
Почему HTTPS прокси Squid'a такое медленное?


Почему HTTPS прокси Squid'a такое медленное? Вот его конфиг

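# /etc/squid/squid.conf
#
# Forward proxy on 3128 plus transparent interception of LAN port 80 (3130)
# and port 443 (3129, ssl-bump); the iptables REDIRECT rules send the
# traffic here.
http_port 10.42.0.1:3128
http_port 10.42.0.1:3130 intercept
#https_port 10.42.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
# generate-host-certificates=on mints a per-site certificate signed by
# myca.pem for every bumped host. This build (see `squid -v`) was configured
# with --enable-ssl but without --enable-ssl-crtd, so no sslcrtd_program
# helper is available and the generation presumably runs inside the main
# Squid process — a plausible contributor to slow HTTPS; a build with
# ssl_crtd offloads it to helper processes.
https_port 10.42.0.1:3129 intercept ssl-bump \
   generate-host-certificates=on \
   dynamic_cert_mem_cache_size=8MB \
   key=/etc/squid/ssl/myca.pem \
   cert=/etc/squid/ssl/myca.pem

acl Authenticated_IPs src 10.42.0.0/24
http_access deny !Authenticated_IPs
# ssl
# No ssl_bump rule is defined. Squid's documented default when no ssl_bump
# rule matches is to tunnel the intercepted TLS connection without
# decrypting it; if bumping is actually intended, explicit ssl_bump rules
# (peek/bump) are required.
# ssl_bump allow all
#
# Upstream certificate verification. Every bumped site is re-signed with
# myca.pem, which the clients trust unconditionally, so this proxy is the
# only place where the real server identity is still checked. Accepting all
# certificate errors and disabling peer/domain verification would let any
# host on the upstream path impersonate any HTTPS site to every client;
# keep verification on and reject errors instead. If the OpenSSL default CA
# store is not picked up, point sslproxy_cafile at the system CA bundle.
sslproxy_cert_error deny all
# sslproxy_flags DONT_VERIFY_PEER
# sslproxy_flags DONT_VERIFY_DOMAIN,DONT_VERIFY_PEER   # disabled: see above
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
# always_direct allow all

# include /etc/squid/dynamic.conf
# NOTE(review): the included file lives in a user's home directory. Whoever
# can write it controls the proxy's parents and peer access rules, so it
# should be root-owned and not writable by the unprivileged account — or
# moved back under /etc/squid.
include /home/whtspce/bin/dynamic.conf

# Disable direct traffic through this server (allows only through parent proxy).
# If the included file matches the dynamic.conf shown below, its
# cache_peer_access rules admit only two client addresses to the parents;
# any other Authenticated_IPs client then has neither a parent nor a direct
# route, and Squid cannot forward its requests at all.
never_direct allow all

# Don't cache negative (e.g. 404) responses for long
negative_ttl 5 minutes
positive_dns_ttl 15 hours
negative_dns_ttl 1 second

# Resolver used by Squid. This is Google's public DNS, not a local cache;
# the ipcache_size below is Squid's own in-process DNS cache.
dns_nameservers 8.8.8.8

dns_v4_first on
ipcache_size 4096

cache_mem 512 Mb

#memory_pools off

maximum_object_size_in_memory 1 MB

# Shutdown delay before terminating connections
shutdown_lifetime 15 second

maximum_object_size 8 Gb

# 250000 MB of disk cache under /tmp: where /tmp is tmpfs or cleared at
# boot the cache is lost (or competes with RAM). A persistent path such as
# the build's --with-swapdir=/var/spool/squid is presumably what is meant.
cache_dir aufs /tmp/cache 250000 16 256

acl SSL_ports port 443
acl SSL_ports port 8443        # Telecom exclusion
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http

# Common methods
acl CONNECT method CONNECT
acl PURGE method PURGE
acl GET method GET

# Deny requests to unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
# Make the final decision explicit. Without a terminal rule Squid applies the
# opposite of the last http_access line (here: allow), so the effective
# policy depended on rule order. Same result, stated directly.
http_access allow Authenticated_IPs
http_access deny all

tcp_outgoing_address 0.0.0.0 all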

# /etc/squid/dynamic.conf
#
# Per-client parent proxies: each LAN host below is pinned to its own
# upstream parent, and that parent refuses every other client.
# cache_peer_access lists are evaluated top-down, first match wins, so the
# "allow <client>" line must stay above the "deny all" line.

# Host 10.42.0.140 -> parent proxy1 (port 4594)
acl client_140 src 10.42.0.140
cache_peer xxx.xxx.xxx.xxx parent 4594 0 no-query proxy-only name=proxy1
cache_peer_access proxy1 allow client_140
cache_peer_access proxy1 deny all

# Host 10.42.0.133 -> parent proxy2 (port 4138)
acl client_133 src 10.42.0.133
cache_peer xxx.xxx.xxx.xxx parent 4138 0 no-query proxy-only name=proxy2
cache_peer_access proxy2 allow client_133
cache_peer_access proxy2 deny all

Может, в самом squid'е чего-то не хватает?
Squid Cache: Version 3.5.12
Service Name: squid
Ubuntu linux
configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' 'BUILDCXXFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--libexecdir=/usr/lib/squid' '--mandir=/usr/share/man' '--enable-inline' '--disable-arch-native' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake,smb_lm' '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group' '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-translation' '--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-ssl' '--with-open-ssl=/usr/lib/ssl/openssl.cnf' '--enable-build-info=Ubuntu linux' '--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wall' 'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security'

Правила iptables вот

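# Redirect intercepted LAN traffic arriving on the Wi-Fi interface to Squid's
# intercept ports: 3130 for plain HTTP, 3129 for the ssl-bump https_port.
# REDIRECT is a nat-table target and PREROUTING exists only there; as
# originally written (without `-t nat`) iptables would look in the filter
# table, which has no PREROUTING chain, and reject the rule.
iptables -t nat -A PREROUTING -i wlxbc968010f908 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3130
iptables -t nat -A PREROUTING -i wlxbc968010f908 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129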

С HTTP-соединением всё в порядке, работает быстро, а вот с HTTPS — нет. В чём дело?


Ответ на: комментарий от Ixet

Способ ограничивать скорость клиента/групп клиентов. В squid'е в https оно безбожно тормозит, и, по крайней мере, в последних версиях это ещё не было решено. Вместо этого они давали советы регулировать скорость на уровне ядра (tc).

anonymous ()