HTTP Anti-Virus Proxy http://havp.hege.li/forum/ |
HAVP really slow while IPTables activated http://havp.hege.li/forum/viewtopic.php?f=3&t=389 |
Author: | marc78 [ 16 Sep 2008 18:59 ] |
Post subject: | HAVP really slow while IPTables activated |
Hi, we set up several (5) boxes using Squid/SquidGuard/HAVP and on one of them netfilter. All the hardware is almost the same (2 Xeon minimum, 3GB RAM, SCSI 320 hard drives, Linux Slackware 12.0). On main servers, with about 1500 active users we don't have any issue. On the last box, with only 400 users, surfing is really slow... and unacceptable for users.

I have checked all the config (squid, squidguard, havp), and the only difference is that this box is also running IPTables to handle specific traffic. Without HAVP this box is running really fine, as all other systems, but as soon as HAVP is activated, the system slows down after a few minutes of activity. The result for end users is a "connection lost" error page from HAVP. During the problem, the load average of the server is low (almost 0 !), memory usage is normal, no paging,...

I'm pretty sure the pb is linked to IPTables, but as the default rules for both outgoing and incoming chains are "ACCEPT", I suppose it's another parameter. (I tested with the stock kernel 2.6.21.5 and the latest one 2.6.26.5, same result).

UPDATE : on this server, we made a test by switching off IPTables, and the surfing is back to normal. So the problem is between HAVP and IPTables. Any way to add some log to find where it blocks ? Has anyone here already seen (and solved !) this kind of trouble ? Any help will be appreciated.

regards, Marc. |
Author: | hydrapolic [ 22 Sep 2008 08:53 ] |
Post subject: | Re: HAVP really slow while IPTables activated |
Strange indeed. Could you post your configs ? I'm running HAVP on 2.6.24 with iptables and getting decent speeds. |
Author: | hege [ 22 Sep 2008 10:29 ] |
Post subject: | Re: HAVP really slow while IPTables activated |
You need to post your iptables, what is "specific traffic"? There are many ways to shoot your foot. |
Author: | marc78 [ 22 Sep 2008 17:11 ] |
Post subject: | Re: HAVP really slow while IPTables activated |
Hi, for IPTables, I don't think the problem is because of rules, we made a simple test flushing all rules (iptables -F), same result. I don't have access to the server until tomorrow, so I will post config files tomorrow morning. Marc. |
Author: | marc78 [ 30 Sep 2008 17:30 ] |
Post subject: | Re: HAVP really slow while IPTables activated |
Hi, the current active conf for HAVP is (result of havp -s) :

    ACCESSLOG=/var/log/havp/access.log
    ARCAVIRSOCKET=/var/run/arcavird.socket
    AVASTPORT=5036
    AVASTSERVER=
    AVASTSOCKET=/var/run/avast4/local.sock
    AVESOCKET=/var/run/aveserver
    AVGPORT=55555
    AVGSERVER=127.0.0.1
    BIND_ADDRESS=127.0.0.1
    BLACKLIST=/etc/havp/blacklist
    CLAMBLOCKBROKEN=FALSE
    CLAMBLOCKENCRYPTED=FALSE
    CLAMBLOCKMAX=FALSE
    CLAMDBDIR=
    CLAMDPORT=3310
    CLAMDSERVER=
    CLAMDSOCKET=/tmp/clamd
    CLAMMAXFILES=1000
    CLAMMAXFILESIZE=50
    CLAMMAXRATIO=250
    CLAMMAXRECURSION=8
    DAEMON=TRUE
    DBRELOAD=60
    DISPLAYINITIALMESSAGES=TRUE
    ENABLEARCAVIR=FALSE
    ENABLEAVAST=FALSE
    ENABLEAVESERVER=FALSE
    ENABLEAVG=FALSE
    ENABLECLAMD=FALSE
    ENABLECLAMLIB=TRUE
    ENABLEFPROT=FALSE
    ENABLENOD32=FALSE
    ENABLESOPHIE=FALSE
    ENABLETROPHIE=FALSE
    ERRORLOG=/var/log/havp/error.log
    FAILSCANERROR=TRUE
    FORWARDED_IP=TRUE
    FPROTPORT=10200
    FPROTSERVER=127.0.0.1
    GROUP=squid
    IGNOREVIRUS=
    KEEPBACKBUFFER=200000
    KEEPBACKTIME=5
    LOGLEVEL=1
    LOG_OKS=FALSE
    MAXDOWNLOADSIZE=0
    MAXSCANSIZE=150000000
    MAXSERVERS=400
    NOD32SOCKET=/tmp/nod32d.sock
    NOD32VERSION=25
    PARENTPORT=0
    PARENTPROXY=
    PIDFILE=/var/run/havp/havp.pid
    PORT=8010
    RANGE=FALSE
    SCANIMAGES=TRUE
    SCANNERTIMEOUT=10
    SCANTEMPFILE=/var/tmp/havp/havp-XXXXXX
    SERVERNUMBER=120
    SOPHIESOCKET=/var/run/sophie
    SOURCE_ADDRESS=
    STREAMSCANSIZE=20000
    STREAMUSERAGENT=
    SYSLOGFACILITY=daemon
    SYSLOGLEVEL=info
    SYSLOGNAME=havp
    TEMPDIR=/tmp
    TEMPLATEPATH=/etc/havp/templates/es
    TRANSPARENT=FALSE
    TRICKLING=30
    TROPHIEMAXFILES=1000
    TROPHIEMAXFILESIZE=10
    TROPHIEMAXRATIO=250
    USER=squid
    USESYSLOG=FALSE
    WHITELIST=/etc/havp/whitelist
    WHITELISTFIRST=TRUE
    X_FORWARDED_FOR=FALSE

IPTables config is mostly like (I removed many similar lines) :

    root@proxyserver:~# iptables -L -n
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

    Chain FORWARD (policy DROP)
    target prot opt source destination
    ACCEPT tcp -- 10.70.96.54 194.224.215.30 tcp dpts:7200:7210 state NEW,RELATED
    ACCEPT tcp -- 10.70.96.76 194.224.215.30 tcp dpts:7200:7210 state NEW,RELATED
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

While HAVP is running, if I look for open handles for one HAVP process the list is :

    havp 10096 squid cwd DIR 104,1 4096 226241 /tmp
    havp 10096 squid rtd DIR 104,1 4096 2 /
    havp 10096 squid txt REG 104,7 324525 565694 /usr/sbin/havp
    havp 10096 squid mem REG 104,1 77439 161683 /lib/libresolv-2.5.so
    havp 10096 squid mem REG 104,1 21065 161676 /lib/libnss_dns-2.5.so
    havp 10096 squid mem REG 104,1 45552 161677 /lib/libnss_files-2.5.so
    havp 10096 squid mem REG 104,1 41045 161679 /lib/libnss_nis-2.5.so
    havp 10096 squid mem REG 104,7 145457 633717 /usr/lib/libclamunrar.so.3.0.3
    havp 10096 squid mem REG 104,1 96480 161674 /lib/libnsl-2.5.so
    havp 10096 squid mem REG 104,7 24773 633723 /usr/lib/libclamunrar_iface.so.3.0.3
    havp 10096 squid mem REG 104,1 110796 161682 /lib/libpthread-2.5.so
    havp 10096 squid mem REG 104,7 218928 630246 /usr/lib/libgmp.so.3.4.1
    havp 10096 squid mem REG 104,1 66444 163173 /lib/libbz2.so.1.0.4
    havp 10096 squid mem REG 104,7 77688 630269 /usr/lib/libz.so.1.2.3
    havp 10096 squid mem REG 104,1 1528742 161668 /lib/libc-2.5.so
    havp 10096 squid mem REG 104,7 41224 630258 /usr/lib/libgcc_s.so.1
    havp 10096 squid mem REG 104,1 184820 161672 /lib/libm-2.5.so
    havp 10096 squid mem REG 104,7 906580 630337 /usr/lib/libstdc++.so.6.0.8
    havp 10096 squid mem REG 104,7 1323603 630608 /usr/lib/libclamav.so.3.0.3
    havp 10096 squid mem REG 104,1 35494 161675 /lib/libnss_compat-2.5.so
    havp 10096 squid mem REG 104,1 131484 161710 /lib/ld-2.5.so
    havp 10096 squid 0w REG 104,5 43993 129866 /var/log/havp/error.log
    havp 10096 squid 1w REG 104,5 0 129858 /var/log/havp/access.log
    havp 10096 squid 2uw REG 104,6 1 114 /var/tmp/havp/havp-YQ0Cfv
    havp 10096 squid 3u IPv4 8897 TCP 127.0.0.1:8010 (LISTEN)
    havp 10096 squid 5w FIFO 0,5 9564560 pipe
    havp 10096 squid 6r FIFO 0,5 9564561 pipe

Hope this may help someone to find an idea about this problem... Marc. |
Author: | hege [ 30 Sep 2008 17:34 ] |
Post subject: | Re: HAVP really slow while IPTables activated |
What is the method you used for "switching off iptables"? |
Author: | marc78 [ 30 Sep 2008 19:30 ] |
Post subject: | Re: HAVP really slow while IPTables activated |
The first method was only to flush all rules (iptables -F), no success, the server still slows down. The second method was to remove rc.firewall from startup and restart the server (so no iptables modules were loaded), with this method this server acts like all the others: good perf while browsing from clients. Marc. |
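Added example, not part of the thread: marc78 asks how to log where traffic blocks, and reports that iptables -F did not help while not loading the iptables modules did. Flushing rules leaves loaded netfilter modules in place, including the connection tracking that the "state" rules rely on, so one check is whether the conntrack table is filling up. That conntrack is involved is an assumption the thread never confirms; the sample log lines and the 80% threshold are constructed.

```shell
# Added example: is connection tracking loaded, and is its table filling up?
# Assumption: conntrack is only a suspect; the thread never confirms a cause.

# Print the first readable file among the arguments (proc paths vary by kernel).
first_readable() {
    for f in "$@"; do
        [ -r "$f" ] && { cat "$f"; return 0; }
    done
    return 1
}

# conntrack_pct COUNT MAX -> integer percentage of the table in use.
conntrack_pct() {
    [ "$2" -gt 0 ] || return 1
    echo $(( $1 * 100 / $2 ))
}

# count_table_full FILE -> kernel "table full" drop messages (ip_/nf_ prefix).
count_table_full() {
    n=$(grep -Ec '(ip|nf)_conntrack: table full, dropping packet' "$1" 2>/dev/null) || true
    echo "${n:-0}"
}

# verdict COUNT MAX LOGFILE -> dropping | near-full | ok | unknown
verdict() {
    pct=$(conntrack_pct "$1" "$2") || { echo unknown; return; }
    if [ "$(count_table_full "$3")" -gt 0 ]; then echo dropping
    elif [ "$pct" -ge 80 ]; then echo near-full   # 80% is an arbitrary threshold
    else echo ok
    fi
}

# Constructed kernel log lines, for trying the functions without a live box.
sample_log() {
    printf '%s\n' 'ip_conntrack: table full, dropping packet.' 'eth0: link up' 'nf_conntrack: table full, dropping packet.'
}

# Live check on the proxy box; fails if no conntrack counters are exposed.
live_check() {
    count=$(first_readable /proc/sys/net/netfilter/nf_conntrack_count \
                           /proc/sys/net/ipv4/netfilter/ip_conntrack_count) || return 1
    max=$(first_readable /proc/sys/net/netfilter/nf_conntrack_max \
                         /proc/sys/net/ipv4/netfilter/ip_conntrack_max) || return 1
    log=$(mktemp); dmesg > "$log" 2>/dev/null
    echo "conntrack $count/$max: $(verdict "$count" "$max" "$log")"
    rm -f "$log"
}

live_check || echo "no conntrack counters found (module not loaded?)"
```

Running it once after iptables -F and once after a boot without rc.firewall shows whether the tracking table is still present in the first case.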
All times are UTC + 2 hours [ DST ] |