Enviado em 07/02/2014 - 10:22h
Salve galera,
################################################# AUTHENTICATION ###################################################
# Basic proxy authentication, validated by the LDAP helper against 192.168.200.200.
# The helper binds as squid@teste.local (-D), reads the bind password from /etc/squid/ldappass.txt (-W)
# and searches under dc=teste,dc=local (-b) for an entry whose sAMAccountName equals the login (-f).
# NOTE(review): Basic credentials are only base64-encoded between browser and proxy, and -h with no
# TLS option presumably means a cleartext LDAP bind. Confirm whether -Z (TLS) or an ldaps:// URI
# via -H can be used against this directory.
# NOTE(review): ldappass.txt holds a directory bind password. It should be readable only by the
# account the Squid helpers run as, and the bind account should need no more than read access.
auth_param basic program /usr/lib/squid/basic_ldap_auth -R -b "dc=teste,dc=local" -D squid@teste.local -W /etc/squid/ldappass.txt -f sAMAccountName=%s -h 192.168.200.200
auth_param basic children 10
auth_param basic realm DIGITE SEU LOGIN E SENHA:
# A validated login is trusted for 2 hours before the helper is asked again, so a changed password
# or a disabled account can keep working at the proxy for up to that long.
auth_param basic credentialsttl 2 hours
####################################################################################################################
# Group-membership helper used by the "external ldap_group" ACLs. %LOGIN passes the authenticated
# user name; the filter requires the person entry to be a direct member of cn=<group> under
# ou=Grupos,ou=INTERNET,ou=ESCRITORIO,ou=BH,ou=EMPRESA. Answers are cached for ttl=600, so a group
# change in the directory takes up to that long to be seen by the proxy.
# It uses the same bind account and password file as the authentication helper above.
external_acl_type ldap_group ttl=600 children-max=35 ipv4 %LOGIN /usr/lib/squid/ext_ldap_group_acl -R -b "dc=teste,dc=local" -D squid@teste.local -W /etc/squid/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=Grupos,ou=INTERNET,ou=ESCRITORIO,ou=BH,ou=EMPRESA,dc=teste,dc=local))" -h 192.168.200.200
# Source and destination views of the internal network.
acl localnet src 192.168.200.0/24
acl to_localnet dst 192.168.200.0/24
# Ports the proxy may connect to; CONNECT tunnels are limited to SSL_ports by a later rule.
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
### WINDOWS UPDATE
# Destination host names matched against the regex list in /etc/squid/winupdate.acl (-i: case-insensitive).
acl windowsupdate dstdom_regex -n -i "/etc/squid/winupdate.acl"
#################### ACLs HERE ############################
acl CONNECT method CONNECT
range_offset_limit 500 MB windowsupdate
# NOTE(review): this is the first http_access line in the file. It is evaluated before the
# Safe_ports/CONNECT checks and before any authentication, and it carries no source restriction,
# so any client that can reach the proxy port may fetch hosts matching winupdate.acl.
# Consider "http_access allow localnet windowsupdate" and keep the regex list tightly anchored.
http_access allow windowsupdate
# Matches any request that carries valid proxy credentials.
acl auth proxy_auth REQUIRED
# Matches when one user name is in use from more than 2 client IP addresses (-s: strict mode).
acl one_ip_access max_user_ip -s 2
acl bancos dstdom_regex -n -i "/etc/squid/bancos.acl"
# Lunch window, 12:00-14:00 on every day of the week.
acl almoco time MTWHFAS 12:00-14:00
acl redes_sociais dstdom_regex -n -i "/etc/squid/redes_sociais.acl"
# Directory groups resolved through the ldap_group external helper.
acl g_acesso_total external ldap_group GG_ACESSO_TOTAL
acl g_acesso_padrao external ldap_group GG_ACESSO_PADRAO
# NOTE(review): g_acesso_restrito is defined here but no http_access line in this file refers to it.
acl g_acesso_restrito external ldap_group GG_ACESSO_RESTRITO
acl g_redes_sociais external ldap_group GG_REDES_SOCIAIS
###########################################################
# Banking sites are fetched directly and never stored in the cache.
always_direct allow bancos
cache deny bancos
# Baseline protections: refuse unusual destination ports and CONNECT tunnels to anything but 443.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Cache manager is reachable from the proxy host only.
# NOTE(review): "localhost" and "manager" are not defined in this file; presumably the Squid
# version in use provides them as built-in ACLs. Confirm.
http_access allow localhost manager
http_access deny manager
http_access allow localnet to_localnet
http_access allow localhost
###################### RULES HERE ########################
# http_access is first-match-wins, so the order below is the policy.
# NOTE(review): none of the allow rules below is combined with the localnet ACL. Unless a firewall
# limits who can reach the proxy port, clients outside 192.168.200.0/24 are handled by the same
# rules; a "http_access deny !localnet" placed before this section would close that.
# The g_* ACLs depend on %LOGIN, so evaluating the first of them is what triggers the login prompt.
http_access allow g_acesso_total
# NOTE(review): members of GG_ACESSO_TOTAL never reach the social-network or one_ip_access rules.
# During the lunch window, social-network hosts are allowed for every user that got past the line above.
http_access allow almoco redes_sociais
http_access allow g_redes_sociais
http_access deny redes_sociais
http_access allow g_acesso_padrao
###########################################################
http_access deny !auth
# NOTE(review): this limit only applies to users who were not already allowed by a group rule
# above, so GG_ACESSO_TOTAL and GG_ACESSO_PADRAO accounts can be used from any number of IPs.
# Move it above the group rules if credential sharing should be limited for everyone.
http_access deny one_ip_access
# NOTE(review): any authenticated user is allowed here, including GG_ACESSO_RESTRITO members and
# users in no group at all, so group membership only decides social-network access in practice.
http_access allow auth
http_access deny all
#icp_access allow localnet
#icp_access deny all
###########################################################
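# Resolvers used by Squid instead of the ones in /etc/resolv.conf.
# Fixed: the directive name is dns_nameservers (plural). The original singular spelling
# "dns_nameserver" is not a Squid directive, so these resolvers were not being applied.
dns_nameservers 208.67.222.222 208.67.220.220
# Memory cache size and object size limits.
cache_mem 1024 MB
maximum_object_size_in_memory 512 KB
maximum_object_size 500 MB
minimum_object_size 0 KB
# Disk cache eviction starts at 90% usage and becomes aggressive at 95%.
cache_swap_low 90
cache_swap_high 95
cache_mgr contato@jwit.com.br
# NOTE(review): no action list follows the password value, so confirm what this line is meant to
# cover. "none" means no password is required; prefer a real password, or "disable", for sensitive
# cache manager actions. Access to the manager is otherwise limited by the http_access rules.
cachemgr_passwd none
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
# Three on-disk stores of 2048 MB each, with 16 first-level and 256 second-level directories.
cache_dir aufs /cache/squid/1 2048 16 256
cache_dir aufs /cache/squid/2 2048 16 256
cache_dir aufs /cache/squid/3 2048 16 256
memory_pools off
# Abort an upstream fetch as soon as the client disconnects.
quick_abort_min 0 KB
quick_abort_max 0 KB
log_icp_queries off
client_db off
buffered_logs on
half_closed_clients off
forward_timeout 15 seconds
connect_timeout 15 seconds
peer_connect_timeout 10 seconds
visible_hostname Proxy
# The access log records user names and requested URLs; keep the log directory readable only by
# the proxy account and administrators.
access_log stdio:/var/log/squid/access.log
# NOTE(review): cache_access_log is the legacy name of access_log, so this line presumably writes
# a second copy of the same log. Confirm it is wanted.
cache_access_log stdio:/var/log/squid/cache_access.log
coredump_dir /cache/squid
cache_store_log none
logfile_rotate 10
# Do not disclose internal client addresses to origin servers in X-Forwarded-For.
forwarded_for off
error_directory /usr/share/squid/errors/pt-br
# NOTE(review): with no address given, the proxy listens on every interface. Bind it to the
# internal address or firewall the port if this host also has an external interface.
http_port 3128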
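# refresh_pattern rules are checked in order and the first matching regex wins.
# Fields: regex, min age (minutes), percent of object age, max age (minutes), options.
# NOTE(review): the host parts are unanchored and their dots are unescaped, so they match as
# substrings anywhere in the URL, not only as the host name.
## CACHE WINDOWS UPDATE ##
# Fixed: the extension groups used ms[i|u|f] and wm[v|a]. Inside a bracket expression "|" is a
# literal character, so the intended classes are ms[iuf] and wm[va].
refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[iuf]|asf|wm[va]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[iuf]|asf|wm[va]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i windows.com/.*\.(cab|exe|ms[iuf]|asf|wm[va]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern download.microsoft.com/.*\.(cab|exe|dll|msi|psf) 10080 100% 43200 reload-into-ims
refresh_pattern http://www.download.microsoft.com/.*\.(cab|exe|dll|msi|psf) 10080 100% 43200 reload-into-ims
refresh_pattern http://www.microsoft.com/.*\.(cab|exe|dll|msi|psf) 10080 100% 43200 reload-into-ims
refresh_pattern au.download.windowsupdate.com/.*\.(cab|exe|dll|msi|psf) 4320 100% 43200 reload-into-ims
refresh_pattern download.windowsupdate.com/.*\.(cab|exe|dll|msi|psf) 4320 100% 43200 reload-into-ims
refresh_pattern cache.pack.google.com/.*\.(cab|exe|dll|msi|psf) 4320 100% 43200 reload-into-ims
refresh_pattern http://www.update.microsoft.com/.*\.(cab|exe|dll|msi|psf) 10080 100% 43200 reload-into-ims
# Fixed: host was spelled "wwww". The rule stays shadowed either way, because the unanchored
# download.windowsupdate.com pattern above matches the same URLs first.
refresh_pattern www.download.windowsupdate.com/.*\.(cab|exe|dll|msi|psf) 10080 100% 43200 reload-into-ims
## CACHE SKYPE ##
refresh_pattern download.skype.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
## CACHE CHROME ##
# Only .dmg reaches this rule; the other extensions are taken by the earlier
# cache.pack.google.com pattern.
refresh_pattern cache.pack.google.com/.*\.(cab|exe|dll|msi|dmg) 10080 100% 43200 reload-into-ims
## CACHE MEDIA ##
# NOTE(review): ignore-private lets the shared cache store responses the origin marked
# Cache-Control: private, and override-expire keeps them past their stated expiry. A media URL
# served to one authenticated user can then be replayed to other users. Drop these options unless
# every matching source is known to be public.
# NOTE(review): ignore-no-cache is reported as obsolete in newer Squid releases; check it against
# the installed version.
refresh_pattern -i \.(mp3|mp4|m4a|ogg|mov|avi|wmv|flv)$ 10080 90% 999999 ignore-no-cache override-expire ignore-private
hierarchy_stoplist cgi-bin ?
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
# Dynamic content (cgi-bin paths and query strings) is never served from cache without revalidation.
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320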