URL filtering and squid performance

squid

We are using squid web cache transparent proxy in our company and we usually have 450 users browsing during peak hours. We get lists of URLs (upto even 1600 URLs per list) from the national telecom authority for blocking. We block them using Squid ACL with a black list file but we experience significant performance degradation as soon as we apply the ACL in squid.conf. What is the remedy of this problem? How can we block such huge number of URLs?.

Best Answer

Whenever the Squid configuration is reloaded, everything Squid does is paused.

I suggest to use ufdbGuard, a free URL filter for Squid. When ufdbGuard reloads the URL database there is no negative effect for Squid or users browsing. One can download ufdbGuard from SourceForge and URLfilterDB.

Related Solutions

How To Enable URL Filtering With Just Squid & C-ICAP

I'm trying to do the same. I got success configuring c-icap to block a request.

Your srv_url_check.conf seems to be incomplete. Mine is configured as follows:

Service urlcheck /usr/lib/x86_64-linux-gnu/c_icap/srv_url_check.so
url_check.LookupTableDB denyhosts url hash:/etc/c-icap/denyhosts.txt "Denied Host"
url_check.Profile denyProfile block denyhosts
url_check.ProfileAccess denyProfile all

The file denyhosts.txt, is a simple text file. Each line should contain a host to be block, such as:

mp3.com.au
xvideos.com
sex.com

And finally, you should uncomment line acl all src 0.0.0.0/0.0.0.0 into c-icap.conf.

Start your c-icap server like /usr/bin/c-icap -D -N -d 1 (adjust the log level (-d) as you wish) and test it using /usr/bin/c-icap-client -s url_check -req http://sex.com -v -d 1.

As a response, you will receive:

ICAP HEADERS:
    ICAP/1.0 200 OK
    Server: C-ICAP/0.4.2
    Connection: keep-alive
    ISTag: CI0001-XXXXXXXXX
    X-ICAP-Profile: denyProfile
    X-Attribute: denyhosts
    X-Attribute-Prefix: 7
    X-Response-Info: BLOCKED
    X-Response-Desc: URL category denyhosts is BLOCKED
    Encapsulated: res-hdr=0, res-body=108

RESPMOD HEADERS:
    HTTP/1.0 403 Forbidden
    Server: C-ICAP
    Content-Type: text/html
    Connection: close
    Content-Language: en

This is what I did so far...

URL filtering HTTPS traffic

By the time the https traffic arrives at the transparent proxy there's only the IP "visible": not enough information to recreate the connect request and proxy it.

When you set a proxy in your browser (manually, or by proxy.pac) the browser knows to send more info to the proxy about what it wants.

Some proxies can use SNI information to transparently proxy a majority of SSL traffic - and then either domain filter it (from the sni info) or MITM it and do a full filtering job. I work for a supplier of one such filter - Smoothwall (who also employ dansguardian Dan).

Best Answer

Related Solutions

How To Enable URL Filtering With Just Squid & C-ICAP

URL filtering HTTPS traffic

Related Topic