Squid 3 Muito Lento
1. Squid 3 Muito Lento
aor.poa
(usa CentOS)
Enviado em 19/09/2014 - 14:23h
Boa tarde Pessoal,Sei que tem vários posts em fóruns inclusive aqui, mas nenhum consegui resolver meu problema sozinho por isso vim pedir ajuda.
Eu trabalhei um tempo com o CentOS 5 e Squid 2.7 transparente, nunca tive problema com o Squid até então.
Atualizei o meu servidor para o CentOS 6.5 com o Squid 3.1.10 (configurado de forma transparente).
É uma lentidão sem tamanho... tenho uma internet da GVT de 100MB.
Com o Squid rodando levo 2 minutos para abrir o terra quando não dá erro.
Com o Squid parado (mudando apenas a regra do firewall) ele abre na hora.
E isso não é só o site do Terra é em todos mas vou usar só este como exemplo.
Gostaria de uma ajuda para ver se tem como melhorar a performance do Squid 3.1.10 transparente no CentOS 6.5 porque do jeito que está não tem como continuar trabalhando, tanto que ele esta desativado.
Eu já limpei o cache refiz o cache mudei muita coisa no squid.conf e nada adiantou.
Este Servidor é usado somente Squid, Firewall e DHCP
Abaixo segue configuração do Servidor Squid.conf e Firewall
Configuração do Servidor:
2 Processadores Intel Xeon CPU E5310 1.60GHz com 4 Núcleo cada Totalizando 8 Núcleos com 4mb de cache cada
16gb de memória
4hd scsi de 73GB cada em RAID 0 (zero) Velocidade de cada disco 15K
----------------------------------------------------------------------------------------
Squid.conf
#########################
# Incio de configuracao #
#########################
http_port 3128 transparent
error_directory /usr/share/squid/errors/pt-br
cache_mem 532 MB
cache_dir aufs /var/spool/squid 16000 16 256
maximum_object_size_in_memory 64 KB
maximum_object_size 30000 KB
client_netmask 255.255.255.255
dns_nameservers 200.175.89.139 200.175.182.139 #DNS da GVT
############################################
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
mime_table /etc/squid/mime.conf
coredump_dir /var/spool/squid
############################################
memory_pools off
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
quick_abort_max 16 KB
quick_abort_pct 95
quick_abort_min 16 KB
request_header_max_size 20 KB
reply_header_max_size 20 KB
request_body_max_size 0 KB
############################################
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl redelocal src 192.168.10.0/24
acl SSL_ports port 443
acl Safe_ports port 21 80 8080
acl CONNECT method CONNECT
############################################
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
############################################
acl negapalavra2 url_regex -i "/etc/squid/negapalavra.txt"
#acl LimiteBanda url_regex -i "/etc/squid/LimiteBanda.txt"
acl LiberaIp src "/etc/squid/LiberaIp.txt"
acl BloqueiaIncra src "/etc/squid/BloqueiaIncra.txt"
acl LiberaBanda src "/etc/squid/LiberaBanda.txt"
acl LiberaSite url_regex -i "/etc/squid/LiberaSite.txt"
#cl LiberaIcra url_regex -i "/etc/squid/LiberaIcra.txt"
acl LiberaAtualizacao url_regex -i "/etc/squid/LiberaAtualizacao.txt"
acl SiteRelacionamento url_regex -i "/etc/squid/SiteRelacionamento.txt"
acl hora1 time 12:00-13:00
#acl manha time MTWHF 08:00-11:45
#acl tarde time MTWHF 13:15-17:30
############# Velocidade medida em Byte ( Ex 300 kiloByte ( kb ) = 307200 Byte) #############
delay_pools 2
delay_class 1 1
delay_parameters 1 -1/-1
delay_access 1 allow LiberaBanda
delay_class 2 1
#delay_parameters 2 10240/10240 #### 100 K
#delay_parameters 2 51200/51200 #### 500 K
#delay_parameters 2 102400/102400 #### 1 Mega
#delay_parameters 2 512000/512000 ### 5 Mega
#delay_parameters 2 1024000/1024000 ### 10 Mega
delay_parameters 2 5120000/5120000 ### 50 Mega
http_access allow LiberaAtualizacao
http_access allow LiberaIp
#http_access allow LiberaIcra
http_access deny BloqueiaIncra
http_access allow hora1 SiteRelacionamento
http_access allow LiberaSite
http_access deny negapalavra2
http_access allow redelocal
#http_access deny all
############################################
cache_mgr Server Squid
mail_program mail
cache_effective_user squid
cache_effective_group squid
httpd_suppress_version_string off
visible_hostname webmaster
----------------------------------------------------------------------------------------
Firewall:
#!/bin/bash
# Exclui todas as regras
iptables -t nat -F
iptables -t mangle -F
iptables -t filter -F
iptables -F
iptables -t nat -F
# Exclui cadeias customizadas
iptables -X
# Zera os contadores das cadeias
iptables -t nat -Z
iptables -t mangle -Z
iptables -t filter -Z
# Limpando tabelas
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F OUTPUT
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
# Define a polotica padrao do firewall
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
# Carregando modulos
modprobe ip_tables
modprobe ip_gre
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ip_nat_pptp
modprobe ip_conntrack_pptp
modprobe iptable_filter
modprobe iptable_mangle
modprobe iptable_nat
modprobe ipt_LOG
modprobe ipt_limit
modprobe ipt_state
modprobe ipt_owner
modprobe ipt_REJECT
modprobe ipt_MASQUERADE
# Protecao contra ataques
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
# Descarte de pacotes nao-identificado ICMP (ping)
iptables -A INPUT -m state -p icmp --state INVALID -j DROP
iptables -A OUTPUT -m state -p icmp --state INVALID -j DROP
iptables -A FORWARD -m state -p icmp --state INVALID -j DROP
# Contra Pings da morte (Aceita Ping acada 1 segundo)
iptables -t filter -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -t filter -A OUTPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -t filter -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# ATAQUE SMURF
iptables -A INPUT -p icmp --icmp-type 8 -j DROP
iptables -A OUTPUT -p icmp --icmp-type 8 -j DROP
iptables -A FORWARD -p icmp --icmp-type 8 -j DROP
# Contra DoS:
iptables -A INPUT -p tcp --syn -m limit --limit 2/s -j ACCEPT
iptables -A OUTPUT -p tcp --syn -m limit --limit 2/s -j ACCEPT
iptables -A FORWARD -p tcp --syn -m limit --limit 2/s -j ACCEPT
# Contra Port Scanners:
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A OUTPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
# Protecao contra IP spoofing
iptables -A INPUT -i eht0 -s 192.168.10.0/24 -j DROP
iptables -A FORWARD -i eth0 -s 192.168.10.0/24 -j DROP
iptables -A INPUT -i eth0 -s 127.0.0.0/24 -j DROP
iptables -A FORWARD -i eth0 -s 127.0.0.0/24 -j DROP
# Libera o INPUT para a interface loopback, ou seja, a propria maquina
iptables -A INPUT -i lo -j ACCEPT
#iptables -A OUTPUT -p tcp -s 127.0.0.1 -j ACCEPT
# Compartilha Internet
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#########################################
# LIBERANDO SAMBA PARA A REDE #
#########################################
#Liberando o Samba para a rede 192.168.10.0/24
iptables -A INPUT -p tcp -i eth1 -s 192.168.10.0/24 --dport 139 -j ACCEPT
iptables -A INPUT -p tcp -i eth1 -s 192.168.10.0/24 --dport 445 -j ACCEPT
iptables -A INPUT -p udp -i eth1 -s 192.168.10.0/24 --dport 137 -j ACCEPT
iptables -A INPUT -p udp -i eth1 -s 192.168.10.0/24 --dport 138 -j ACCEPT
iptables -A OUTPUT -p tcp -s 192.168.10.0/24 --dport 139 -j ACCEPT
iptables -A OUTPUT -p tcp -s 192.168.10.0/24 --dport 445 -j ACCEPT
iptables -A OUTPUT -p udp -s 192.168.10.0/24 --dport 137 -j ACCEPT
iptables -A OUTPUT -p udp -s 192.168.10.0/24 --dport 138 -j ACCEPT
#Bloqueando Samba para o restantes dos ips
iptables -A INPUT -p tcp -s 0/0 --dport 139 -j DROP
iptables -A INPUT -p tcp -s 0/0 --dport 445 -j DROP
iptables -A INPUT -p udp -s 0/0 --dport 137 -j DROP
iptables -A INPUT -p udp -s 0/0 --dport 138 -j DROP
iptables -A OUTPUT -p tcp -s 0/0 --dport 139 -j DROP
iptables -A OUTPUT -p tcp -s 0/0 --dport 445 -j DROP
iptables -A OUTPUT -p udp -s 0/0 --dport 137 -j DROP
iptables -A OUTPUT -p udp -s 0/0 --dport 138 -j DROP
#########################################
# LIBERANDO DHCP PARA A REDE #
#########################################
#Liberando o DCHP para a rede interna
iptables -A INPUT -p tcp -s 192.168.10.0/24 --dport 67 -j ACCEPT
iptables -A INPUT -p udp -s 192.168.10.0/24 --dport 67 -j ACCEPT
iptables -A OUTPUT -p tcp -s 192.168.10.0/24 --dport 67 -j ACCEPT
iptables -A OUTPUT -p udp -s 192.168.10.0/24 --dport 67 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.10.0/24 --dport 67 -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.10.0/24 --dport 67 -j ACCEPT
#Bloqueado para as demais
iptables -A INPUT -p tcp -s 0/0 --dport 67 -j DROP
iptables -A INPUT -p udp -s 0/0 --dport 67 -j DROP
iptables -A OUTPUT -p tcp -s 0/0 --dport 67 -j DROP
iptables -A OUTPUT -p udp -s 0/0 --dport 67 -j DROP
iptables -A FORWARD -p tcp -s 0/0 --dport 67 -j DROP
iptables -A FORWARD -p udp -s 0/0 --dport 67 -j DROP
#########################
# INPUT #
#########################
#Liberando portas de entrada TCP
iptables -A INPUT -p tcp --destination-port 22 -j ACCEPT #SSH
iptables -A INPUT -p tcp --destination-port 53 -j ACCEPT #DNS
iptables -A INPUT -p tcp --destination-port 80 -j ACCEPT #HTTP
iptables -A INPUT -p tcp --destination-port 443 -j ACCEPT #HTTPS
#Liberando Portas de entrada UDP
iptables -A INPUT -p udp --destination-port 53 -j ACCEPT #DNS
# Permissao para conexoes pre estabelecidas
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#########################
# INPUT -FIM- #
#########################
#########################
# OUTPUT #
#########################
#Liberando portas de saida TCP
iptables -A OUTPUT -p tcp --destination-port 22 -j ACCEPT #SSH GERAL
iptables -A OUTPUT -p tcp --destination-port 80 -j ACCEPT #HTTP
iptables -A OUTPUT -p tcp --destination-port 443 -j ACCEPT #HTTPS
#Liberando Portas de saida UDP
iptables -A OUTPUT -p udp --destination-port 53 -j ACCEPT #DNS
# Permissao para conexoes pre estabelecidas
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#########################
# OUTPUT -FIM- #
#########################
#########################
# FORWARD #
#########################
iptables -A FORWARD -p tcp --destination-port 53 -j ACCEPT #DNS
iptables -A FORWARD -p tcp --destination-port 80 -j ACCEPT #HTTP
iptables -A FORWARD -p tcp --destination-port 110 -j ACCEPT #POP3
iptables -A FORWARD -p tcp --destination-port 443 -j ACCEPT #HTTPS
iptables -A FORWARD -p tcp --destination-port 587 -j ACCEPT #SMTP SUBMISSION
iptables -A FORWARD -p tcp --destination-port 1863 -j ACCEPT #PORTA DO MSN
iptables -A FORWARD -p tcp --destination-port 2222 -j ACCEPT #PORTA DO MSN
iptables -A FORWARD -p tcp -d 192.168.10.0/24 --destination-port 3128 -j ACCEPT #PORTA DO SQUID
#Liberando portas de saida udp dos computadores da rede
iptables -A FORWARD -p udp --destination-port 53 -j ACCEPT #DNS
iptables -A FORWARD -p udp --destination-port 587 -j ACCEPT #SMTP SUBMISSION
# Permissao para conexoes pre estabelecidas
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
#########################
# FORWARD -FIM- #
#########################
#################
# NAT #
#################
#NAT TCP
#Proxy Transparente
#iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
#########################
# NAT -FIM- #
#########################
iptables -A INPUT -p tcp --syn -j DROP
iptables -A OUTPUT -p tcp --syn -j DROP
iptables -A FORWARD -p tcp --syn -j DROP
Fico Grato pela ajuda.
Att
Alexandre Rodrigues