Lentidão no SQUID

Mauriciosgollo
(usa Outra)

Enviado em 31/10/2017 - 09:29h

Bom dia, acho que cheguei no meu limite gostaria da ajuda de vcs, tenho um servidor rodando squid com iptables a 5 anos sem problemas, mas na semana passada por problemas de hardware tivemos que reinstalar tudo, até ai sem problemas, aproveitamos e atualizamos as versões do squid para a 3.5.26, ai começou a peregrinação.
Vou explicar o cenário:
Uso squid com autenticação NTLM, sempre usei.
Depois de reinstalado os navegadores ficam com a mensagem "esperando pelo tunel de proxy" muitas vezes até dar timeout.
Percebi que isso acontece nos sites https.
Ja desativei a autenticação NTLM, criei acls por IP para todo passar direto e nada, ja deixei a conf do squid a mais limpa possivel e nada.

Se alguém puder dar uma luz, agradeço.
Abaixo meu squid .conf

#	WELCOME TO SQUID 3.5.26 STABLE5

#	----------------------------



# NETWORK OPTIONS

# -----------------------------------------------------------------------------



http_port 3128



# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM

# -----------------------------------------------------------------------------





acl QUERY urlpath_regex cgi-bin \?

no_cache deny QUERY

acl apache rep_header Server ^Apache

# broken_vary_encoding allow apache





# OPTIONS WHICH AFFECT THE CACHE SIZE

# -----------------------------------------------------------------------------



cache_mem 4096 MB

cache_swap_low 90

cache_swap_high 95

maximum_object_size 900 MB

minimum_object_size 0 KB

maximum_object_size_in_memory 8 MB



# LOGFILE PATHNAMES AND CACHE DIRECTORIES

# -----------------------------------------------------------------------------



cache_dir ufs /Storage/cache 20000 16 256 

access_log /Storage/logs/access.log

cache_log /Storage/logs/cache.log

cache_store_log /Storage/logs/store.log

pid_filename /Storage/logs/squid.pid

client_netmask 255.255.255.0

#dns_nameservers 8.8.8.8







# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS

# -----------------------------------------------------------------------------



ftp_user Squid@XXXXX

ftp_passive on

ftp_sanitycheck on

check_hostnames on

hosts_file /etc/hosts

diskd_program /usr/libexec/diskd-daemon







#	This is used to define parameters for the various authentication





#auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=FUSAO

#auth_param ntlm children 20

#auth_param ntlm keep_alive off

#auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --domain=FUSAO

#auth_param basic children 5

#auth_param basic realm Squid proxy-caching web server

#auth_param basic credentialsttl 2 hours

#auth_param basic casesensitive off













# OPTIONS FOR TUNING THE CACHE

# -----------------------------------------------------------------------------



refresh_pattern ^ftp:		1440	20%	10080

refresh_pattern ^gopher:	1440	0%	1440

refresh_pattern .		0	20%	4320







# ACCESS CONTROLS

# -----------------------------------------------------------------------------

#acl manager proto cache_object

#acl localhost src 127.0.0.1/32

acl SSL_ports port 443 563 5222 1863

acl Safe_ports port 81		# http

acl Safe_ports port 80		# http

acl Safe_ports port 21		# ftp

acl Safe_ports port 443		# https

acl Safe_ports port 70		# gopher

acl Safe_ports port 210		# wais

acl Safe_ports port 1025-65535	# unregistered ports

acl Safe_ports port 280		# http-mgmt

acl Safe_ports port 488		# gss-http

acl Safe_ports port 591		# filemaker

acl Safe_ports port 300		# senebavi

acl Safe_ports port 777		# multiling http

acl Safe_ports port 809		# multiling http

acl CONNECT method CONNECT





#http_access allow localhost manager

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports









# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS



acl dominios_liberados dstdomain "/etc/squid/dominios_liberados"

always_direct allow dominios_liberados



acl LISTABRANCA url_regex -i "/etc/squid/listabranca"



acl LISTANEGRA url_regex -i "/etc/squid/listanegra"



acl SERVIDOR src 192.168.100.0/24













#external_acl_type NT_global_group %LOGIN /usr/libexec/ext_wbinfo_group_acl

#acl auth_users proxy_auth REQUIRED



#acl FUSAO external NT_global_group senha ADM Atendimento Diretoria expedicao Comercial marcenariagr RHgr Serralheria 3d





acl DMZ src "/etc/squid/DMZ"









# ACL LIBERACAO 



#http_access allow dominios_liberados

http_access allow LISTABRANCA CONNECT LISTABRANCA

http_access deny LISTANEGRA !DMZ

http_access allow SERVIDOR

http_access allow DMZ

#http_access allow FUSAO

#http_access deny auth_users

http_access deny all





http_reply_access allow all

icp_access allow all 





# ADMINISTRATIVE PARAMETERS

# -----------------------------------------------------------------------------



cache_effective_user nobody

#cache_effective_group nogroup



visible_hostname Proxy





# MISCELLANEOUS

# -----------------------------------------------------------------------------



error_directory /usr/share/squid/errors/pt-br

coredump_dir /Storage/cache

cache deny dominios_liberados LISTABRANCA