[squid-users] Internet Browsing very slow after implementing Squid peek & splice + Access log not tracing full URL
Sagar Malve
sagarmalve91 at gmail.com
Thu May 19 11:08:19 UTC 2016
Hi Team,
I have done some modification as per thread and temporary removed Refresh
pattern and have kept the Default refresh pattern ...
This is how my Configuration looks like .....
# -------------------------------------
# Access Control Lists
# -------------------------------------
acl localnet src 192.168.0.0/24 # RFC1918 possible internal network
acl SSL_ports port 443
acl SSL_ports port 8443 # Telecom exclusion
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
# Common methods
acl CONNECT method CONNECT
acl PURGE method PURGE
acl GET method GET
# Windows update acls
acl windowsupdate dstdomain sls.update.microsoft.com.akadns.net
acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain www.download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com
acl windowsupdate dstdomain sls.microsoft.com
acl windowsupdate dstdomain productactivation.one.microsoft.com
acl windowsupdate dstdomain ntservicepack.microsoft.com
# Windows update methods
acl wuCONNECT dstdomain www.update.microsoft.com
acl wuCONNECT dstdomain sls.microsoft.com
# SSL bump acl
acl net_bump src "/etc/squid/net.bump"
# TLD acl
acl block_tld url_regex "/etc/squid/dstdom.tld"
# -------------------------------------
# Access parameters
# -------------------------------------
# Deny requests to unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
# Allow purge from localhost
http_access allow PURGE localhost
http_access deny PURGE
# Block top level domains
http_access deny block_tld
deny_info TCP_RESET block_tld
# Rule allowing access from local networks
http_access allow localnet
http_access allow localhost
# ICP/HTCP access
icp_access allow localnet
icp_access deny all
htcp_access allow localnet
htcp_access deny all
# 302 loop
acl text_mime rep_mime_type text/html text/plain
acl http302 http_status 302
store_miss deny text_mime http302
send_hit deny text_mime http302
# Windows updates rules
http_access allow CONNECT wuCONNECT localnet
http_access allow CONNECT wuCONNECT localhost
http_access allow windowsupdate localnet
http_access allow windowsupdate localhost
# SSL bump rules
acl DiscoverSNIHost at_step SslBump1
# ICQ/MRA must splice first
acl NoSSLIntercept ssl::server_name_regex -i "/etc/squid/url.nobump"
ssl_bump splice NoSSLIntercept
ssl_bump bump net_bump
acl tls_s1_connect at_step SslBump1
acl tls_s3_server_hello at_step SslBump3
# TLS/SSL bumping steps
ssl_bump peek tls_s1_connect # peek at the incoming TLS/SSL
connect data
ssl_bump splice all # splice the stream:
pass-through mode
# And finally deny all other access to this proxy
http_access deny all
# -------------------------------------
# HTTP parameters
# -------------------------------------
# dhparams is before squid-3.5.12-20151222-r13967
# tls-dh is AFTER squid-3.5.12-20151222-r13967
http_port 3127
http_port 3128 intercept
# dhparams is before squid-3.5.12-20151222-r13967
# tls-dh is AFTER squid-3.5.12-20151222-r13967
https_port 3129 intercept ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_certs/squid.crt
key=/etc/squid/ssl_certs/squid.key options=NO_SSLv3
tls-dh=/etc/squid/dhparam.pem
sslproxy_capath /etc/ssl/certs
# SINGLE_DH_USE is 3.5 before squid-3.5.12-20151222-r13967
#sslproxy_options NO_SSLv3,SINGLE_DH_USE
# SINGLE_ECDH_USE is AFTER squid-3.5.12-20151222-r13967
sslproxy_options NO_SSLv3,SINGLE_ECDH_USE
sslproxy_cipher
EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
# Cache manager
cache_mgr mymail at gmail.com
# Forces reload-into-ims
reload_into_ims on
# Hide internal networks details outside
via off
forwarded_for delete
# Do not show Squid version
httpd_suppress_version_string on
# Prioritization of local hits
qos_flows tos local-hit=0x68
# Specify local DNS cache
dns_nameservers 8.8.8.8
dns_v4_first on
ipcache_size 4096
# -------------------------------------
# Memory parameters
# -------------------------------------
cache_mem 512 Mb
#memory_pools off
maximum_object_size_in_memory 1 MB
# -------------------------------------
# Tuning parameters
# -------------------------------------
memory_replacement_policy heap LRU
cache_replacement_policy heap LFUDA
store_avg_object_size 85 KB
# Default is 20
store_objects_per_bucket 32
# Shutdown delay before terminate connections
shutdown_lifetime 15 second
# SMP
#workers 2
# -------------------------------------
# Store parameters
# -------------------------------------
maximum_object_size 8 Gb
cache_dir aufs /usr/local/cache 250000 16 256
# -------------------------------------
# Process/log parameters
# -------------------------------------
#logformat my_squid %tl %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
access_log daemon:/var/log/squid/access.log buffer-size=256KB
# Don't log ICP queries
log_icp_queries off
# Turn off internal log rotation
logfile_rotate 0
cache_log /var/log/squid/cache.log
cache_store_log none
# Default is off
buffered_logs on
coredump_dir /var/core
pid_filename /tmp/squid.pid
strip_query_terms off
# -------------------------------------
# Content parameters
# -------------------------------------
range_offset_limit none all
# Default patterns
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320 reload-into-ims
-------------Config End ---------------
------------net.bump File -------------------
google.com
youtube.com
reddit.com
-------------------------------
------------dstdom.tld file --------------
yahoo.com
facebook.com
---------------------------------------
--------------- Url.nobump--------
axisbank.com
hdfcbank.com
------------------------------------------
Now issue is that I need to block yahoo and facebook but I am able to
access the facebook website and yahoo is getting blocked ....
And also all Google website like google, gmail, youtube are working very
slow it takes lots of time to load this websites but other Https websites
like axisbank / hdfc etc are working properly ....
Also somtime website does not work with Chrome browser like Gmail but same
is working in Mozilla Firefox but take time to load ......
On Wed, May 18, 2016 at 8:07 PM, Alex Rousskov <
rousskov at measurement-factory.com> wrote:
> On 05/18/2016 05:05 AM, Sagar Malve wrote:
>
> > when we pass the Network through Squid the
> > Internet work very slow
>
>
> In addition to other comments on this thread, please note that,
> according to my _ballpark_ estimates, Squid "ssl_bump bump" performance
> is about 10% of regular plain traffic forwarding performance and
> "ssl_bump splice step2" performance is about 30%.
>
> FWIW, we are working on significantly improving the latter:
>
> http://lists.squid-cache.org/pipermail/squid-dev/2016-May/005659.html
> http://lists.squid-cache.org/pipermail/squid-dev/2016-May/005660.html
>
>
> HTH,
>
> Alex.
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160519/c24fde19/attachment-0001.html>
More information about the squid-users
mailing list