4. Dificuldade Configuração SQUID

Dificuldade Configuração SQUID

  • Z

    Amigos, preciso de ajuda para configurar parâmetros do squid/squidguard. Não tenho experiência com ele, porém foi necessário implantação de última hora do squid devido problemas administrativos. Instalado o Pfsense 2.4.0 + squid + squidguard (não está sendo usado como firewall, apenas funcionalidade proxy). Instalado em uma VM (ambiente vmware + storage IBM v7000) com 64GB RAM, 4 CPU, 80GB de disco (instalação default). O proxy atende a quase 100 localidades diferentes espalhadas pelo Estado, ele tem um link de 1GB para atender mais ou menos 1200 usuários simultâneos conectados a internet. Monitorando, os recursos estão sendo subutilizados: CPU 40%, memo 30%, traffic graph wan (in) + wan (out) = 120Mb. Os usuários estão tendo problemas para acesso a internet: lentidão, timeout, perda de sessão, etc. Já alterei diversas vezes a configuração Local Cache e não cheguei a um consenso, fiz uma alteração também após consulta em foruns na linha "url_rewrite_children 256", alterando o valor default de 16 para 256, isso deu uma melhorada. Alguém teria uma sugestão de configuração? Fiz esta configuração abaixo hoje que vou testar na próxima segunda dia 6/11/17 retornada com o comando squid -k parse. Obrigado desde já.

    2017/11/04 09:47:11| Startup: Initializing Authentication Schemes …
    2017/11/04 09:47:11| Startup: Initialized Authentication Scheme 'basic'
    2017/11/04 09:47:11| Startup: Initialized Authentication Scheme 'digest'
    2017/11/04 09:47:11| Startup: Initialized Authentication Scheme 'negotiate'
    2017/11/04 09:47:11| Startup: Initialized Authentication Scheme 'ntlm'
    2017/11/04 09:47:11| Startup: Initialized Authentication.
    2017/11/04 09:47:11| Processing Configuration File: /usr/local/etc/squid/squid.conf (depth 0)
    2017/11/04 09:47:11| Processing: http_port XXXXXXXXXXXXXXX ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB
    2017/11/04 09:47:11| Starting Authentication on port 127.0.0.1:8080
    2017/11/04 09:47:11| Disabling Authentication on port 127.0.0.1:8080 (interception enabled)
    2017/11/04 09:47:11| Processing: https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB
    2017/11/04 09:47:11| Starting Authentication on port 127.0.0.1:3129
    2017/11/04 09:47:11| Disabling Authentication on port 127.0.0.1:3129 (interception enabled)
    2017/11/04 09:47:11| Processing: icp_port 0
    2017/11/04 09:47:11| Processing: digest_generation off
    2017/11/04 09:47:11| Processing: dns_v4_first off
    2017/11/04 09:47:11| Processing: pid_filename /var/run/squid/squid.pid
    2017/11/04 09:47:11| Processing: cache_effective_user squid
    2017/11/04 09:47:11| Processing: cache_effective_group proxy
    2017/11/04 09:47:11| Processing: error_default_language pt-br
    2017/11/04 09:47:11| Processing: icon_directory /usr/local/etc/squid/icons
    2017/11/04 09:47:11| Processing: visible_hostname localhost
    2017/11/04 09:47:11| Processing: cache_mgr admin@localhost
    2017/11/04 09:47:11| Processing: access_log /var/squid/logs/access.log
    2017/11/04 09:47:11| Processing: cache_log /var/squid/logs/cache.log
    2017/11/04 09:47:11| Processing: cache_store_log none
    2017/11/04 09:47:11| Processing: netdb_filename /var/squid/logs/netdb.state
    2017/11/04 09:47:11| Processing: pinger_enable on
    2017/11/04 09:47:11| Processing: pinger_program /usr/local/libexec/squid/pinger
    2017/11/04 09:47:11| Processing: sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048
    2017/11/04 09:47:11| Processing: sslcrtd_children 5
    2017/11/04 09:47:11| Processing: sslproxy_capath /usr/local/share/certs/
    2017/11/04 09:47:11| Processing: sslproxy_options NO_SSLv2,NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
    2017/11/04 09:47:11| Processing: sslproxy_cert_error allow all
    2017/11/04 09:47:11| Processing: sslproxy_cert_adapt setValidBefore all
    2017/11/04 09:47:11| Processing: logfile_rotate 7
    2017/11/04 09:47:11| Processing: debug_options rotate=7
    2017/11/04 09:47:11| Processing: shutdown_lifetime 3 seconds
    2017/11/04 09:47:11| Processing: acl localnet src  200.198.3.0/24
    2017/11/04 09:47:11| Processing: forwarded_for on
    2017/11/04 09:47:11| Processing: uri_whitespace strip
    2017/11/04 09:47:11| Processing: acl dynamic urlpath_regex cgi-bin ?
    2017/11/04 09:47:11| Processing: cache deny dynamic
    2017/11/04 09:47:11| Processing: cache_mem 32768 MB
    2017/11/04 09:47:11| Processing: maximum_object_size_in_memory 5120 KB
    2017/11/04 09:47:11| Processing: memory_replacement_policy heap GDSF
    2017/11/04 09:47:11| Processing: cache_replacement_policy heap LFUDA
    2017/11/04 09:47:11| Processing: minimum_object_size 1 KB
    2017/11/04 09:47:11| Processing: maximum_object_size 300 MB
    2017/11/04 09:47:11| Processing: cache_dir ufs /var/squid/cache 51200 256 256
    2017/11/04 09:47:11| Processing: offline_mode off
    2017/11/04 09:47:11| Processing: cache_swap_low 90
    2017/11/04 09:47:11| Processing: cache_swap_high 95
    2017/11/04 09:47:11| Processing: cache allow all
    2017/11/04 09:47:11| Processing: refresh_pattern ^ftp:    1440  20%  10080
    2017/11/04 09:47:11| Processing: refresh_pattern ^gopher:  1440  0%  1440
    2017/11/04 09:47:11| Processing: refresh_pattern -i (/cgi-bin/|?) 0  0%  0
    2017/11/04 09:47:11| Processing: refresh_pattern .    0  20%  4320
    2017/11/04 09:47:11| Processing: acl allsrc src all
    2017/11/04 09:47:11| Processing: acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  8080 3129 1025-65535
    2017/11/04 09:47:11| Processing: acl sslports port 443 563
    2017/11/04 09:47:11| Processing: acl purge method PURGE
    2017/11/04 09:47:11| Processing: acl connect method CONNECT
    2017/11/04 09:47:11| Processing: acl HTTP proto HTTP
    2017/11/04 09:47:11| Processing: acl HTTPS proto HTTPS
    2017/11/04 09:47:11| Processing: acl step1 at_step SslBump1
    2017/11/04 09:47:11| Processing: acl step2 at_step SslBump2
    2017/11/04 09:47:11| Processing: acl step3 at_step SslBump3
    2017/11/04 09:47:11| Processing: acl allowed_subnets src 10.0.0.0/8 192.168.68.0/24 192.168.65.0/24 172.27.58.0/24
    2017/11/04 09:47:11| Processing: acl unrestricted_hosts src "/var/squid/acl/unrestricted_hosts.acl"
    2017/11/04 09:47:11| Processing: http_access allow manager localhost
    2017/11/04 09:47:11| Processing: http_access deny manager
    2017/11/04 09:47:11| Processing: http_access allow purge localhost
    2017/11/04 09:47:11| Processing: http_access deny purge
    2017/11/04 09:47:11| Processing: http_access deny !safeports
    2017/11/04 09:47:11| Processing: http_access deny CONNECT !sslports
    2017/11/04 09:47:11| Processing: http_access allow localhost
    2017/11/04 09:47:11| Processing: request_body_max_size 0 KB
    2017/11/04 09:47:11| Processing: delay_pools 1
    2017/11/04 09:47:11| Processing: delay_class 1 2
    2017/11/04 09:47:11| Processing: delay_parameters 1 -1/-1 -1/-1
    2017/11/04 09:47:11| Processing: delay_initial_bucket_level 100
    2017/11/04 09:47:11| Processing: delay_access 1 deny unrestricted_hosts
    2017/11/04 09:47:11| Processing: delay_access 1 allow allsrc
    2017/11/04 09:47:11| Processing: url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf
    2017/11/04 09:47:11| Processing: url_rewrite_bypass off
    2017/11/04 09:47:11| Processing: url_rewrite_children 256 startup=8 idle=4 concurrency=0
    2017/11/04 09:47:11| Processing: http_access allow unrestricted_hosts
    2017/11/04 09:47:11| Processing: ssl_bump peek step1
    2017/11/04 09:47:11| Processing: ssl_bump splice all
    2017/11/04 09:47:11| Processing: http_access allow allowed_subnets
    2017/11/04 09:47:11| Processing: http_access allow localnet
    2017/11/04 09:47:11| Processing: http_access deny allsrc
    2017/11/04 09:47:11| Initializing https proxy context
    2017/11/04 09:47:11| Using certificate in /usr/local/etc/squid/serverkey.pem
    2017/11/04 09:47:11| Initializing http_port 127.0.0.1:8080 SSL context
    2017/11/04 09:47:11| Using certificate in /usr/local/etc/squid/serverkey.pem
    2017/11/04 09:47:11| Initializing https_port 127.0.0.1:3129 SSL context
    2017/11/04 09:47:11| Using certificate in /usr/local/etc/squid/serverkey.pem

    0
  • Z

    Amigos, preciso de ajuda para configurar parâmetros do squid/squidguard. Não tenho experiência com ele, porém foi necessário implantação de última hora do squid devido problemas administrativos. Instalado o Pfsense 2.4.0 + squid + squidguard (não está sendo usado como firewall, apenas funcionalidade proxy). Instalado em uma VM (ambiente vmware + storage IBM v7000) com 64GB RAM, 4 CPU, 80GB de disco (instalação default). O proxy atende a quase 100 localidades diferentes espalhadas pelo Estado, ele tem um link de 1GB para atender mais ou menos 1200 usuários simultâneos conectados a internet. Monitorando, os recursos estão sendo subutilizados: CPU 40%, memo 30%, traffic graph wan (in) + wan (out) = 120Mb. Os usuários estão tendo problemas para acesso a internet: lentidão, timeout, perda de sessão, etc. Já alterei diversas vezes a configuração Local Cache e não cheguei a um consenso, fiz uma alteração também após consulta em foruns na linha "url_rewrite_children 256", alterando o valor default de 16 para 256, isso deu uma melhorada. Alguém teria uma sugestão de configuração? Fiz esta configuração abaixo hoje que vou testar na próxima segunda dia 6/11/17 retornada com o comando squid -k parse. Obrigado desde já.

    2017/11/04 09:47:11| Startup: Initializing Authentication Schemes …
    2017/11/04 09:47:11| Startup: Initialized Authentication Scheme 'basic'
    2017/11/04 09:47:11| Startup: Initialized Authentication Scheme 'digest'
    2017/11/04 09:47:11| Startup: Initialized Authentication Scheme 'negotiate'
    2017/11/04 09:47:11| Startup: Initialized Authentication Scheme 'ntlm'
    2017/11/04 09:47:11| Startup: Initialized Authentication.
    2017/11/04 09:47:11| Processing Configuration File: /usr/local/etc/squid/squid.conf (depth 0)
    2017/11/04 09:47:11| Processing: http_port XXXXXXXXXXXXXXX ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB
    2017/11/04 09:47:11| Starting Authentication on port 127.0.0.1:8080
    2017/11/04 09:47:11| Disabling Authentication on port 127.0.0.1:8080 (interception enabled)
    2017/11/04 09:47:11| Processing: https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB
    2017/11/04 09:47:11| Starting Authentication on port 127.0.0.1:3129
    2017/11/04 09:47:11| Disabling Authentication on port 127.0.0.1:3129 (interception enabled)
    2017/11/04 09:47:11| Processing: icp_port 0
    2017/11/04 09:47:11| Processing: digest_generation off
    2017/11/04 09:47:11| Processing: dns_v4_first off
    2017/11/04 09:47:11| Processing: pid_filename /var/run/squid/squid.pid
    2017/11/04 09:47:11| Processing: cache_effective_user squid
    2017/11/04 09:47:11| Processing: cache_effective_group proxy
    2017/11/04 09:47:11| Processing: error_default_language pt-br
    2017/11/04 09:47:11| Processing: icon_directory /usr/local/etc/squid/icons
    2017/11/04 09:47:11| Processing: visible_hostname localhost
    2017/11/04 09:47:11| Processing: cache_mgr admin@localhost
    2017/11/04 09:47:11| Processing: access_log /var/squid/logs/access.log
    2017/11/04 09:47:11| Processing: cache_log /var/squid/logs/cache.log
    2017/11/04 09:47:11| Processing: cache_store_log none
    2017/11/04 09:47:11| Processing: netdb_filename /var/squid/logs/netdb.state
    2017/11/04 09:47:11| Processing: pinger_enable on
    2017/11/04 09:47:11| Processing: pinger_program /usr/local/libexec/squid/pinger
    2017/11/04 09:47:11| Processing: sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048
    2017/11/04 09:47:11| Processing: sslcrtd_children 5
    2017/11/04 09:47:11| Processing: sslproxy_capath /usr/local/share/certs/
    2017/11/04 09:47:11| Processing: sslproxy_options NO_SSLv2,NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
    2017/11/04 09:47:11| Processing: sslproxy_cert_error allow all
    2017/11/04 09:47:11| Processing: sslproxy_cert_adapt setValidBefore all
    2017/11/04 09:47:11| Processing: logfile_rotate 7
    2017/11/04 09:47:11| Processing: debug_options rotate=7
    2017/11/04 09:47:11| Processing: shutdown_lifetime 3 seconds
    2017/11/04 09:47:11| Processing: acl localnet src  200.198.3.0/24
    2017/11/04 09:47:11| Processing: forwarded_for on
    2017/11/04 09:47:11| Processing: uri_whitespace strip
    2017/11/04 09:47:11| Processing: acl dynamic urlpath_regex cgi-bin ?
    2017/11/04 09:47:11| Processing: cache deny dynamic
    2017/11/04 09:47:11| Processing: cache_mem 32768 MB
    2017/11/04 09:47:11| Processing: maximum_object_size_in_memory 5120 KB
    2017/11/04 09:47:11| Processing: memory_replacement_policy heap GDSF
    2017/11/04 09:47:11| Processing: cache_replacement_policy heap LFUDA
    2017/11/04 09:47:11| Processing: minimum_object_size 1 KB
    2017/11/04 09:47:11| Processing: maximum_object_size 300 MB
    2017/11/04 09:47:11| Processing: cache_dir ufs /var/squid/cache 51200 256 256
    2017/11/04 09:47:11| Processing: offline_mode off
    2017/11/04 09:47:11| Processing: cache_swap_low 90
    2017/11/04 09:47:11| Processing: cache_swap_high 95
    2017/11/04 09:47:11| Processing: cache allow all
    2017/11/04 09:47:11| Processing: refresh_pattern ^ftp:    1440  20%  10080
    2017/11/04 09:47:11| Processing: refresh_pattern ^gopher:  1440  0%  1440
    2017/11/04 09:47:11| Processing: refresh_pattern -i (/cgi-bin/|?) 0  0%  0
    2017/11/04 09:47:11| Processing: refresh_pattern .    0  20%  4320
    2017/11/04 09:47:11| Processing: acl allsrc src all
    2017/11/04 09:47:11| Processing: acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  8080 3129 1025-65535
    2017/11/04 09:47:11| Processing: acl sslports port 443 563
    2017/11/04 09:47:11| Processing: acl purge method PURGE
    2017/11/04 09:47:11| Processing: acl connect method CONNECT
    2017/11/04 09:47:11| Processing: acl HTTP proto HTTP
    2017/11/04 09:47:11| Processing: acl HTTPS proto HTTPS
    2017/11/04 09:47:11| Processing: acl step1 at_step SslBump1
    2017/11/04 09:47:11| Processing: acl step2 at_step SslBump2
    2017/11/04 09:47:11| Processing: acl step3 at_step SslBump3
    2017/11/04 09:47:11| Processing: acl allowed_subnets src 10.0.0.0/8 192.168.68.0/24 192.168.65.0/24 172.27.58.0/24
    2017/11/04 09:47:11| Processing: acl unrestricted_hosts src "/var/squid/acl/unrestricted_hosts.acl"
    2017/11/04 09:47:11| Processing: http_access allow manager localhost
    2017/11/04 09:47:11| Processing: http_access deny manager
    2017/11/04 09:47:11| Processing: http_access allow purge localhost
    2017/11/04 09:47:11| Processing: http_access deny purge
    2017/11/04 09:47:11| Processing: http_access deny !safeports
    2017/11/04 09:47:11| Processing: http_access deny CONNECT !sslports
    2017/11/04 09:47:11| Processing: http_access allow localhost
    2017/11/04 09:47:11| Processing: request_body_max_size 0 KB
    2017/11/04 09:47:11| Processing: delay_pools 1
    2017/11/04 09:47:11| Processing: delay_class 1 2
    2017/11/04 09:47:11| Processing: delay_parameters 1 -1/-1 -1/-1
    2017/11/04 09:47:11| Processing: delay_initial_bucket_level 100
    2017/11/04 09:47:11| Processing: delay_access 1 deny unrestricted_hosts
    2017/11/04 09:47:11| Processing: delay_access 1 allow allsrc
    2017/11/04 09:47:11| Processing: url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf
    2017/11/04 09:47:11| Processing: url_rewrite_bypass off
    2017/11/04 09:47:11| Processing: url_rewrite_children 256 startup=8 idle=4 concurrency=0
    2017/11/04 09:47:11| Processing: http_access allow unrestricted_hosts
    2017/11/04 09:47:11| Processing: ssl_bump peek step1
    2017/11/04 09:47:11| Processing: ssl_bump splice all
    2017/11/04 09:47:11| Processing: http_access allow allowed_subnets
    2017/11/04 09:47:11| Processing: http_access allow localnet
    2017/11/04 09:47:11| Processing: http_access deny allsrc
    2017/11/04 09:47:11| Initializing https proxy context
    2017/11/04 09:47:11| Using certificate in /usr/local/etc/squid/serverkey.pem
    2017/11/04 09:47:11| Initializing http_port 127.0.0.1:8080 SSL context
    2017/11/04 09:47:11| Using certificate in /usr/local/etc/squid/serverkey.pem
    2017/11/04 09:47:11| Initializing https_port 127.0.0.1:3129 SSL context
    2017/11/04 09:47:11| Using certificate in /usr/local/etc/squid/serverkey.pem

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2019 Rubicon Communications, LLC | Privacy Policy