Navegaçao as vezes lenta com Squid e Dansguardian

1. Navegaçao as vezes lenta com Squid e Dansguardian

SK5_RJ
(usa Debian)

Enviado em 17/02/2014 - 20:16h

Olá Amigos recentemente eu implementei o Dansguargian e o Squid3(com a ajuda do VOL) na empresa onde eu trabalho e tive resultado bem positivo, porem em alguns momentos a rede da uma parada repentina e volta depois de um tempo.

Dados:
Cerca de 60 micros, link de 120 Mbps
FAst Ethenert ( Chef ainda nao autorizou a compra de Switches gigabits para aproveitarmos 100% do link para navegar) será que da gargalo com a fast Ethernet? algo como paralisar o acesso por instantes...., creio que nao pois utilizávamos anteriormente e nunca ocorreu isto. mas vamos la, abaixo postarei as confs.

Utilizo uma maquina COm 8gb I5 500 HD MOBO GA-B75M-D3h (sei que nao é um server de verdade mas para o que é tem desempenho de sobra).
Bem amigos, onde trabalho é muito corrido e nao tive tempo ainda de vericar logs por log pois tivemos varios acessos indevidos e varios constrangimentos com clientes visualizando(flagrando)pornografia no pc de funcionários entao implementei as pressas, ate entao eu so utilizava o Squid mas adorei as funcionalidades do DG.

Po pessoal alguem ja passou por algo parecido?

DANSGUARDIAN>>>>



#REPORT

reportinglevel = 3



#IDIOMA

languagedir = '/etc/dansguardian/languages'

language = 'ptbrazilian'



#LOGs

loglevel = 3

logexceptionhits = 2

logfileformat = 3



loglocation = '/var/log/dansguardian/access.log'



# Network Settings

filterip = 

filterport = 8080

proxyip = 127.0.0.1

proxyport = 3128



nonstandarddelimiter = on



#IMAGENS BLOQUEADAS

usecustombannedimage = on

custombannedimagefile = '/usr/share/dansguardian/transparent1x1.gif'



# Filter groups options

filtergroups = 1

filtergroupslist = '/etc/dansguardian/lists/filtergroupslist'



# Authentication files location

bannediplist = '/etc/dansguardian/lists/bannediplist'

exceptioniplist = '/etc/dansguardian/lists/exceptioniplist'



#PALAVRAS - PESO

showweightedfound = on

weightedphrasemode = 2



# Positive (clean) result caching for URLs

urlcachenumber = 1000



# Age before they are stale and should be ignored in seconds

urlcacheage = 900



# Clean cache for content (AV) scan results

scancleancache = on



#Smart, Raw and Meta/Title phrase content filtering options

phrasefiltermode = 2



# Lower casing options / 0 = force lower case (default)

preservecase = 0



# Hex decoding options

hexdecodecontent = off



# Force Quick Search rather than DFA search algorithm

forcequicksearch = off



# Reverse lookups for banned site and URLs.

reverseaddresslookups = off



# Reverse lookups for banned and exception IP lists.

reverseclientiplookups = off



# Perform reverse lookups on client IPs for successful requests.

logclienthostnames = off



# Build bannedsitelist and bannedurllist cache files.

createlistcachefiles = on



# POST protection (web upload and forms)

maxuploadsize = -1



# Max content filter size

maxcontentfiltersize = 256



# Max content ram cache scan size

maxcontentramcachescansize = 2000



# Max content file cache scan size

maxcontentfilecachescansize = 20000



# File cache dir

filecachedir = '/tmp'



# Delete file cache after user completes download

deletedownloadedtempfiles = on



# Initial Trickle delay

initialtrickledelay = 20



# Trickle delay

trickledelay = 10



# Download Managers

downloadmanager = '/etc/dansguardian/downloadmanagers/fancy.conf'

downloadmanager = '/etc/dansguardian/downloadmanagers/default.conf'



# Content scanner timeout

contentscannertimeout = 60



# Content scan exceptions

contentscanexceptions = off



# Auth plugins

authplugin = '/etc/dansguardian/authplugins/proxy-basic.conf'

authplugin = '/etc/dansguardian/authplugins/ip.conf'



# Re-check replaced URLs

recheckreplacedurls = off



# Misc settings

forwardedfor = off

usexforwardedfor = off

logconnectionhandlingerrors = on



# Fork pool options

logchildprocesshandling = off

maxchildren = 120

minchildren = 8

minsparechildren = 4

preforkchildren = 6

maxsparechildren = 32

maxagechildren = 500



# Sets the maximum number client IP addresses allowed to connect at once.

maxips = 0



# IPC filename

ipcfilename = '/tmp/.dguardianipc'



# URL list IPC filename

urlipcfilename = '/tmp/.dguardianurlipc'



# IP list IPC filename

ipipcfilename = '/tmp/.dguardianipipc'



# PID filename

nodaemon = off



# Disable logging process

nologger = off



# Enable logging of "ADs" category blocks

logadblocks = on



# Enable logging of client User-Agent

loguseragent = off



# Soft restart

softrestart = off

SQUID3



#------------------------------------------------------------------

acl manager proto cache_object

acl redelocal src 192.168.0.0/24

acl localhost src 127.0.0.1/32

#------------------------------------------------------------------

dns-nameservers 8.8.8.8

dns-nameservers 8.8.4.4

acl SSL_ports port 443 # https

acl SSL_ports port 563 # snews

acl SSL_ports port 873 # rsync

acl Safe_ports port 80 # http

acl Safe_ports port 21 # ftp

acl Safe_ports port 443 # https

acl Safe_ports port 70 # gopher

acl Safe_ports port 210 # wais

acl Safe_ports port 1025-65535 # unregistered ports

acl Safe_ports port 280 # http-mgmt

acl Safe_ports port 488 # gss-http

acl Safe_ports port 591 # filemaker

acl Safe_ports port 777 # multiling http

acl Safe_ports port 631 # cups

acl Safe_ports port 873 # rsync

acl Safe_ports port 901 # SWAT

acl Safe_ports port 5000 # VPN

#------------------------------------------------------------------

acl CONNECT method CONNECT

acl purge method PURGE

#update--------------------------

#acl permitido url_regex -i "/etc/squid3/permitido.txt"

#acl restrito url_regex -i "/etc/squid3/restrito.txt"



#------------------------------------------------------------------

http_access allow manager localhost

http_access deny manager

http_access allow purge localhost

http_access deny purge

#------------------------------------------------------------------

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports



#update--------------------



#http_access allow permitido

#http_access deny restrito

#------------------------------------------------------------------

http_access allow redelocal

http_access allow localhost

#------------------------------------------------------------------

http_access deny all

#------------------------------------------------------------------

http_port 3128 intercept

#------------------------------------------------------------------

cache_mem 2000 MB

#------------------------------------------------------------------

maximum_object_size_in_memory 512 KB

#------------------------------------------------------------------

memory_replacement_policy heap GDSF

#------------------------------------------------------------------

cache_replacement_policy heap LFUDA

#------------------------------------------------------------------

cache_dir aufs /var/spool/squid3 40048 16 256

#------------------------------------------------------------------

maximum_object_size 4 GB

minimum_object_size 0 KB



#------------------------------------------------------------------

cache_swap_low 93

cache_swap_high 97

#------------------------------------------------------------------

access_log /var/log/squid3/access.log squid

#------------------------------------------------------------------

cache_store_log none

#------------------------------------------------------------------

mime_table /usr/share/squid3/mime.conf

#------------------------------------------------------------------

cache_log /var/log/squid3/cache.log

#------------------------------------------------------------------

coredump_dir /var/spool/squid3

#------------------------------------------------------------------

refresh_pattern ^ftp:            1440   20%   10080

refresh_pattern ^gopher:         1440   0%   1440

refresh_pattern -i (/cgi-bin/|\?)        0   0%   0

refresh_pattern (Release|Packages(.gz)*)$   0   20%     2880

refresh_pattern .             0   20%   4320

refresh_pattern -i \.(gif|png|jpg|jpeg|ico|bmp)$ 260000 90% 260009 override-expire

refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv|mpg|wma|ogg|wmv|asx|asf)$ 260000 90% 260009  override-expire

refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff|pdf|uxx)$ 260000 90% 260009 override-expire

refresh_pattern -i \.index.(html|htm)$ 1440 90% 40320

refresh_pattern -i \.(html|htm|css|js)$ 1440 90% 40320



#fazer cache do windows update

refresh_pattern windowsupdate.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims

refresh_pattern download.microsoft.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims

refresh_pattern www.microsoft.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims

refresh_pattern au.download.windowsupdate.com/.*\.(cab|exe|dll|msi) 4320 100% 43200 reload-into-ims

refresh_pattern msgruser.dlservice.microsoft.com/.*.(cab|exe|msi) 10080 100% 43200 reload-into-ims 

refresh_pattern download.windowsupdate.com/.*\.(cab|exe|dll|msi) 4320 100% 43200 reload-into-ims

refresh_pattern update.microsoft.com/.*\.(cab|exe|dll|msi) 4320 100% 43200 reload-into-ims

#_______________________

cache_mgr ti_01@canadense.com.br

#_______________________

visible_hostname Debianserver

#_______________________

detect_broken_pconn on

#_______________________

global_internal_static on

#_______________________

error_directory /usr/share/squid3/errors/Portuguese

#_______________________

memory_pools on

memory_pools_limit 32 MB

#_______________________

pipeline_prefetch on

#_______________________

Parte do IPTABLES



#! /bin/bash

iptables -F INPUT

iptables -F OUTPUT

iptables -F FORWARD

iptables -t nat -F

iptables -t mangle -F

modprobe ip_tables

modprobe iptable_nat

modprobe ipt_string



echo "1" > /proc/sys/net/ipv4/ip_forward

#iptables -I FORWARD -m string --algo bm --string "facebook.com" -j DROP

#iptables -I OUTPUT -m string --algo bm --string "facebook.com" -j DROP

#iptables -I FORWARD -m string --algo bm --string "login.live.com" -j DROP

#iptables -I OUTPUT -m string --algo bm --string "login.live.com" -j DROP

#iptables -I FORWARD -m string --algo bm --string "twitter.com" -j DROP

#iptables -I OUTPUT -m string --algo bm --string "twitter.com" -j DROP



iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE



iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 8080

#iptables -A INPUT -p tcp --dport 3128 -i eth2 -j ACCEPT #Proxy

#iptables -A INPUT -p tcp --dport 80 -i eth2 -j ACCEPT #HTTP

#iptables -A INPUT -p tcp --dport 21 -i eth2 -j ACCEPT #FTP

#iptables -A INPUT -p tcp --dport 53 -i eth2 -j ACCEPT #DNS

#iptables -A INPUT -p udp --dport 53 -i eth2 -j ACCEPT #DNS

#iptables -A INPUT -p tcp --dport 25 -i eth2 -j ACCEPT #SMTP

#iptables -A INPUT -p tcp --dport 110 -i eth2 -j ACCEPT #SSL

#iptables -A INPUT -p udp --dport 110 -i eth2 -j ACCEPT #SSL

#iptables -A INPUT -p tcp --dport 80 -i eth2 -j ACCEPT #SSL

##iptables -A INPUT -p udp --dport 80 -i eth2 -j ACCEPT #SSL

#iptables -A INPUT -p tcp --dport 443 -i eth2 -j ACCEPT #SSL

#iptables -A INPUT -p udp --dport 443 -i eth2 -j ACCEPT #SSL



#(tentativa de corrigir o Dansguardian)  iptables -t nat -A PREROUTING -p tcp -m multiport -s 192.168.0.0/24 --dport 3128 -j REDIRECT --to-ports 8080





#iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128

#iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p udp --dport 80 -j REDIRECT --to-port 3128



#iptables -t nat -A PREROUTING -p tcp -m multiport -s 192.168.0.0/24 --dport 3128 -j REDIRECT --to-ports 8080



iptables -A INPUT -i eth2 -p tcp --dport 8080 -j ACCEPT



#iptables -A INPUT -p tcp --dport 10000 -j ACCEPT

iptables -A INPUT -p tcp --dport 4363 -j ACCEPT

 

iptables -A OUTPUT -s 192.168.0.0/24 -j ACCEPT

iptables -A INPUT -d 192.168.0.0/24 -j ACCEPT

 



#iptables -t filter -A FORWARD -p tcp --dport 8443 -j ACCEPT

#iptables -t filter -A FORWARD -p tcp --dport 443 -j ACCEPT