> Hi folks,
> I have a little bandwidth problem. My customer's network is simple like
> this: internet ---> squid 2.6 StabLe 5 (transparent mode) ----> lan
> 172.16.0.0/16
Please upgrade to stable 17. There are a lot of speed improvements and
some big security holes fixed.
>
> Now, the problem is that when I redirect the 80 port to 8080 (squid) all
> the clients' connection slow down (from 250 Kbyte/s to 20/30 kbyte/s),
> and when I disable the iptables rule all returns fast.
>
> How can I solve this?
>
> Squid.conf
>
> http_port 8080 transparent
> icp_port 0
> htcp_port 0
> cache_access_log /var/log/squid/access.log
UPDATE TO: access_log /var/log/squid/access.log
> cache_log /var/log/squid/cache.log
> cache_store_log /var/log/squid/store.log
TRY: cache_store_log none
> emulate_httpd_log on
> mime_table /etc/squid/mime.conf
> pid_filename /var/run/squid.pid
> dns_nameservers 213.140.2.12 208.67.222.222 193.205.245.66
These are better set at the OS level. Squid can retrieve them from there
if configured properly. If you are jailing squid, don't worry.
> acl all src 0.0.0.0/0.0.0.0
> http_access allow all
Ouch!
USE:
acl localnet src 172.16.0.0/16
http_access allow localnet
http_access deny all
>
> iptables rules
>
> $IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -s 172.16.0.0/16 -j REDIRECT --to-port 8080
> $IPTABLES -t nat -A POSTROUTING -s 172.16.0.0/16 -j SNAT --to-source 192.168.1.2
That might be a large part of the problem...
The REDIRECT for transparent is okay. I'm not sure why you mention SNAT,
it is not needed.
What is needed (I have this working perfectly here) is:
# bypass the proxy outbound on 80...
$IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -s $PROXY_IP -j RETURN
# push everything else through squid...
$IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -s 172.16.0.0/16 -j REDIRECT --to-port 8080
With the usual MASQUERADE in POSTROUTING.
Amos
Received on Tue Dec 11 2007 - 18:38:52 MST