[squid-users] Slow performance when using transparent proxy

From: Brian Schonecker <[email protected]>
Date: Fri, 09 Dec 2005 12:32:00 -0500

We had a power outage a couple of days ago and ever since my transparent proxying is working very slowly.

When I enter the proxy manually in my browser, I get nice and fast speed. When I remove the proxy info and go directly through my firewall without the proxy forced I get good speed. However, when I insert the following iptables line into my firewall (which is ALSO my proxy) stuff slows down considerably.

Misc information: I am running my own DNS server and DNS queries on the server are nice and quick. The DNS, Firewall and Squid are the same server.
I've got the squid OK'd in my /etc/sysconfig/SuSEfirewall2 script with the PREROUTING information in /etc/sysconfig/SuSEfirewall2-custom. I've got an iPrism web traffic filter in between me and the squid proxy. I've turned that OFF and I get the same behavior.

Again, all this worked BEFORE a power outage and the server came back up. As soon as I remove the PREROUTING line from my firewall everything is nice and fast.

Also, should my firewall be DROPping packets on my internal interface? SuSEfirewall2 put that stuff in automatically.

I've reproduced this on a separate server with the same squid.conf and iptables setup and I have the same slowness.

Here's my IPTABLES stuff:

# iptables-save | grep 8080
-A input_int -p tcp -m tcp --dport 8080 --tcp-flags SYN,RST,ACK SYN -j DROP
-A input_int -p udp -m udp --dport 8080 -m state --state NEW -j DROP
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080

# /usr/sbin/squid -v
Squid Cache: Version 2.5.STABLE5
configure options: '--prefix=/usr' '--sysconfdir=/etc/squid' '--bindir=/usr/sbin' '--sbindir=/usr/sbin' '--localstatedir=/var' '--libexecdir=/usr/sbin' '--datadir=/usr/share/squid' '--with-dl' '--enable-snmp' '--enable-carp' '--enable-useragent-log' '--enable-auth=basic digest ntlm' '--enable-basic-auth-helpers=LDAP MSNT NCSA PAM SMB YP getpwnam multi-domain-NTLM' '--enable-ntlm-auth-helpers=SMB no_check' '--enable-digest-auth-helpers=password' '--enable-external-acl-helpers=ip_user ldap_group unix_group wbinfo_group' '--enable-ntlm-fail-open' '--enable-referer-log' '--enable-arp-acl' '--enable-htcp' '--enable-underscores' '--enable-stacktraces' '--enable-delay-pools' '--enable-ssl' '--enable-cache-digests' '--enable-poll' '--enable-storeio=aufs,ufs,diskd,null' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--with-samba-sources=/usr/include/samba' '--enable-x-accelerator-vary'

# uname -a
Linux opportunity 2.6.5-7.201-smp #1 SMP Thu Aug 25 06:20:45 UTC 2005 i686 i686 i386 GNU/Linux
opportunity:~ #

opportunity:~ # iptables -v
iptables v1.2.9:

cat /etc/resolv.conf

nameserver 127.0.0.1
search xtek.com

Here's my squid.conf:

http_port 192.168.202.254:8080
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
maximum_object_size 60240 KB
cache_dir ufs /usr/local/squid 1000 16 256
mime_table /usr/share/squid/mime.conf
log_fqdn on
acl all src 0.0.0.0/0.0.0.0
acl xtek src 192.168.202.0/24
acl upstairs src 192.168.206.0/24
acl wireless src 192.168.207.0/255.255.255.0
acl unknown src 192.168.209.0/255.255.255.0
acl shop src 192.168.203.0/255.255.255.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl BLOCK url_regex "/usr/local/squid/block.acl"
acl mimeblock1 rep_mime_type ^application/smil$
acl mimeblock1 rep_mime_type ^application/vnd.ms.wms-hdr.asfv1$
acl mimeblock1 rep_mime_type ^audio/x-pn-realaudio$
http_access deny BLOCK
http_reply_access deny mimeblock1
http_access allow xtek
http_access allow wireless
http_access allow unknown
http_access allow shop
http_access allow upstairs
http_access allow localhost
http_access deny all
icp_access allow all
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

Thanks, Brian
Received on Fri Dec 09 2005 - 10:32:19 MST
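The post pairs a nat PREROUTING REDIRECT to port 8080 with filter rules in `input_int` that DROP traffic to that same port, which is the kind of mismatch worth checking mechanically before chasing DNS or Squid settings. The script below is an added example, not part of the original message or of SuSEfirewall2/Squid: it lints an `iptables-save` dump for REDIRECT target ports and reports the verdict of the first filter rule that matches TCP traffic to each one, then offers a `curl` timing helper to compare the explicit-proxy path with the transparent one. The embedded sample is the three-line `grep 8080` excerpt from the post; an ACCEPT rule that does not mention 8080 literally (for example a multiport match) would not appear in such a grep, and the lint takes rules in file order rather than following chain jumps, so treat its output as a prompt to read the full chain, not a verdict. Function names and the sample sets are assumptions made for this example.

```shell
#!/bin/sh
# Added example (hypothetical helper names): check that what PREROUTING
# redirects is not dropped on the way into the local Squid port.

# Constructed sample: the three rules shown by `iptables-save | grep 8080` in the post.
SAMPLE_RULES='-A input_int -p tcp -m tcp --dport 8080 --tcp-flags SYN,RST,ACK SYN -j DROP
-A input_int -p udp -m udp --dport 8080 -m state --state NEW -j DROP
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080'

# Print each TCP port that a PREROUTING REDIRECT rule sends traffic to.
redirect_ports() {
    printf '%s\n' "$1" | awk '
        /-A PREROUTING/ && /-j REDIRECT/ {
            for (i = 1; i <= NF; i++) if ($i == "--to-ports") print $(i + 1)
        }' | sort -u
}

# Print the verdict (ACCEPT, DROP, REJECT, ...) of the first non-nat rule that
# matches TCP traffic to the given port, or NONE if no explicit rule matches.
# Simplification: rules are taken in dump order, chain jumps are not followed.
first_tcp_verdict() {
    printf '%s\n' "$1" | awk -v port="$2" '
        /-A / && !/-A PREROUTING/ && !/-A POSTROUTING/ && /-p tcp/ \
            && $0 ~ ("--dport " port "( |$)") {
            for (i = 1; i <= NF; i++) if ($i == "-j") { found = 1; print $(i + 1); exit }
        }
        END { if (!found) print "NONE" }'
}

# Report one line per redirect target; return 1 if any target is not accepted.
lint_redirect() {
    rules=$1
    status=0
    for p in $(redirect_ports "$rules"); do
        v=$(first_tcp_verdict "$rules" "$p")
        case $v in
            ACCEPT) echo "port $p: redirected traffic is accepted" ;;
            NONE)   echo "port $p: no explicit rule, chain policy decides" ;;
            *)      echo "port $p: first matching rule is $v, redirected SYNs may be dropped"
                    status=1 ;;
        esac
    done
    return $status
}

# Compare connect, first-byte and total time for one URL via the explicit proxy
# (-x host:port) and via the transparent path (no -x). Needs network; not part
# of the offline check above.
time_paths() {
    url=$1
    proxy=$2
    fmt='connect=%{time_connect}s firstbyte=%{time_starttransfer}s total=%{time_total}s\n'
    echo "explicit proxy:"
    curl -s -o /dev/null -x "$proxy" -w "$fmt" "$url"
    echo "transparent:"
    curl -s -o /dev/null -w "$fmt" "$url"
}

if lint_redirect "$SAMPLE_RULES"; then
    echo "no conflict found in sample"
else
    echo "conflict found in sample"
fi
```

Run it as is to lint the embedded sample, or feed a live dump with `lint_redirect "$(iptables-save)"`; `time_paths http://example.invalid/ 192.168.202.254:8080` then shows whether the slowdown sits in the TCP connect or in the time to first byte, which separates a redirect or firewall problem from a lookup Squid performs per request.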
