Skip to content

Squid Proxy is Slow

Sometimes browsing through Squid proxy integrated with Web Safety may seem to be slow. This article will try to show some possible steps to remedy this situation.

Check Basic Network Connectivity

To ensure the problem of slowness of proxy is not in your network being slow by itself, check the basic downloading speed using wget or curl programs running on the proxy box. The following article at serverfault.com may also be helpful.

Usually the ping/tracert/wget tests might reveal possible network problems. The following shows typical output of the fast proxy box.

root@node12:~# ping fast.com
PING fast.com (23.216.240.121) 56(84) bytes of data.
64 bytes from a23-216-240-121.deploy.static.akamaitechnologies.com (23.216.240.121): icmp_seq=1 ttl=58 time=12.2 ms
64 bytes from a23-216-240-121.deploy.static.akamaitechnologies.com (23.216.240.121): icmp_seq=2 ttl=58 time=11.8 ms
64 bytes from a23-216-240-121.deploy.static.akamaitechnologies.com (23.216.240.121): icmp_seq=3 ttl=58 time=9.77 ms

--- fast.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 9.771/11.280/12.249/1.084 ms

root@node12:~# wget -d fast.com
URL transformed to HTTPS due to an HSTS policy
--2020-08-31 15:42:40--  https://fast.com/
Resolving fast.com (fast.com)... 23.216.240.121, 2a02:26f0:d7:3b1::24fe
Connecting to fast.com (fast.com)|23.216.240.121|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 25650 (25K) [text/html]
Saving to: ‘index.html.3’

index.html.3               100%[=====>]  25.05K  --.-KB/s    in 0.007s

2020-08-31 15:42:40 (3.46 MB/s) - ‘index.html.3’ saved [25650/25650]

DNS Lookup Speed

Check the speed of DNS server that Squid uses. There are two places in Web Safety Admin UI that can help with this. First the DNS lookup speed can be seen in the Admin UI / Dashboard / Squid tab as indicated on the following screenshot. The values shall be close to zero.

Squid DNS Speed Dashboard

Then check the internal DNS statistics of Squid, using Admin UI / Squid / General / Runtime Info / DNS (or manually in terminal console using squidclient mgr:idns command). The DNS queue shall be empty proving DNS responses are quick. Also check the number of DNS errors are minimal as indicated on the following screenshot.

Squid DNS Speed Table

If DNS servers indeed are slow, try to deploy DNS caching server, as described in the article DNS Caching Server.

Check CPU and RAM Usage

Web filtering is quite CPU intensive process so it requires powerful CPUs. It might be you are hitting the limits of the available hardware. This can be checked by running htop command on the proxy box and analyzing the CPU usage of squid and wsicapd processes. The more users are using the proxy, the more CPU resources will be consumed. If CPU is close to 100% you might need to consider upgrading the hardware or adding more virtual CPUs to the virtual appliance. Typical output is shown at the following screenshot.

CPU Usage htop

Check Swap

If you have enabled Squid's cache, check that proxy box has enough free RAM available. If system goes into swap generally it means serious freezing of all activities, including web filtering.

Deploy Cluster of Web Safety

Another possible way to distribute the load is to deploy a cluster of Web Safety appliances as explained in this article.

Check Active Directory Integration

If proxy is integrated with Microsoft Active Directory it means Web Safety needs to perform user/group matching for every request that comes from the browser. The domain controllers configured on Admin UI / Squid / Auth / Active Directory Integration need to be correct, click the Test Connection button to see that everything runs quickly. Generally the response for the connection test shall be instant.

Test AD Connection

Check Squid Logs

Be sure to also check the contents of the Squid's cache log in Admin UI / Squid / Logs / Cache Log, it might show some problems with configuration (routing, traffic redirection, incorrect Safe Browsing API keys, eCAP ClamAV antivirus, etc).

Check Safe Browsing and Antivirus Logs

If you have enabled Anti-Virus or Safe Browsing scanning on the proxy box, please see is there anything in the Admin UI / Antivirus / Safe Browser / Logs.