Re: [squid-users] Squid + ICAP + ClamAV so slow

From: Luis Daniel Lucio Quiroz <luis.daniel.lucio_at_gmail.com>
Date: Tue, 18 Oct 2011 11:50:22 -0500

2011/10/18 Christian Gregoire <cgregoir99_at_yahoo.com>:
> Hello,
>
> I've configured Squid to filter HTTP traffic with ClamAV using ICAP. And the result is pretty bad: loading a simple page takes ages. When I disable ICAP in squid.conf, all is fine.
>
> Can someone share his/her configuration with me so that I can compare both?
>
>
>
> Here is the Squid 3.1.9 ICAP configuration:
>
> icap_enable on
> icap_send_client_ip on
> icap_send_client_username on
> icap_client_username_encode off
> icap_client_username_header X-Authenticated-User
> icap_preview_enable on
> icap_preview_size 1024
> icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
> adaptation_access service_req allow all
> icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
> adaptation_access service_resp allow all
>
> Here is the C-ICAP config file:
>
> PidFile /var/run/c-icap/c-icap.pid
> CommandsSocket /var/run/c-icap/c-icap.ctl
> Timeout 300
> MaxKeepAliveRequests 100
> KeepAliveTimeout 600
> StartServers 3
> MaxServers 10
> MinSpareThreads     10
> MaxSpareThreads     20
> ThreadsPerChild     10
> MaxRequestsPerChild  0
> Port 1344
> ServerAdmin you_at_your.address
> ServerName YourServerName
> TmpDir /var/tmp
> MaxMemObject 131072
> DebugLevel 1
> ModulesDir /usr/local/c_icap/lib/c_icap
> ServicesDir /usr/local/c_icap/lib/c_icap
> TemplateDir /usr/local/c_icap/share/c_icap/templates/
> TemplateDefaultLanguage en
> LoadMagicFile /usr/local/c_icap/etc/c-icap.magic
> RemoteProxyUsers off
> RemoteProxyUserHeader X-Authenticated-User
> RemoteProxyUserHeaderEncoded on
> ServerLog /servers/icap/logs/server.log
> AccessLog /servers/icap/logs/access.log
> Module logger sys_logger.so
> Logger  sys_logger
> Service squidclamav squidclamav.so
> ServiceAlias avscan squidclamav?allow204=on&sizelimit=off&mode=simple
> Service echo srv_echo.so
> sys_logger.Facility     local7
>
> Thanks
>
> Christian
>

A fast reading of your configuration can show that you are PASSING
ALL to the ICAP. And of course this will be slow; pass only objects you
need to verify for viruses. Only exe, some html; don't pass JPG, GIF, PNG.

You also need to improve your cache performance to trust that cached
objects are clean.

LD
http://www.twitter.com/ldlq
Received on Tue Oct 18 2011 - 16:50:31 MDT
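
The advice in the reply above, written out as a squid.conf fragment. This is an added example, not configuration posted by anyone in the thread. The service names and ICAP URL are taken from the quoted configuration; the ACL names `scan_upload` and `skip_media` are made up here, and the fragment assumes REQMOD is used only for virus scanning. It goes slightly beyond the reply by also skipping audio and video and by limiting REQMOD to requests that carry a body.

```conf
# squid.conf (Squid 3.1 syntax); service definitions as in the quoted config
icap_enable on
icap_preview_enable on
icap_preview_size 1024

icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav

# Before (from the quoted config): every request and response is sent to ICAP.
#   adaptation_access service_req allow all
#   adaptation_access service_resp allow all

# Requests: only methods that carry a body (uploads) have anything to scan.
# Assumption: REQMOD is not also used for URL filtering.
acl scan_upload method POST PUT
adaptation_access service_req allow scan_upload
adaptation_access service_req deny all

# Responses: do not send images (JPG, GIF, PNG) or other media to the scanner.
# rep_mime_type matches the Content-Type header of the reply.
acl skip_media rep_mime_type -i ^image/ ^audio/ ^video/
adaptation_access service_resp deny skip_media
adaptation_access service_resp allow all
```

The skip rule matches the Content-Type that the origin server declares, so it trades scan coverage for speed: a response labelled as an image is not scanned whatever its body contains. Rules are evaluated in order, so the `deny` lines must stay above the final `allow all`.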
