Squid ограничения https канала

@asql · Регистрация: 03.06.2014

Author24 — интернет-сервис помощи студентам

Добрый день,
Собрал squid из исходников с боддержкой ssl и долго настраивал его на "обнаружение" сайтов по https протоколу...
Пришло время ограничения трафика и тут мне влетело бревно в колесо, которое я так и не смог высунуть)
Все сайты и закачки (все что касается http трафика) ограничивается, НО только не трафик с https!
Захожу на 2ip или яндекс интернет - скорость по максу, качаю файл с https сайта - по максу!

Как ограничить скорость закачки/скачки с https?
может я что то делаю не так или может есть аналог delay_parameters но только для https?

итак:
uname -a
Linux server 4.4.0-98-generic #121-Ubuntu SMP Tue Oct 10 14:24:03 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

squid -v
Squid Cache: Version 3.5.12
Service Name: squid
Ubuntu linux
configure options: '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' 'BUILDCXXFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--libexecdir=/usr/lib/squid' '--mandir=/usr/share/man' '--enable-inline' '--disable-arch-native' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake,smb_lm' '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_grou p,wbinfo_group' '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-translation' '--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-ssl' '--enable-ssl-crtd' '--with-openssl' '--enable-build-info=Ubuntu linux' '--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wall' 'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security'

openssl version
LibreSSL 2.1.6

squid.conf
acl speed_unlim src "/etc/squid/config/speed_unlim"
acl speed_1m src "/etc/squid/config/speed_1m"

acl block_site dstdom_regex -i "/etc/squid/config/block_sites"

http_port 3130
http_port 192.168.1.1:3128 intercept
https_port 192.168.1.1:3129 intercept ssl-bump options=ALL:NO_SSLv3:NO_SSLv2 connection-auth=off cert=/etc/squid/squidCA.pem
dns_nameservers 8.8.8.8

acl local src 192.168.1.0/24
acl CONNECT method CONNECT

delay_pools 3
delay_class 1 1
delay_class 2 1
delay_class 3 1
delay_access 1 allow speed_unlim
delay_access 1 deny all
delay_access 2 allow speed_1m
delay_access 2 deny all
delay_access 3 allow !speed_unlim
delay_access 3 allow !speed_1m
delay_access 3 deny all
delay_parameters 1 -1/-1
delay_parameters 2 128000/128000
delay_parameters 3 0/0

acl SSL_ports port 443
acl SSL_ports port 22 # ssh
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 22 # ssh
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http

http_access deny block_site
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow local
http_access deny all

always_direct allow all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

acl denied_urls_ssl ssl::server_name_regex "/etc/squid/config/block_sites"

ssl_bump peek all
ssl_bump terminate denied_urls_ssl
ssl_bump splice all
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

# Закрывать наполовину закрытые соединения
half_closed_clients off

coredump_dir /var/spool/squid
cache_dir ufs /var/spool/squid 10240 16 256
cache_swap_low 90
cache_swap_high 95
maximum_object_size_in_memory 512 KB
memory_replacement_policy lru
logfile_rotate 4

maximum_object_size 10240 KB

refresh_pattern -i \.gif$ 43200 100% 43200 override-lastmod override-expire ignore-reload ignore-no-cache
refresh_pattern -i \.png$ 43200 100% 43200 override-lastmod override-expire ignore-reload ignore-no-cache
refresh_pattern -i \.jpg$ 43200 100% 43200 override-lastmod override-expire ignore-reload ignore-no-cache
refresh_pattern -i \.jpeg$ 43200 100% 43200 override-lastmod override-expire ignore-reload ignore-no-cache
refresh_pattern -i \.pdf$ 43200 100% 43200 override-lastmod override-expire ignore-reload ignore-no-cache
refresh_pattern -i \.zip$ 43200 100% 43200 override-lastmod override-expire ignore-reload ignore-no-cache
refresh_pattern -i \.tar$ 43200 100% 43200 override-lastmod override-expire ignore-reload ignore-no-cache
refresh_pattern -i \.gz$ 43200 100% 43200 override-lastmod override-expire ignore-reload ignore-no-cache
refresh_pattern -i \.tgz$ 43200 100% 43200 override-lastmod override-expire ignore-reload ignore-no-cache
refresh_pattern -i \.bz2$ 43200 100% 43200 override-lastmod override-expire ignore-reload ignore-no-cache
refresh_pattern -i \.exe$ 43200 100% 43200 override-lastmod override-expire ignore-reload ignore-no-cache
refresh_pattern -i \.prz$ 43200 100% 43200 override-lastmod override-expire ignore-reload ignore-no-cache
refresh_pattern -i \.ppt$ 43200 100% 43200 override-lastmod override-expire ignore-reload ignore-no-cache
refresh_pattern -i \.inf$ 43200 100% 43200 override-lastmod override-expire ignore-reload ignore-no-cache
refresh_pattern -i \.swf$ 43200 100% 43200 override-lastmod override-expire ignore-reload ignore-no-cache
refresh_pattern -i \.mid$ 43200 100% 43200 override-lastmod override-expire ignore-reload ignore-no-cache
refresh_pattern -i \.wav$ 43200 100% 43200 override-lastmod override-expire ignore-reload ignore-no-cache
refresh_pattern -i \.mp3$ 43200 100% 43200 override-lastmod override-expire ignore-reload ignore-no-cache
refresh_pattern -i \.ico$ 43200 100% 43200 override-lastmod override-expire ignore-reload ignore-no-cache

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320

@asql 76 / 77 / 40 Регистрация: 03.06.2014 Сообщений: 463
		1
	Squid ограничения https канала 17.11.2017, 15:24. Показов 794. Ответов 0 Метки нет (Все метки) Добрый день, Собрал squid из исходников с боддержкой ssl и долго настраивал его на "обнаружение" сайтов по https протоколу... Пришло время ограничения трафика и тут мне влетело бревно в колесо, которое я так и не смог высунуть) Все сайты и закачки (все что касается http трафика) ограничивается, НО только не трафик с https! Захожу на 2ip или яндекс интернет - скорость по максу, качаю файл с https сайта - по максу! Как ограничить скорость закачки/скачки с https? может я что то делаю не так или может есть аналог delay_parameters но только для https? итак: uname -a Linux server 4.4.0-98-generic #121-Ubuntu SMP Tue Oct 10 14:24:03 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux squid -v Squid Cache: Version 3.5.12 Service Name: squid Ubuntu linux configure options: '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' 'BUILDCXXFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--libexecdir=/usr/lib/squid' '--mandir=/usr/share/man' '--enable-inline' '--disable-arch-native' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake,smb_lm' '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_grou p,wbinfo_group' '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-translation' '--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-ssl' '--enable-ssl-crtd' '--with-openssl' '--enable-build-info=Ubuntu linux' '--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wall' 'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security' openssl version LibreSSL 2.1.6 squid.conf acl speed_unlim src "/etc/squid/config/speed_unlim" acl speed_1m src "/etc/squid/config/speed_1m" acl block_site dstdom_regex -i "/etc/squid/config/block_sites" http_port 3130 http_port 192.168.1.1:3128 intercept https_port 192.168.1.1:3129 intercept ssl-bump options=ALL:NO_SSLv3:NO_SSLv2 connection-auth=off cert=/etc/squid/squidCA.pem dns_nameservers 8.8.8.8 acl local src 192.168.1.0/24 acl CONNECT method CONNECT delay_pools 3 delay_class 1 1 delay_class 2 1 delay_class 3 1 delay_access 1 allow speed_unlim delay_access 1 deny all delay_access 2 allow speed_1m delay_access 2 deny all delay_access 3 allow !speed_unlim delay_access 3 allow !speed_1m delay_access 3 deny all delay_parameters 1 -1/-1 delay_parameters 2 128000/128000 delay_parameters 3 0/0 acl SSL_ports port 443 acl SSL_ports port 22 # ssh acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 22 # ssh acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http http_access deny block_site http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow local http_access deny all always_direct allow all sslproxy_cert_error allow all sslproxy_flags DONT_VERIFY_PEER acl denied_urls_ssl ssl::server_name_regex "/etc/squid/config/block_sites" ssl_bump peek all ssl_bump terminate denied_urls_ssl ssl_bump splice all sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB # Закрывать наполовину закрытые соединения half_closed_clients off coredump_dir /var/spool/squid cache_dir ufs /var/spool/squid 10240 16 256 cache_swap_low 90 cache_swap_high 95 maximum_object_size_in_memory 512 KB memory_replacement_policy lru logfile_rotate 4 maximum_object_size 10240 KB refresh_pattern -i \.gif$ 43200 100% 43200 override-lastmod override-expire ignore-reload ignore-no-cache refresh_pattern -i \.png$ 43200 100% 43200 override-lastmod override-expire ignore-reload ignore-no-cache refresh_pattern -i \.jpg$ 43200 100% 43200 override-lastmod override-expire ignore-reload ignore-no-cache refresh_pattern -i \.jpeg$ 43200 100% 43200 override-lastmod override-expire ignore-reload ignore-no-cache refresh_pattern -i \.pdf$ 43200 100% 43200 override-lastmod override-expire ignore-reload ignore-no-cache refresh_pattern -i \.zip$ 43200 100% 43200 override-lastmod override-expire ignore-reload ignore-no-cache refresh_pattern -i \.tar$ 43200 100% 43200 override-lastmod override-expire ignore-reload ignore-no-cache refresh_pattern -i \.gz$ 43200 100% 43200 override-lastmod override-expire ignore-reload ignore-no-cache refresh_pattern -i \.tgz$ 43200 100% 43200 override-lastmod override-expire ignore-reload ignore-no-cache refresh_pattern -i \.bz2$ 43200 100% 43200 override-lastmod override-expire ignore-reload ignore-no-cache refresh_pattern -i \.exe$ 43200 100% 43200 override-lastmod override-expire ignore-reload ignore-no-cache refresh_pattern -i \.prz$ 43200 100% 43200 override-lastmod override-expire ignore-reload ignore-no-cache refresh_pattern -i \.ppt$ 43200 100% 43200 override-lastmod override-expire ignore-reload ignore-no-cache refresh_pattern -i \.inf$ 43200 100% 43200 override-lastmod override-expire ignore-reload ignore-no-cache refresh_pattern -i \.swf$ 43200 100% 43200 override-lastmod override-expire ignore-reload ignore-no-cache refresh_pattern -i \.mid$ 43200 100% 43200 override-lastmod override-expire ignore-reload ignore-no-cache refresh_pattern -i \.wav$ 43200 100% 43200 override-lastmod override-expire ignore-reload ignore-no-cache refresh_pattern -i \.mp3$ 43200 100% 43200 override-lastmod override-expire ignore-reload ignore-no-cache refresh_pattern -i \.ico$ 43200 100% 43200 override-lastmod override-expire ignore-reload ignore-no-cache refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/\|\?) 0 0% 0 refresh_pattern (Release\|Packages(.gz)*)$ 0 20% 2880 refresh_pattern . 0 20% 4320 0

	17.11.2017, 15:24