Transparent HTTPS proxy

v7-rc3

(Filippo Carletti) #21

I can’t reproduce the problem.
Relevant lines in my messages log file:

Nov 30 10:25:04 ns7rc2 esmith::event[17059]: ufdb.service is not a native service, redirecting to /sbin/chkconfig.
Nov 30 10:25:04 ns7rc2 esmith::event[17059]: Executing /sbin/chkconfig ufdb on

(kai) #22

At my side, in the messages log file, is written:
sbs esmith::event[21204]: [INFO] ufdb is disabled: skipped
sbs esmith::event[21204]: [INFO]

and

esmith::event[21252]: ufdb.service is not a native service, redirecting to /sbin/chkconfig.
Dec 1 09:50:27 sbs esmith::event[21252]: Executing /sbin/chkconfig ufdb off


(Filippo Carletti) #23

Could you please try to disable and then enable again the web filter? Then look for similar lines in the logs.


(kai) #24

That works, now I have also an activated in the services :slight_smile:


(Filippo Carletti) #25

Thanks. So, it seems that ufdb was not activated on install.
I could ship the package with a default status of enabled, as a workaround.
Any experienced @dev_team opinion on this?


(kai) #26

Guess this is a good idea, because everyone who has a former configuration would have this kind of problem.


(Filippo Carletti) #27

Ok, I think I understand now: you’ve updated an existing system where the old filter was enabled. Right?


(kai) #28

exactly


(Ralf Jeckel) #29

I found block entries in log, but does this mean they are blocked?

I found 172.217.20.238 and 216.58.214.195 which are google, 5.9.151.58 which is moodle, 52.222.150.185 which is cloudfront.
I’ve only 2 domains in blacklist for testing purposes.
I’ve disabled all filters, only this is enabled:

So only access through IP and those two blacklisted domains should be blocked. On the other hand everything seemed to work correctly. I had no blocked site, but I don’t know what was blocked at moodle or so.

ASAP I’ll do some more tests.


(Giacomo Sanchietti) #30

You should create a migration fragment:
If squidguard is enabled and the install is an update from the old system, you must enable the ufdbguard service.


(Vhinz Sanchez) #31

@filippo_carletti, you are one heck of greatness (along with other devs)! Testing to be done next week though.


(kai) #32

I have been testing it since yesterday and it is incredible, because now my network is controlled. I see every connection attempt and the established ones, see that only IPs are blocked, see what systems and devices do on SSL connections. I am flashed, thanks so much!!! Everything works well on my side, maybe a bit laggy now and then but not very strongly. Will go further with tests.


(kai) #33

After a few days now I saw that the configuration with the new squid needs a lot of RAM. And the whole system is laggy now and then. In my previous configuration I deactivated the Squid disk cache because I had enough RAM. Now I activated the RAM and now it is much better from what RAM is needed. Just information for those who may have RAM problems. Second is that I am not able to use Telegram (Messenger) with that configuration. I don’t get a connection.


(kai) #34

So, another few days are gone and I recognize that after I went further with the transparent HTTPS proxy, the RAM is now totally used by the system. It is a bit laggy. Can someone confirm this? My system has 8 GB RAM, a CPU model 4 x Intel® Core™ i5-3570T CPU @ 2.30GHz. After a reboot it is pretty normal, but after one day it is using everything on normal RAM, 98%, and also uses a lot of swap space.


(Vhinz Sanchez) #35

Awww…it’s hurting. My pfSense box is a repurposed PII desktop with just 2 GB RAM and my test box is i3 with 4GB…seems that I can not still use it. Will be testing though.


(Ralf Jeckel) #36

Hello Kai,
I think this behaviour is pretty normal. My system has 24GB, 4 GB are used by the system itself, 4 to 8 GB are used by VMs, depending on how many are running, and the rest up to ~ 98% is used for buffering, mainly by squid. Someone stated that squid is a “ram-hungry daemon”. I agree with that. The RAM usage of Linux is a miracle only known by Torvalds himself, some say. But unused RAM is useless RAM, so it’s good that squid uses free RAM for buffering.
If you wish to influence the behaviour of swap, you can use the system value swappiness.
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Performance_Tuning_Guide/s-memory-tunables.html
I played a bit with it, but didn’t notice big differences.


(kai) #37

Hello Ralf,
At my side it is a stand-alone system, not VMs. But I agree, unused RAM is useless. But the circumstances from before using the new transparent SSL proxy and the old one without are a bit weird for me. Before, the whole system, also with Squid, took around 70% of the normal RAM. After I switched to the new configuration it looks like this
Maybe there is a way to change that, because the whole system is laggy after a day.


(Filippo Carletti) #38

@hucky, in my test systems I didn’t notice a big increase in ram usage.
squid can use a lot of memory, see the faq:
http://wiki.squid-cache.org/SquidFaq/SquidMemory
We need to discover if memory usage grows indefinitely.
I suggest you enable cachemgr.cgi:

  1. modify /etc/httpd/conf.d/squid.conf adding
    Require ip 192.168.x.y
    (insert the ip address of your workstation)
  2. systemctl reload httpd
  3. point your browser to http://yo.ur.ser.ver/Squid/cgi-bin/cachemgr.cgi
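
One way to check the open question in the post above (whether squid's memory keeps growing or levels off once its cache is warm), as an added example that is not part of the thread or of NethServer. The process name `squid`, the "epoch rss_kb" log format, the 20% threshold and the function names are assumptions.

```shell
#!/bin/sh
# Added example: sample squid's resident memory and classify the trend.

# Sum VmRSS (kB) over every process named exactly $1, from /proc/<pid>/status.
rss_kb() {
    total=0
    for pid in $(pgrep -x "$1" 2>/dev/null); do
        kb=$(awk '/^VmRSS:/ {print $2}' "/proc/$pid/status" 2>/dev/null) || kb=0
        total=$((total + ${kb:-0}))
    done
    echo "$total"
}

# Append one "epoch rss_kb" sample to the log file $1 (run from cron, e.g. every 10 min).
sample() {
    echo "$(date +%s) $(rss_kb squid)" >> "$1"
}

# Classify the samples in log file $1.
# A warming cache grows and then flattens, so compare only the last two
# quarters of the series: if the final quarter is still more than $2 percent
# (default 20) above the one before it, memory is still climbing.
trend() {
    awk -v pct="${2:-20}" '
        NF == 2 { v[++n] = $2 }
        END {
            if (n < 8) { print "insufficient"; exit }
            q = int(n / 4)
            for (i = n - 2 * q + 1; i <= n - q; i++) prev += v[i]
            for (i = n - q + 1; i <= n; i++) last += v[i]
            if (last > prev * (1 + pct / 100)) print "growing"
            else print "plateaued"
        }' "$1"
}
```

Call `sample /var/tmp/squid-rss.log` periodically over a day or two, then `trend /var/tmp/squid-rss.log`; the log path is a placeholder.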

(Ralf Jeckel) #39

I tried to reproduce the high memory consumption of squid.
After using a pretty basic NS7-nsdc now for a few hours, this is the memory usage:

Swap-usage is still 0.

To simulate a squid load I opened some Chrome windows with in sum ca. 170 tabs. Closed them after some minutes and reopened them again. This is where the memory consumption is increasing. But not dramatically.

This is from cache-manager (don’t know if this helps):

As far as I can say it behaves normal until now.
I’ll keep using this machine for a while and report if it becomes laggy.


(Giacomo Sanchietti) #40

Packages are officially in testing repository!