]
ISO 9660 CDROM file system support (CONFIG_ISO9660_FS) [Y/n/?]
/proc file system support (CONFIG_PROC_FS) [Y/n/?]
/dev/pts file system for Unix98 PTYs (CONFIG_DEVPTS_FS) [Y/n/?]
* Console drivers
VGA text console (CONFIG_VGA_CONSOLE) [Y/n/?]
这里需要说明的是:如果要使用透明代理模式,要仔细选择Netfilter,因为我们还得用iptables来重定向tcp包,以满足透明代理的要求。
假如您的服务器配置与我的不同,只需要更改相应的硬件配置参数即可,比如CPU类型、网卡、SCSI硬盘等。
接着:
make bzImage
完成后,将 arch/i386/boot/目录下的新内核bzImage拷贝到/boot/目录下,并更名为opt:
cp arch/i386/boot/bzImage /boot/
mv /boot/bzImage /boot/opt
然后编辑lilo.conf如下所示:
boot=/dev/sda
map=/boot/map
install=/boot/boot.b
prompt
timeout=50
message=/boot/message
default=opt
image=/boot/vmlinuz-2.4.2-2
label=linux
initrd=/boot/initrd-2.4.2-2.img
read-only
root=/dev/sda1
image=/boot/opt
label=opt
read-only
root=/dev/sda1
最后执行:
# lilo
Added linux
Added opt *
好了,这样我们就可以用新内核启动了,您可以发现,这样自己编译的内核要小的多,也快得多。
Squid优化完全手册(2)
http://LinuxAid.com.cn 01-10-14 18:12 58p bye2000
--------------------------------------------------------------------------------
三、 使用reiserfs文件系统
有人做过测试,在相同条件下,如果cache分区使用reiserfs文件系统,性能要比使用ext2的高出20%,所以我们将在cache分区中采用reiserfs文件系统。在上一步中,我们已经在内核中提供了对reiserfs的支持,下面我们要做的,就是将原来的cache分区重新格式化成reiserfs文件系统。
首先从ftp://ftp.namesys.com/pub/reiser ... progs-3.x.0j.tar.gz下载reiserfs文件系统相关工具reiserfsprogs,然后解开该文件:
tar xvzf reiserfsprogs-3.x.0j.tar.gz
进入新生成目录,执行:
./configure
make
make install
这将生成mkreiserfs、reiserfsck、debugreiserfs、resize_reiserfs四个reiserfs的工具。
完成后我们将reiserfs工具安装成功了。这时,假设原来的cache分区为/dev/sda7,所装载的目录为/cache,在对其格式化之前,我们要先umount 原来的分区:
umount /cahce
对分区格式化,我们执行:
mkreiserfs –h r5 /de/sda7
完成后我们修改/etc/fstab,将/cache一行改为:
/dev/sda7 /cache reiserfs notail,noatime 0 0
然后重启动。
四、 重新编译squid
经过大量的测试表明:squid-2.2.STABLE5+hno补丁的组合要比2.3或者是其他版本的squid都要稳定的多、效率也要高的多,如果您不相信可以自己化几天时间做一下测试。所以我们将采用这个版本的squid。
首先从http://www.squid-cache.org/Versions/v2/2.2/下载squid-2.2.STABLE5-src.tar.gz, 从http://prdownloads.sourceforge.net/squid/下载squid-2.2.STABLE5-hno.20000202.snapshot.gz补丁,然后分别解开这两个包:
tar xvzf squid-2.2.STABLE5-src.tar.gz
gunzip –d squid-2.2.STABLE5-hno.20000202.snapshot.gz
然后打补丁:
cd squid-2.2.STABLE5
patch –p1 < ../ squid-2.2.STABLE5-hno.20000202.snapshot
接下来,就可以开始编译squid了,在采用异步io(多线程模式)之外,我们本着这样一个原则:那就是去掉一切不需要的功能,如下所示:
./configure --prefix=/usr --exec_prefix=/usr --bindir=/usr/sbin --libexecdir=/usr/lib/squid --localstatedir=/var --sysconfdir=/etc/squid --mandir=/usr/share/man --enable-async-io=20 --disable-icmp --disable-delay-pools --disable-mem-gen-trace --disable-useragent-log --enable-kill-parent-hack --disable-arp-acl --enable-poll --disable-ident-lookups
make
make install
其中,--enable-async-io=20说明我们采用异步io,并采用18个线程。
编译通过后,我们就可以开始配置squid了。
五、 优化squid配置
以下是我的squid.conf及相关解释:
#取消对代理阵列的支持
icp_port 0
#对日志文件和pid文件位置进行设置
cache_store_log none
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
emulate_httpd_log on
pid_filename /var/run/squid.pid
#设置运行时的用户和组权限
cache_effective_user squid
cache_effective_group squid
#设置管理信息
visible_hostname proxy.yxtc.edu.cn
cache_mgr bye2000@yxtc.edu.cn
#设置监听地址和端口
http_port 3128
tcp_incoming_address x.x.x.x
udp_incoming_address x.x.x.x
#见下面补充说明
cache_mem 32 MB
cache_dir /cache 6000 14 256
#设置cache对象超时时间
reference_age 3 months
#访问控制设置
acl mynet src 192.168.1.0/255.255.255.0
acl all src 0.0.0.0/0.0.0.0
http_access allow mynet
http_access deny all
#透明代理设置
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
#swap 性能微调
half_closed_clients off
cache_swap_high 100%
cache_swap_low 80%
maximum_object_size 1024 KB
#见补充说明
refresh_pattern -i .html 1440 90% 129600 reload-into-ims
refresh_pattern -i .shtml 1440 90% 129600 reload-into-ims
refresh_pattern -i .hml 1440 90% 129600 reload-into-ims
refresh_pattern -i .gif 1440 90% 129600 reload-into-ims
refresh_pattern -i .swf 1440 90% 129600 reload-into-ims
refresh_pattern -i .jpg 1440 90% 129600 reload-into-ims
refresh_pattern -i .png 1440 90% 129600 reload-into-ims
refresh_pattern -i .bmp 1440 90% 129600 reload-into-ims
refresh_pattern -i .js 1440 90% 129600 reload-into-ims
补充说明:
1.cache_mem 32 MB
注意:cache_mem并不是squid所能使用内存的大小,而是squid用户hot object的物理内存的大小,所以这个值可以小一些。
2.cache_dir /cache 6000 14 256
对于第一级子目录和第二级子目录的计算方法,可以参考笔者以前的文章《用LINUX架设代理服务器(上)(中)(下)》;
3.refresh_pattern -i .html 1440 90% 129600 reload-into-ims等
这几句其实是强行控制对象的超时时间,这违反了http协议的精神,但是在带宽较窄的场合,可以提高明显系统相应时间。
4.注意/cache目录及日志文件的权限,其所有用户和所有组必须为squid;
5.可以采用rpm包的脚本/etc/rc.d/init.d/squid控制squid,也可以采用squid命令控制,具体可以参考squid –h