Navegaçao as vezes lenta com Squid e Dansguardian

1. Navegaçao as vezes lenta com Squid e Dansguardian

SK5_RJ
(usa Debian)

Enviado em 17/02/2014 - 20:16h

Olá Amigos recentemente eu implementei o Dansguargian e o Squid3(com a ajuda do VOL) na empresa onde eu trabalho e tive resultado bem positivo, porem em alguns momentos a rede da uma parada repentina e volta depois de um tempo.

Dados:
Cerca de 60 micros, link de 120 Mbps
FAst Ethenert ( Chef ainda nao autorizou a compra de Switches gigabits para aproveitarmos 100% do link para navegar) será que da gargalo com a fast Ethernet? algo como paralisar o acesso por instantes...., creio que nao pois utilizávamos anteriormente e nunca ocorreu isto. mas vamos la, abaixo postarei as confs.

Utilizo uma maquina COm 8gb I5 500 HD MOBO GA-B75M-D3h (sei que nao é um server de verdade mas para o que é tem desempenho de sobra).
Bem amigos, onde trabalho é muito corrido e nao tive tempo ainda de vericar logs por log pois tivemos varios acessos indevidos e varios constrangimentos com clientes visualizando(flagrando)pornografia no pc de funcionários entao implementei as pressas, ate entao eu so utilizava o Squid mas adorei as funcionalidades do DG.

Po pessoal alguem ja passou por algo parecido?

DANSGUARDIAN>>>>


#REPORT
reportinglevel = 3

#IDIOMA
languagedir = '/etc/dansguardian/languages'
language = 'ptbrazilian'

#LOGs
loglevel = 3
logexceptionhits = 2
logfileformat = 3

loglocation = '/var/log/dansguardian/access.log'

# Network Settings
filterip = 
filterport = 8080
proxyip = 127.0.0.1
proxyport = 3128

nonstandarddelimiter = on

#IMAGENS BLOQUEADAS
usecustombannedimage = on
custombannedimagefile = '/usr/share/dansguardian/transparent1x1.gif'

# Filter groups options
filtergroups = 1
filtergroupslist = '/etc/dansguardian/lists/filtergroupslist'

# Authentication files location
bannediplist = '/etc/dansguardian/lists/bannediplist'
exceptioniplist = '/etc/dansguardian/lists/exceptioniplist'

#PALAVRAS - PESO
showweightedfound = on
weightedphrasemode = 2

# Positive (clean) result caching for URLs
urlcachenumber = 1000

# Age before they are stale and should be ignored in seconds
urlcacheage = 900

# Clean cache for content (AV) scan results
scancleancache = on

#Smart, Raw and Meta/Title phrase content filtering options
phrasefiltermode = 2

# Lower casing options / 0 = force lower case (default)
preservecase = 0

# Hex decoding options
hexdecodecontent = off

# Force Quick Search rather than DFA search algorithm
forcequicksearch = off

# Reverse lookups for banned site and URLs.
reverseaddresslookups = off

# Reverse lookups for banned and exception IP lists.
reverseclientiplookups = off

# Perform reverse lookups on client IPs for successful requests.
logclienthostnames = off

# Build bannedsitelist and bannedurllist cache files.
createlistcachefiles = on

# POST protection (web upload and forms)
maxuploadsize = -1

# Max content filter size
maxcontentfiltersize = 256

# Max content ram cache scan size
maxcontentramcachescansize = 2000

# Max content file cache scan size
maxcontentfilecachescansize = 20000

# File cache dir
filecachedir = '/tmp'

# Delete file cache after user completes download
deletedownloadedtempfiles = on

# Initial Trickle delay
initialtrickledelay = 20

# Trickle delay
trickledelay = 10

# Download Managers
downloadmanager = '/etc/dansguardian/downloadmanagers/fancy.conf'
downloadmanager = '/etc/dansguardian/downloadmanagers/default.conf'

# Content scanner timeout
contentscannertimeout = 60

# Content scan exceptions
contentscanexceptions = off

# Auth plugins
authplugin = '/etc/dansguardian/authplugins/proxy-basic.conf'
authplugin = '/etc/dansguardian/authplugins/ip.conf'

# Re-check replaced URLs
recheckreplacedurls = off

# Misc settings
forwardedfor = off
usexforwardedfor = off
logconnectionhandlingerrors = on

# Fork pool options
logchildprocesshandling = off
maxchildren = 120
minchildren = 8
minsparechildren = 4
preforkchildren = 6
maxsparechildren = 32
maxagechildren = 500

# Sets the maximum number client IP addresses allowed to connect at once.
maxips = 0

# IPC filename
ipcfilename = '/tmp/.dguardianipc'

# URL list IPC filename
urlipcfilename = '/tmp/.dguardianurlipc'

# IP list IPC filename
ipipcfilename = '/tmp/.dguardianipipc'

# PID filename
nodaemon = off

# Disable logging process
nologger = off

# Enable logging of "ADs" category blocks
logadblocks = on

# Enable logging of client User-Agent
loguseragent = off

# Soft restart
softrestart = off

SQUID3


#------------------------------------------------------------------
acl manager proto cache_object
acl redelocal src 192.168.0.0/24
acl localhost src 127.0.0.1/32
#------------------------------------------------------------------
dns-nameservers 8.8.8.8
dns-nameservers 8.8.4.4
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl Safe_ports port 5000 # VPN
#------------------------------------------------------------------
acl CONNECT method CONNECT
acl purge method PURGE
#update--------------------------
#acl permitido url_regex -i "/etc/squid3/permitido.txt"
#acl restrito url_regex -i "/etc/squid3/restrito.txt"

#------------------------------------------------------------------
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
#------------------------------------------------------------------
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

#update--------------------

#http_access allow permitido
#http_access deny restrito
#------------------------------------------------------------------
http_access allow redelocal
http_access allow localhost
#------------------------------------------------------------------
http_access deny all
#------------------------------------------------------------------
http_port 3128 intercept
#------------------------------------------------------------------
cache_mem 2000 MB
#------------------------------------------------------------------
maximum_object_size_in_memory 512 KB
#------------------------------------------------------------------
memory_replacement_policy heap GDSF
#------------------------------------------------------------------
cache_replacement_policy heap LFUDA
#------------------------------------------------------------------
cache_dir aufs /var/spool/squid3 40048 16 256
#------------------------------------------------------------------
maximum_object_size 4 GB
minimum_object_size 0 KB

#------------------------------------------------------------------
cache_swap_low 93
cache_swap_high 97
#------------------------------------------------------------------
access_log /var/log/squid3/access.log squid
#------------------------------------------------------------------
cache_store_log none
#------------------------------------------------------------------
mime_table /usr/share/squid3/mime.conf
#------------------------------------------------------------------
cache_log /var/log/squid3/cache.log
#------------------------------------------------------------------
coredump_dir /var/spool/squid3
#------------------------------------------------------------------
refresh_pattern ^ftp:            1440   20%   10080
refresh_pattern ^gopher:         1440   0%   1440
refresh_pattern -i (/cgi-bin/|\?)        0   0%   0
refresh_pattern (Release|Packages(.gz)*)$   0   20%     2880
refresh_pattern .             0   20%   4320
refresh_pattern -i \.(gif|png|jpg|jpeg|ico|bmp)$ 260000 90% 260009 override-expire
refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv|mpg|wma|ogg|wmv|asx|asf)$ 260000 90% 260009  override-expire
refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff|pdf|uxx)$ 260000 90% 260009 override-expire
refresh_pattern -i \.index.(html|htm)$ 1440 90% 40320
refresh_pattern -i \.(html|htm|css|js)$ 1440 90% 40320

#fazer cache do windows update
refresh_pattern windowsupdate.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
refresh_pattern download.microsoft.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
refresh_pattern www.microsoft.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
refresh_pattern au.download.windowsupdate.com/.*\.(cab|exe|dll|msi) 4320 100% 43200 reload-into-ims
refresh_pattern msgruser.dlservice.microsoft.com/.*.(cab|exe|msi) 10080 100% 43200 reload-into-ims 
refresh_pattern download.windowsupdate.com/.*\.(cab|exe|dll|msi) 4320 100% 43200 reload-into-ims
refresh_pattern update.microsoft.com/.*\.(cab|exe|dll|msi) 4320 100% 43200 reload-into-ims
#_______________________
cache_mgr ti_01@canadense.com.br
#_______________________
visible_hostname Debianserver
#_______________________
detect_broken_pconn on
#_______________________
global_internal_static on
#_______________________
error_directory /usr/share/squid3/errors/Portuguese
#_______________________
memory_pools on
memory_pools_limit 32 MB
#_______________________
pipeline_prefetch on
#_______________________

Parte do IPTABLES


#! /bin/bash
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F
iptables -t mangle -F
modprobe ip_tables
modprobe iptable_nat
modprobe ipt_string

echo "1" > /proc/sys/net/ipv4/ip_forward
#iptables -I FORWARD -m string --algo bm --string "facebook.com" -j DROP
#iptables -I OUTPUT -m string --algo bm --string "facebook.com" -j DROP
#iptables -I FORWARD -m string --algo bm --string "login.live.com" -j DROP
#iptables -I OUTPUT -m string --algo bm --string "login.live.com" -j DROP
#iptables -I FORWARD -m string --algo bm --string "twitter.com" -j DROP
#iptables -I OUTPUT -m string --algo bm --string "twitter.com" -j DROP

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 8080
#iptables -A INPUT -p tcp --dport 3128 -i eth2 -j ACCEPT #Proxy
#iptables -A INPUT -p tcp --dport 80 -i eth2 -j ACCEPT #HTTP
#iptables -A INPUT -p tcp --dport 21 -i eth2 -j ACCEPT #FTP
#iptables -A INPUT -p tcp --dport 53 -i eth2 -j ACCEPT #DNS
#iptables -A INPUT -p udp --dport 53 -i eth2 -j ACCEPT #DNS
#iptables -A INPUT -p tcp --dport 25 -i eth2 -j ACCEPT #SMTP
#iptables -A INPUT -p tcp --dport 110 -i eth2 -j ACCEPT #SSL
#iptables -A INPUT -p udp --dport 110 -i eth2 -j ACCEPT #SSL
#iptables -A INPUT -p tcp --dport 80 -i eth2 -j ACCEPT #SSL
##iptables -A INPUT -p udp --dport 80 -i eth2 -j ACCEPT #SSL
#iptables -A INPUT -p tcp --dport 443 -i eth2 -j ACCEPT #SSL
#iptables -A INPUT -p udp --dport 443 -i eth2 -j ACCEPT #SSL

#(tentativa de corrigir o Dansguardian)  iptables -t nat -A PREROUTING -p tcp -m multiport -s 192.168.0.0/24 --dport 3128 -j REDIRECT --to-ports 8080


#iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
#iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p udp --dport 80 -j REDIRECT --to-port 3128

#iptables -t nat -A PREROUTING -p tcp -m multiport -s 192.168.0.0/24 --dport 3128 -j REDIRECT --to-ports 8080

iptables -A INPUT -i eth2 -p tcp --dport 8080 -j ACCEPT

#iptables -A INPUT -p tcp --dport 10000 -j ACCEPT
iptables -A INPUT -p tcp --dport 4363 -j ACCEPT
 
iptables -A OUTPUT -s 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -d 192.168.0.0/24 -j ACCEPT
 

#iptables -t filter -A FORWARD -p tcp --dport 8443 -j ACCEPT
#iptables -t filter -A FORWARD -p tcp --dport 443 -j ACCEPT