Squid muito lento

jptudobem
(usa Debian)

Enviado em 07/02/2014 - 10:22h

Salve galera,
estou com um servidor Proxy 3.4 compilado na unha, sem o mesmo fazer o trabalho de router, ou seja, sem firewall, proxy puro.
Estou tendo relatos de lentidão esporádicas, principalmente em sites https. Segue minha conf:

################################################# AUTENCIACAO ######################################################
auth_param basic program /usr/lib/squid/basic_ldap_auth -R -b "dc=teste,dc=local" -D squid@teste.local -W /etc/squid/ldappass.txt -f sAMAccountName=%s -h 192.168.200.200
auth_param basic children 10
auth_param basic realm DIGITE SEU LOGIN E SENHA:
auth_param basic credentialsttl 2 hours
####################################################################################################################


external_acl_type ldap_group ttl=600 children-max=35 ipv4 %LOGIN /usr/lib/squid/ext_ldap_group_acl -R -b "dc=teste,dc=local" -D squid@teste.local -W /etc/squid/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=Grupos,ou=INTERNET,ou=ESCRITORIO,ou=BH,ou=EMPRESA,dc=teste,dc=local))" -h 192.168.200.200

acl localnet src 192.168.200.0/24
acl to_localnet dst 192.168.200.0/24

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http

### WINDOWS UPDATE

acl windowsupdate dstdom_regex -n -i "/etc/squid/winupdate.acl"

#################### ACL's AQUI ############################

acl CONNECT method CONNECT
range_offset_limit 500 MB windowsupdate
http_access allow windowsupdate
acl auth proxy_auth REQUIRED
acl one_ip_access max_user_ip -s 2
acl bancos dstdom_regex -n -i "/etc/squid/bancos.acl"
acl almoco time MTWHFAS 12:00-14:00
acl redes_sociais dstdom_regex -n -i "/etc/squid/redes_sociais.acl"
acl g_acesso_total external ldap_group GG_ACESSO_TOTAL
acl g_acesso_padrao external ldap_group GG_ACESSO_PADRAO
acl g_acesso_restrito external ldap_group GG_ACESSO_RESTRITO
acl g_redes_sociais external ldap_group GG_REDES_SOCIAIS

###########################################################

always_direct allow bancos
cache deny bancos
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet to_localnet
http_access allow localhost

###################### REGRAS AQUI ########################

http_access allow g_acesso_total
http_access allow almoco redes_sociais
http_access allow g_redes_sociais
http_access deny redes_sociais
http_access allow g_acesso_padrao

###########################################################

http_access deny !auth
http_access deny one_ip_access
http_access allow auth
http_access deny all

#icp_access allow localnet
#icp_access deny all

###########################################################

dns_nameserver 208.67.222.222 208.67.220.220
cache_mem 1024 MB
maximum_object_size_in_memory 512 KB
maximum_object_size 500 MB
minimum_object_size 0 KB
cache_swap_low 90
cache_swap_high 95
cache_mgr contato@jwit.com.br
cachemgr_passwd none
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_dir aufs /cache/squid/1 2048 16 256
cache_dir aufs /cache/squid/2 2048 16 256
cache_dir aufs /cache/squid/3 2048 16 256
memory_pools off
quick_abort_min 0 KB
quick_abort_max 0 KB
log_icp_queries off
client_db off
buffered_logs on
half_closed_clients off
forward_timeout 15 seconds
connect_timeout 15 seconds
peer_connect_timeout 10 seconds
visible_hostname Proxy
access_log stdio:/var/log/squid/access.log
cache_access_log stdio:/var/log/squid/cache_access.log
coredump_dir /cache/squid
cache_store_log none
logfile_rotate 10
forwarded_for off
error_directory /usr/share/squid/errors/pt-br

http_port 3128

## CACHE WINDOWS UPDATE ##
refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern download.microsoft.com/.*\.(cab|exe|dll|msi|psf) 10080 100% 43200 reload-into-ims
refresh_pattern http://www.download.microsoft.com/.*\.(cab|exe|dll|msi|psf) 10080 100% 43200 reload-into-ims
refresh_pattern http://www.microsoft.com/.*\.(cab|exe|dll|msi|psf) 10080 100% 43200 reload-into-ims
refresh_pattern au.download.windowsupdate.com/.*\.(cab|exe|dll|msi|psf) 4320 100% 43200 reload-into-ims
refresh_pattern download.windowsupdate.com/.*\.(cab|exe|dll|msi|psf) 4320 100% 43200 reload-into-ims
refresh_pattern cache.pack.google.com/.*\.(cab|exe|dll|msi|psf) 4320 100% 43200 reload-into-ims
refresh_pattern http://www.update.microsoft.com/.*\.(cab|exe|dll|msi|psf) 10080 100% 43200 reload-into-ims
refresh_pattern wwww.download.windowsupdate.com/.*\.(cab|exe|dll|msi|psf) 10080 100% 43200 reload-into-ims


## CACHE SKYPE ##
refresh_pattern download.skype.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims

## CACHE CHROME ##
refresh_pattern cache.pack.google.com/.*\.(cab|exe|dll|msi|dmg) 10080 100% 43200 reload-into-ims

## CACHE MIDIA ##
refresh_pattern -i \.(mp3|mp4|m4a|ogg|mov|avi|wmv|flv)$ 10080 90% 999999 ignore-no-cache override-expire ignore-private

hierarchy_stoplist cgi-bin ?
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
 

Já fiz o teste tirando a autenticação, mas continuando sem ser transparente e os relatos são os mesmos.
Alguma noção do que pode ser?

Valeu!

jptudobem
(usa Debian)

Enviado em 07/02/2014 - 10:27h

Já verifiquei o uso de disco, memória e processador, todos parecem nem estar sendo utilizados. É um ambiente de 7 computadores.

px
(usa Debian)

Enviado em 07/02/2014 - 10:45h

Bom este dns_nameserver geralmente deixa o squid mais lento. Você compilou o squid com suporte a ssl? qual a velocidade das suas placas de rede /10 /100...??

Veja se há algum log no squid na hora deste problema, tanto no acess quando no cache. Quais flags você usou para compilar o squid? pode ter faltado alguma relativa a esta autenticação.

jptudobem
(usa Debian)

Enviado em 07/02/2014 - 11:03h

Tenho o bind instalado também, já usei sem a diretiva dns_nameserves.
Minhas placa é /1000.
Compilado com suporte a SSL.

Parâmetros:

--enable-ssl --enable-ssl-crtd --enable-linux-netfilter --enable-ipf-transparent \
--enable-async-io \
--enable-icmp \
--enable-useragent-log \
--enable-snmp \
--enable-cache-digests \
--enable-follow-x-forwarded-for \
--with-maxfd=16384 \
--enable-poll \
--disable-ident-lookups \
--enable-truncate \
--exec-prefix=/usr \
--bindir=/usr/sbin \
--prefix=/usr \
--localstatedir=/var \
--srcdir=. \
--includedir=/usr/include \
--datadir=/usr/share/squid \
--libexecdir=/usr/lib/squid \
--sysconfdir=/etc/squid \
--mandir=/usr/share/man \
--with-default-user=squid \
--with-logdir=/var/log/squid \
--with-pidfile=/var/run/squid.pid \
--enable-delay-pools \
--enable-eui \
--enable-snmp \
--enable-err-language="Portuguese" \
--enable-default-err-language="Portuguese" \
--enable-storeio="aufs,diskd,ufs" \
--enable-snmp \
--enable-removal-policies="heap,lru" \
--enable-cache-digests \
--enable-underscores \
--enable-auth-digest="file,LDAP,eDirectory" \
--enable-external-acl-helpers="file_userip,unix_group,wbinfo_group,kerberos_ldap_group,LDAP_group,SQL_session,AD_group,LM_group,session" \
--enable-auth-ntlm="fake,smb_lm,SSPI" \
--enable-auth-negotiate="kerberos,SSPI,wrapper" \
--enable-auth-basic="getpwnam,NCSA,MSNT,PAM,LDAP,RADIUS,fake,DB" \
--enable-auth
 

jptudobem
(usa Debian)

Enviado em 07/02/2014 - 11:08h

Esqueci de dizer, está rodando em um Centos 6.5 x64

px
(usa Debian)

Enviado em 07/02/2014 - 15:25h

Qual a frequência desta lentidão? to achando que é culpa de outro ponto da rede, pois o proxy ao meu ver esta bem configurado e compilado.

px
(usa Debian)

Enviado em 07/02/2014 - 15:34h

Também pode parecer bobeira mas tente mover a "acl CONNECT method CONNECT" e http_access abaixo das portas junto com a liberação ficando assim:

[...]
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access deny CONNECT !SSL_ports
[...]