
Re: SQUID Proxy com performance Péssima



Segue abaixo em azul o meu squid.conf:

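# How long a user name stays bound to a client IP address. This value is the
# timeout behind the max_user_ip ACL (limit_user) defined later in the file.
authenticate_ip_ttl 60 seconds

# Cache-manager protocol and loopback addresses.
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
# NOTE(review): the icp_access rule in this file names REDEINT, not REDEINTHU;
# confirm which spelling is the real one.
acl REDEINTHU src 10.0.0.0/8

# Authenticated-user ACLs. REQUIRED matches any user who passes proxy
# authentication; the others read user names from the quoted file.
# Each definition is written on one line here: in the posted copy the file
# paths had been split across two lines by mail wrapping.
acl InetAccess proxy_auth REQUIRED
acl InetDeny proxy_auth "/etc/squid3/regras/inetdeny.txt"
acl CoordCIR proxy_auth "/etc/squid3/regras/coord.txt"
acl Plantonistas proxy_auth "/etc/squid3/regras/plantonistas.txt"
acl Manutencao proxy_auth "/etc/squid3/regras/manutencao.txt"
acl Desenv proxy_auth "/etc/squid3/regras/desenv.txt"
acl users_excecao proxy_auth "/etc/squid3/regras/users_exc.txt"
# NOTE(review): despite its name, exc_sites is a proxy_auth (user name) ACL,
# not a site list; confirm the type is what was intended.
acl exc_sites proxy_auth "/etc/squid3/regras/exc_sites.txt"

# NOTE(review): localnet is defined but no access rule in this file refers to it.
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network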

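# Destination ports the proxy is willing to connect to. The rule
# "http_access deny !Safe_ports" refuses every other port.
# The list is sorted and each port appears once; the posted copy repeated
# 5000, 5060, 5432, 6505, 6605 and 8080.
# NOTE(review): several entries are not web ports by convention (1080 is the
# usual SOCKS port, 5060 SIP, 5432 PostgreSQL) and two ranges open 1000 ports
# each. Every entry widens what a client can reach through the proxy, so each
# one without a comment should be given a documented owner or removed.
acl Safe_ports port 20          # ftp
acl Safe_ports port 21          # ftp
acl Safe_ports port 80          # http
acl Safe_ports port 82          # IBICT
acl Safe_ports port 443         # https, snews
acl Safe_ports port 465         # smtp, Gmail
acl Safe_ports port 995         # pop, Gmail
acl Safe_ports port 1080
#acl Safe_ports port 1863        # msn
acl Safe_ports port 2631        # Caixa Economica Federal
acl Safe_ports port 3001        # Carga Viral - algoritmo.aids.gov.br
acl Safe_ports port 3690
acl Safe_ports port 4500
acl Safe_ports port 4505
acl Safe_ports port 5000
acl Safe_ports port 5060
acl Safe_ports port 5222
acl Safe_ports port 5432
acl Safe_ports port 6505
acl Safe_ports port 6605
acl Safe_ports port 6991
acl Safe_ports port 7777-7778
acl Safe_ports port 8008
acl Safe_ports port 8080
acl Safe_ports port 8081
acl Safe_ports port 8083
acl Safe_ports port 8991
acl Safe_ports port 9090-9099
acl Safe_ports port 23000
acl Safe_ports port 30000-30999
acl Safe_ports port 32566
acl Safe_ports port 32570
acl Safe_ports port 50000-50999

# CONNECT tunnels are limited to port 443 by "http_access deny CONNECT !SSL_ports".
acl SSL_ports port 443
acl CONNECT method CONNECT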

# Cache-manager requests are accepted only from the loopback addresses and
# refused from everywhere else. These two rules sit above all other
# http_access lines, so they are evaluated first.
http_access allow manager localhost
http_access deny manager

# One ACL per destination port (or port range).
# NOTE(review): no access rule in this file refers to any pt* ACL, so they
# have no effect as posted. pt1863 and pt8999 name ports that are not active
# in the Safe_ports list (1863 is commented out there, 8999 is absent).
acl pt20 port 20
acl pt21 port 21
acl pt82 port 82
acl pt465 port 465
acl pt995 port 995
acl pt1863 port 1863
acl pt2631 port 2631
acl pt4500 port 4500
acl pt4505 port 4505
acl pt5000 port 5000
acl pt5060 port 5060
acl pt5432 port 5432
acl pt6505 port 6505
acl pt6605 port 6605
acl pt6991 port 6991
acl pt8008 port 8008
acl pt8080 port 8080
acl pt8083 port 8083
acl pt8991 port 8991
acl pt8999 port 8999
acl pt9090 port 9090-9099
acl pt23000 port 23000
acl pt30000 port 30000-30999
acl pt50000 port 50000-50999
acl pt5222 port 5222
acl pt32570 port 32570
acl pt32566 port 32566

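# Matches when one authenticated user is seen from more than 1 client IP
# address; -s makes the limit strict. The binding expires after
# authenticate_ip_ttl.
acl limit_user max_user_ip -s 1

# NOTE(review): urlpath_regex is matched against the URL path, which begins
# with "/", so a pattern anchored with ^[0-9] looks unable to match. No access
# rule in this file uses numeric_ips; confirm what it was meant to catch.
acl numeric_ips urlpath_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
acl skype_browser browser Skype

# Pattern lists read from files. Each definition is on one line here; the
# posted copy had the paths split by mail wrapping.
# NOTE(review): every request is compared against these regex lists in rule
# order, so the size of each file and whether its patterns are anchored affect
# both CPU cost and how precisely an allow list matches. The file contents are
# not shown in the message.
acl updates_sites url_regex -i "/etc/squid3/regras/updates_sites.txt"
acl noauth_sites url_regex -i "/etc/squid3/regras/noauth_sites.txt"
acl ok_sites url_regex -i "/etc/squid3/regras/ok_sites.txt"
acl biblioteca url_regex -i "/etc/squid3/regras/biblioteca.txt"
acl institucionais_sites url_regex -i "/etc/squid3/regras/institucionais_sites.txt"
acl bad_domains dstdom_regex -i "/etc/squid3/regras/bad_domains.txt"
# banned_sites and noblock_downloads were each defined twice in the posted
# copy with the same file; a repeated definition presumably adds the same
# patterns to the ACL a second time, so each is kept once.
acl banned_sites url_regex -i "/etc/squid3/regras/banned_sites.txt"
acl proxy_list url_regex -i "/etc/squid3/regras/proxy_list.txt"
acl porn_sites url_regex -i "/etc/squid3/regras/porn_sites.txt"
# NOTE(review): noporn_sites is defined but no access rule in this file uses it.
acl noporn_sites url_regex -i "/etc/squid3/regras/noporn_sites.txt"
acl block_downloads url_regex -i "/etc/squid3/regras/block_downloads.txt"
acl noblock_downloads url_regex -i "/etc/squid3/regras/noblock_downloads.txt"
# NOTE(review): req_mime_type looks at the Content-Type of the client's
# request, not of the server's reply. The type that matches reply content is
# rep_mime_type, used from http_reply_access; confirm which was intended for
# blocking streaming media.
acl block_streaming req_mime_type -i "/etc/squid3/regras/block_streaming.txt"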


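# Client subnets refused by "http_access deny seminternet".
# The two definitions whose address list had wrapped onto the following line
# in the posted copy are rejoined here; the subnets themselves are unchanged.
acl seminternet src 10.0.3.0/24 10.1.3.0/24 10.2.3.0/24 10.3.3.0/24
acl seminternet src 10.2.13.0/24 10.2.23.0/24
acl seminternet src 10.10.13.0/24
acl seminternet src 10.11.3.0/24 10.11.13.0/24 10.11.23.0/24
acl seminternet src 10.15.13.0/24
acl seminternet src 10.16.13.0/24
acl seminternet src 10.20.13.0/24 10.20.23.0/24
acl seminternet src 10.21.13.0/24 10.21.23.0/24
acl seminternet src 10.30.33.0/24 10.30.43.0/24
acl seminternet src 10.40.33.0/24 10.40.43.0/24 10.40.53.0/24
acl seminternet src 10.41.43.0/24
acl seminternet src 10.42.43.0/24
acl seminternet src 10.42.33.0/24
acl seminternet src 10.50.53.0/24
acl seminternet src 10.51.53.0/24
acl seminternet src 10.60.63.0/24
acl seminternet src 10.70.73.0/24
acl seminternet src 10.80.83.0/24
acl seminternet src 10.81.83.0/24 10.81.93.0/24
acl seminternet src 10.100.93.0/24 10.100.103.0/24
acl seminternet src 10.101.93.0/24 10.101.103.0/24
acl seminternet src 10.111.123.0/24
acl seminternet src 10.112.133.0/24
acl seminternet src 10.201.3.0/24
acl seminternet src 10.205.13.0/24
acl seminternet src 10.206.13.0/24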

# Destination (dst) ACLs for individual external servers, followed by three
# source (src) ACLs for internal hosts and subnets.
# NOTE(review): of everything defined in this group, only coordenacao is
# referenced by an access rule in this file; the dst ACLs, host2234 and
# recepcao have no effect as posted.
acl rede_cnpq0 dst 200.252.232.0/24

acl srv_siscel_0 dst 200.252.24.5

acl srv_siscel_1 dst 200.252.24.130
acl srv_aleph dst 200.145.5.15
acl srv_aleph dst 143.107.253.125
acl srv_aleph dst 143.54.1.5
acl srv_fenix dst 200.250.1.4
acl srv_nefro dst 200.222.47.215
acl srv_pato dst 201.63.1.10
acl srv_pato1 dst 189.56.21.66
acl srv_pato2 dst 200.188.208.235
acl srv_etha dst 200.100.101.5
acl srv_serpro dst 161.148.40.200
acl srv_cdc dst 198.246.96.5
acl srv_website_firjan dst 200.198.185.252
acl srv_website_ibict dst 200.130.0.7
acl srv_website_inep_sinaes dst 200.130.24.28
acl srv_website_assim dst 200.244.92.132

acl srv_website_archeslib dst 200.163.18.182
acl srv_ftp_oup dst 12.107.205.35
acl srv_ftp_egertongroup dst 216.179.118.162
acl srv_clinmaldb dst 143.107.45.149
acl srv_ftp_datasus dst 200.214.44.164
acl host2234 src 10.111.121.51
acl recepcao src 10.111.138.0/24 10.111.139.0/24
acl coordenacao src 10.201.1.0/24  10.200.1.0/24 10.204.1.0/24 10.42.41.53/32 10.42.31.86/32 10.51.51.67/32

# Main access policy. Squid evaluates http_access lines from top to bottom and
# the first line whose ACLs all match decides the request, so the order below
# is the policy.
http_access allow localhost
http_access deny proxy_list
# NOTE(review): url_regex allow lists match anywhere in the URL unless the
# patterns in the file are anchored; the files are not shown, so confirm that
# these allow rules cannot be satisfied by an unrelated URL.
http_access allow institucionais_sites
# NOTE(review): no ACL named Coord is defined in this file (the proxy_auth ACL
# is CoordCIR); presumably the name was shortened when the config was posted.
http_access allow Coord
http_access allow updates_sites

# NOTE(review): this allow and the three allows above it come before the
# Safe_ports and CONNECT checks, so requests they match are not limited to the
# Safe_ports list or to CONNECT on SSL_ports. The usual layout puts both deny
# rules first; confirm the exemption is intended.
http_access allow users_excecao
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# The proxy_auth ACL is declared as InetDeny; the name is written in lower case here.
http_access deny inetdeny

http_access allow Plantonistas
http_access allow noauth_sites
http_access deny banned_sites !ok_sites

# Clients in the seminternet subnets are refused from here on; the allow rules
# above this line still apply to them.
http_access deny seminternet

http_access deny skype_browser
# NOTE(review): the deny on the previous line already matches every request
# with a Skype user agent, so this allow cannot take effect unless it is moved
# above that deny.
http_access allow coordenacao skype_browser

# NOTE(review): block_streaming is a req_mime_type ACL, which tests the
# request's Content-Type. Used in http_reply_access it does not test the
# reply's media type; confirm whether rep_mime_type was intended.
http_access deny block_streaming
http_reply_access deny block_streaming

http_access allow exc_sites
http_access deny bad_domains
http_access allow Manutencao
http_access deny porn_sites
# Refuses a user seen from more than one IP, except for URLs in biblioteca.
http_access deny limit_user !biblioteca
# NOTE(review): no ACL named ManutencaoCIR is defined in this file (the
# proxy_auth ACL is Manutencao); confirm the name.
http_access allow ManutencaoCIR block_downloads
http_access allow Desenv block_downloads
http_access deny block_downloads !noblock_downloads
# Any remaining request is allowed only for an authenticated user.
http_access allow InetAccess
http_access deny all


# Replies not refused by the earlier "http_reply_access deny block_streaming"
# line are all permitted.
http_reply_access allow all

# NOTE(review): no ACL named REDEINT is defined in this file (the src ACL is
# REDEINTHU, 10.0.0.0/8); confirm the name. As written the intent appears to be
# that any internal host may send ICP queries.
icp_access allow REDEINT
icp_access deny all

# HTCP is refused for every peer.
htcp_access deny all

# Listen for client requests on one internal address only.
http_port 10.200.100.200:3128

# URLs containing these strings are fetched directly rather than through a peer cache.
hierarchy_stoplist cgi-bin ?

# Memory reserved for cached objects; the Squid process as a whole uses more
# than this. The thread describes a host with 4 GB of RAM.
cache_mem 1 GB

#memory_replacement_policy heap LRU
memory_replacement_policy heap GDSF

# cache_replacement_policy lru
cache_replacement_policy heap LRU

# On-disk cache: aufs store under /cache, 4096 MB, 16 first-level and 256
# second-level directories.
cache_dir aufs /cache 4096 16 256

maximum_object_size 300 MB

# NOTE(review): with proxy authentication enabled the access log records user
# names together with the URLs they request; restrict read access to
# /log_squid and keep the 30 rotated files only as long as policy requires.
access_log /log_squid/access.log common

cache_store_log none

logfile_rotate 30

emulate_httpd_log on

coredump_dir /var/spool/squid3

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

visible_hostname proxyserver

# ICP listener; which peers may query it is decided by the icp_access rules.
icp_port 3130

# check_hostnames off
check_hostnames on

# Single resolver; every name lookup made by the proxy depends on this host.
dns_nameservers 10.200.150.128

append_domain .meu_dominio

# Basic proxy authentication checked by the smb_auth helper, which is given a
# Windows domain name (-W) and a server address (-U).
# NOTE(review): the Basic scheme sends the user name and password with each
# request in a reversible encoding, and the http_port above is plain HTTP, so
# domain passwords cross the internal network readable by anyone able to
# capture that traffic. Squid also supports the ntlm and negotiate schemes,
# which do not send the password itself; confirm whether Basic is required.
auth_param basic program /usr/lib/squid3/smb_auth -W MEU_DOMINIO -U 10.200.100.128

# NOTE(review): 10 helper processes serve every authentication check not
# answered from the 30-minute credential cache; with the user count described
# in the thread, confirm in cache.log that the helpers are not all busy.
auth_param basic children 10
auth_param basic realm Nome_da_empresa
auth_param basic credentialsttl 30 minutes
auth_param basic casesensitive on



Muito obrigado pelo retorno

Moksha































Em 10 de agosto de 2012 16:40, Adiel de Lima Ribeiro <adiel.netadmin@gmail.com> escreveu:
Boa tarde, tem como enviar-nos seu squid.conf ?



On Fri, 2012-08-10 at 16:30 -0300, Moksha Tux wrote:
Boa tarde pessoal!

Estou há muitos meses às voltas com o proxy daqui do meu trabalho, já faz
um bom tempo que a CPU do servidor trabalha quase o expediente inteiro de
trabalho oscilando entre 70 a 100%, a rede daqui do trabalho é segmentada
por VLANs e temos por volta de 2500 usuários e mais de 2200 hosts e a
configuração do hardware é robusta (Servidor IBM X3650 CPU Intel Xeon de 8
núcleos e 4 GB de RAM e armazenamento de 1.3 TB sendo 6 discos SAS 15 krpm
em RAID 5), já fiz muitos testes a saber... regra de firewall barrando uma
VLAN por vez para analisar o desempenho e fluxo de conexão, levantei o
proxy em outro hardware, fiz partições separadas do cache, log e em
reiserfs e nada disso está adiantando, alguém poderia me ajudar? Será que
seria a versão deste squid do Debian squeeze apresentando bug? A minha rede
é Gigabit o que também não justificaria tal desempenho. O que mais devo
fazer? Obrigado a todos pela atenção! Abraços,

Moksha

-- 
Adiel de Lima Ribeiro
facebook.com/sembr.dyndns.info

