Slow web proxy operation

Done. The only error I get in the cache.log is

2017/10/24 08:49:14 kid1| optional ICAP service is down after an options fetch failure: icap://127.0.0.1:1344/squidclamav [down,!opt]

This is the web antivirus service, another option that could slow down web browsing. I’d disable it, to rule out most of the variables.

Every time I reenable the filter

2017-10-24 08:52:56 [4090] ERROR: cannot connect to UNIX socket /tmp/ufdbguardd-03977
2017-10-24 08:52:56 [4090] ufdbgclient 1.33.4 started
2017-10-24 08:52:56 [4090] cannot connect to ufdbguardd daemon - is it running? If yes, check the -p option.

But the filter works, it blocks sites like it's supposed to, it just spams this error about 100 times a day.

Let’s check the ufdb service with systemctl status ufdb. Here’s my firewall:

[root@nsec-primary ~]# systemctl status ufdb
● ufdb.service - LSB: ufdbguardd daemons from URLfilterDB
   Loaded: loaded (/etc/rc.d/init.d/ufdb; bad; vendor preset: disabled)
   Active: active (running) since Tue 2017-10-17 14:29:20 CEST; 1 weeks 0 days ago
     Docs: man:systemd-sysv-generator(8)
   CGroup: /system.slice/ufdb.service
           └─6519 /usr/sbin/ufdbguardd -U ufdb -c /etc/ufdbguard/ufdbGuard.conf

Oct 17 14:29:19 nsec-primary.nethesis.it systemd[1]: Starting LSB: ufdbguardd daemons from URLfilterDB...
Oct 17 14:29:20 nsec-primary.nethesis.it ufdb[6515]: Starting URLfilterDB daemons OK
Oct 17 14:29:20 nsec-primary.nethesis.it systemd[1]: Started LSB: ufdbguardd daemons from URLfilterDB.

Could you please try to restart it and check status again?

Weird, so I start it, service starts fine, no log is created under /var/log/squid. I stopped and started it a couple times no issues

[root@gateway ~]# systemctl status ufdb -l
● ufdb.service - LSB: ufdbguardd daemons from URLfilterDB
   Loaded: loaded (/etc/rc.d/init.d/ufdb; bad; vendor preset: disabled)
   Active: active (running) since Tue 2017-10-24 09:31:22 EDT; 59s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 8217 ExecStart=/etc/rc.d/init.d/ufdb start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/ufdb.service
           ├─1017 /usr/sbin/ufdbguardd -U ufdb -c /etc/ufdbguard/ufdbGuard.conf
           └─8221 /usr/sbin/ufdbguardd -U ufdb -c /etc/ufdbguard/ufdbGuard.conf

Edit: Neth ui still shows filter off but I assume manually starting a service doesn’t trigger that.

How to solve the SSL proxy problem?

Still working on it. It's actually working very well for me after the 1708 stable nethserver update, for what it's worth, besides the filter errors in the log. Have you updated yet to stable 1708?

@Jclendineng

Do you have problems with the operation of the proxy in transparent mode with SSL?

I have been trying to reproduce your error for days but with no success until now. I am trying it alongside testing other things, but the transparent SSL proxy still just works.

Please give me some information:

Which browsers do you use on which OS?
Does Nethserver do all server tasks in your network or do you have a router or another server doing DNS, DHCP or firewalling etc.?
What proxy config do you have? Do you block HTTP/HTTPS ports?
Do you use content filter or dpi?
Sorry but to reproduce it I need the scenario…

Summary of what I know, please correct me if something's wrong:

  • minimum of 20 seconds delay when browsing via proxy
  • no antivirus and no cache used
  • it seems to be the transparent SSL mode, as it works without SSL
  • 7.4 release does not solve it
  • IPv4 patch not working

Did you try this, as it will show us where the error is located:

Yes I am using transparent with ssl, caching enabled but I drastically increased max file size and cache size because of some failing downloads, which I am not sure are a proxy issue but it did not hurt anything. Can I ask what sites are giving you issues? You haven’t posted any of the logs either, please post, they may help. Locations are in a previous post :smile:

Browsers: Google Chrome, Opera, Firefox
Windows 10
Windows 2016 DHCP, DNS
Nethserver proxy
Ports are not blocked.
Content filter and DPI are not used.
On a computer where proxy bypass is enabled, there are no access problems.
If the proxy is disabled, there are no problems on any computer.
If transparent mode without SSL is enabled, there are no problems on any computer.
If transparent mode with SSL is enabled, there is a delay of about 20 seconds; on computers that are set to bypass the proxy there are no problems.

Is it possible in NS to reset all settings to defaults (like a clean install)? Or should I try a new installation?

@Valeriy Can you translate it to English please? Tried it with Google translation, but this does not work very well.

Haha language challenge!
I translated the post of @Valeriy to English with Google:

Yes, with backup/restore procedure AFAIK. You may make a full backup and then setup a new Nethserver and start with disaster recovery:

http://docs.nethserver.org/en/v7/backup.html
http://docs.nethserver.org/en/v7/backup.html#disaster-recovery

I would test proxy before recovery, if there are config problems you get them back with recovery.

I meant reset to the original settings like in windows 10.

Sorry, that way it is not possible AFAIK.

I have one issue with the IPS module… I have solved it by disabling the “INFO” block.

I conducted the experiment. Installed the virtualbox and installed NethServer 7.4.1708 Final. The Web proxy with the SSL is working fine.

So I think there is a configuration error or perhaps a hardware error at your production server.
Could you do a snapshot in VirtualBox and after that try to recover your backup on the VirtualBox image?
