HTTP Anti-Virus Proxy

Hi,
Could some of the long-time users of HAVP in production environments here share their experiences on hardware specifications for a 1U rack running 32 bit Linux /w Gigabit LAN for medium enterprise use up to 250 users?

What about up to 500 users, or does setting up more HAVP servers and load balancing them seem a better idea with so many concurrent connections? What's the most users per server before performance starts to take a noticeable hit?

We're looking at using HAVP + 2 AV vendors including ClamAV at the gateway, with McAfee Enterprise on the Windows nodes. The machine will be running lighthttpd, BSD spamd, Frox, Privoxy, Squid and 2 AVs (using lib scanning) with HAVP. It's sole use will be scanning HTTP, FTP and SMTP/POP traffic.

Instead of the suggested Squid --> HAVP --> Squid sandwich, we're currently testing HAVP --> Privoxy --> Squid
Any comments on the proxy chaining are welcome, we simply like the performance of Privoxy, assuming we're not caching, of course.

What has been the bottleneck in terms of hardware performance in your experience?
It was suggested on a ClamAV list that the CPU is the most common bottleneck much before disk I/O (which I was a little surprised by). We're graphing performance on a slow test bed now to get an idea ourselves.

Does intelligent caching in Linux mean that using TmpFS/RAMdisk vs SATA/SCSI would not make a noticeable difference?
We're going to buy some racks to get our own numbers (assuming not scanning slower file types, skipping large file download scanning etc.) and would love suggestions for hardware starting points given (1-250) and (250-500) users:

1) Single vs Dual vs Quad core (Xeon's or newer Core2's)
2) 4 vs 8 vs 16/32/64 GB RAM (ECC perhaps?)
3) SATA vs SCSI vs Solid state disks
4) TmpFS/RAMfs vs HDD (for HAVP/AV scanner temp storage)

We'd like some feedback for an appropriate configuration before we actually commit the hardware and $$.

Well, not so surprisingly I've used it for a long time.. don't know how many others there are.

About 1200 users (ip addresses) use my Squid (~200 req/s) and 600 of them go through HAVP+ClamAV. That makes 1.2 million hits to HAVP each day. If you look at busiest hours, the average is 40 reqs/s. On my simple 2 x 2.8Ghz Opteron the average CPU load is just 10%, that's including Squid itself.

You could calculate that one scanner process takes some 10-20MB of resident memory, so that makes my ~100 processes eat a maximum of 2GB.

I do use heavy whitelisting of most popular sites like newspapers etc, there is no need to pass them to HAVP. Also you must whitelist streaming users/sites as current HAVP design doesn't handle well lots of streaming clients that take up a scanning slot for long time.



If you think about it, scanning mostly 1-100k sized files in fractions of a second doesn't leave much time to hit the disk from cache, does it? Only some metadata is written, depending on the filesystem.

I do use Solaris tmpfs, since it's there by default and works well. Some people have problems on Linux tmpfs, so might be safer not to use it.

Thanks for you inputs Hege.
We'll probably pick up a dual-core Opteron (IBM X326M @ 2.6Ghz), and upgrade its RAM to 2 GB.
Or should we just install 3-4 GB from the get-go?


Wait, you're running HAVP in a production environment on Solaris x86? What version?