Https sites getting very slow


(Veeramani P) #1

NethServer Version: NethServer release 7.4.1708 (Final)
Module: your_module

Hi,
I have been using the NS firewall with proxy for the past month. We enabled the web content filter and blocked some websites. When we open HTTPS sites, they take a long time to open in the browser. I tried two different browsers, but the problem is the same.

Kindly provide the exact solution.


(Markus Neuberger) #2

Hi @veeramani,

do you use transparent, manual or authenticated proxy?
Which blacklist do you use?
Do you have an example https page that is slow?
Are there errors in the logfiles /var/log/messages or /var/log/squid/access.log ?


(Veeramani P) #3

Hi,

We are using authentication mode in the proxy, and the proxy is joined to the domain controller. We created custom categories and blocked Facebook and YouTube for a particular user group.

The log files are too long to open.


(Veeramani P) #4

Here I attach /var/log/messages


(Veeramani P) #6

Secure site getting error


(Markus Neuberger) #7

Is your hardware strong enough? Maybe wrong credentials? Which clients (browsers) connect to your NethServer and how did you set up their proxy? You may try using IP or FQDN in the proxy settings on the clients.

https://wiki.squid-cache.org/KnowledgeBase/TooManyQueued

I can see you use suricata; it uses much RAM and may interfere, so you may try disabling it.

I saw many SSH connection attempts; you may use fail2ban to block them.


(Veeramani P) #8

Hi,

The proxy server setting in the browser uses the FQDN only. We created a group in the domain controller and added some users to that group; the proxy uses the system login credentials for that group's user login.

Also, we are not enabling suricata.

When I use the IP address in the proxy settings, the browser (Chrome) shows the login prompt again and again after we enter the login credentials.
I don’t know how to solve this problem.


(Markus Neuberger) #9

Did you try with Firefox (other proxy implementation)? Does it work if you deactivate the web content filter? Does it work with manual proxy?

OK, just use FQDN (sorry, no English Windows available at the moment).



(Veeramani P) #10

In Firefox the proxy works normally, and with manual proxy it works with no problem; the only problem is in authentication mode. Our senior manager needs authentication mode only, because of blocking some websites.

I disabled antivirus on the proxy server and also used Google domains in the whitelist and in domains without proxy, but I didn’t see any difference.



(Markus Neuberger) #11

Which domain controller do you use? I tried with NethServer as DC but could not reproduce it.


(Veeramani P) #12

We use Zentyal 4.2 Primary Domain Controller


(Veeramani P) #13

Hi,

Any suggestions regarding the slow internet issue in the proxy?
I need help to solve this issue.

Can anyone help me?


(Markus Neuberger) #14

Sorry for the late answer.
Could you post the part of /var/log/squid/access.log when a slow https site appears?


(Veeramani P) #15

access.log is too long to open. I already attached message.log in a previous post.


(Markus Neuberger) #16

Are you trying to open it with notepad? You have a log viewer in web UI.

http://docs.nethserver.org/en/v7/base_system.html#log-viewer

Is NethServer your DHCP server? Which DNS servers do your clients use?


(Veeramani P) #17

We tried to open the log viewer in the web UI, but it just keeps loading.

Yes, NethServer is the DHCP server; DHCP is enabled in the Green zone (local LAN), and we use one of our ISP's DNS servers and our domain controller as another DNS server.


(Markus Neuberger) #18

It seems like you are not using proxy authentication mode. Usually you should see the usernames in the access log.
Another point is that you have one internal and one external DNS for your clients. This means that they may give back different results. Your internal DNS knows your domain, the external doesn’t. You may try to use just the internal DNS of your domain controller.
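
An added example, not part of any post in this thread: since the access log was too large to open, this Python sketch reads it line by line and summarises, per client, how many HTTPS (CONNECT) requests got a 407 authentication challenge and which usernames Squid recorded. It assumes Squid's default native log format; the sample lines and the function names `parse_line` and `summarize_connects` are constructed for illustration.

```python
import sys

# Constructed sample lines in Squid's default "native" access.log format:
# time elapsed_ms client code/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1514887200.101     12 192.168.1.50 TCP_DENIED/407 4120 CONNECT www.example.com:443 - HIER_NONE/- text/html
1514887200.350     15 192.168.1.50 TCP_DENIED/407 4380 CONNECT www.example.com:443 - HIER_NONE/- text/html
1514887245.900  45210 192.168.1.50 TCP_TUNNEL/200 5120 CONNECT www.example.com:443 jdoe HIER_DIRECT/198.51.100.7 -
1514887246.020    180 192.168.1.51 TCP_MISS/200 2048 GET http://intranet.example.org/ asmith HIER_DIRECT/10.0.0.5 text/html
1514887250.400    950 192.168.1.51 TCP_TUNNEL/200 8800 CONNECT mail.example.net:443 asmith HIER_DIRECT/203.0.113.10 -
"""

def parse_line(line):
    """Return the fields of one native-format line, or None if malformed."""
    f = line.split()
    try:
        code, _, status = f[3].partition("/")
        return {"elapsed_ms": int(f[1]), "client": f[2], "code": code,
                "status": status, "method": f[5], "url": f[6],
                "user": None if f[7] == "-" else f[7]}
    except (IndexError, ValueError):
        return None

def summarize_connects(lines):
    """Per-client view of HTTPS (CONNECT) requests, read line by line."""
    stats = {}
    for line in lines:
        e = parse_line(line)
        if e is None or e["method"] != "CONNECT":
            continue
        s = stats.setdefault(e["client"], {"challenges_407": 0,
            "authenticated": 0, "users": set(), "longest_tunnel_ms": 0})
        if e["status"] == "407":      # proxy asked the browser to authenticate
            s["challenges_407"] += 1
        if e["user"]:                 # username column filled: user identified
            s["authenticated"] += 1
            s["users"].add(e["user"])
        if e["status"] == "200":
            # For CONNECT, elapsed is the tunnel lifetime, not page load time.
            s["longest_tunnel_ms"] = max(s["longest_tunnel_ms"], e["elapsed_ms"])
    return stats

if __name__ == "__main__":
    # Pass the log path as an argument, or run without one for the sample.
    source = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for client, s in sorted(summarize_connects(source).items()):
        print(client, s["challenges_407"], s["authenticated"],
              ",".join(sorted(s["users"])) or "-", s["longest_tunnel_ms"])
```

A client with many 407 challenges and no username in the output never completed proxy authentication; a client with usernames present is being recognised by the proxy.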


(Veeramani P) #19

There is a username in access.log; you can recheck. Once we log in to our system, the login credentials are taken as proxy authentication, because we joined the domain controller.


(Markus Neuberger) #20

You are right, users are recognized. I’ll try to reproduce your scenario…give me some time…


(Veeramani P) #21

OK, thanks for your immediate response. It's a major issue on our side, so kindly provide the solution.