Debian
Kenny00, 2019-06-19 16:34:53

How to see in SQUID who is loading the server and the channel?

There is a proxy server on SQUID; it is not an endpoint on the network, the input and output are on the same interface.
If you watch the traffic, there is a wild load on the channel during working hours; because of the proxy it is not clear who is hogging it. How to find the offender? We associate the situation with downloads of Windows 10 updates, but that is not a fact. What should you pay attention to?
If you look at the firewall, there are no clients who would load the network. As if someone sent a request to the proxy, and it began downloading everything for itself without passing it on to anyone.
On the switches there is no such large traffic from clients, a maximum of 5-6 megabits, and even that rarely, but here it is stable at up to 50 megabits, on an Internet channel of 45. I am attaching screenshots.
And what is 88.221.132.80??? What is the proxy downloading from there, and who asks for it?!
88.221.132.80 is, in general, some kind of strange web server.
Config:

#ACL WORK TIME
acl worktime time MTWHFA 08:30-22:30

#ACL Resources
acl bad_domains dstdomain "/etc/squid/block_domains.acl"
acl white_domains dstdomain "/etc/squid/white_domains.acl"
acl white_domains2 dstdomain "/etc/squid/white_domains2.acl"
acl block_extensions url_regex -i "/etc/squid/block_extensions.acl"
acl bad_url url_regex -i "/etc/squid/bad_url.acl"
#acl bad_mime rep_mime_type -i "/etc/squid/mime_type.acl"
acl wupdates url_regex -i "/etc/squid/wupdates.acl"

acl no_cache dstdomain "/etc/squid/nocache_domain.acl"

#ACL WINDOWS UPDATES
acl windowsupdate dstdomain "/etc/squid/wdomainupdates.acl"

#ACL Groups IP
acl managers src "/etc/squid/inet_users.acl"
acl sec_users src "/etc/squid/sec_users.acl"
acl sec_users2 src "/etc/squid/sec_users2.acl"

dns_nameservers 77.88.8.7 77.88.8.3 192.168.77.1


#ACL SYSTEMS
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
#acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http

acl Safe_ports port 22          # webinars
acl Safe_ports port 757
acl Safe_ports port 3306        # webinars
acl Safe_ports port 4444        # webinars
acl Safe_ports port 4567        # webinars
acl Safe_ports port 8080        # webinars
acl Safe_ports port 8081        # webinars
acl Safe_ports port 8089        # webinars
acl Safe_ports port 8090        # webinars
acl Safe_ports port 8443        # webinars
acl Safe_ports port 8888        # webinars
acl Safe_ports port 9091        # webinars

acl Safe_ports port 1935        # Test
acl Safe_ports port 4343        # Test
acl Safe_ports port 4344        # Test
acl Safe_ports port 9443        # Test
acl Safe_ports port 17734       # Test
acl Safe_ports port 29980       # Test

acl Safe_ports port 2042        #mail agent

acl Safe_ports port 4244        # whatsapp
acl Safe_ports port 5222        # whatsapp
acl Safe_ports port 5223        # whatsapp
acl Safe_ports port 5228        # whatsapp
acl Safe_ports port 5242        # whatsapp
acl Safe_ports port 50318       # whatsapp
acl Safe_ports port 59234       # whatsapp


acl CONNECT method CONNECT

#HTTP ACCESS Windows UPDATE
http_access allow wupdates

acl CONNECT method CONNECT
acl wuCONNECT dstdomain www.update.microsoft.com
acl wuCONNECT dstdomain sls.microsoft.com

http_access allow CONNECT wuCONNECT managers
http_access allow windowsupdate managers
http_access allow CONNECT wuCONNECT sec_users
http_access allow windowsupdate sec_users

http_access allow CONNECT wuCONNECT localhost
http_access allow windowsupdate localhost

#HTTP ACCESS
http_access deny  managers bad_domains
http_access deny  managers block_extensions
#http_access deny  managers bad_mime
http_access deny  managers bad_url
#http_reply_access deny managers bad_mime

http_access allow sec_users white_domains
http_access allow sec_users2 white_domains2

http_access deny sec_users
http_access deny sec_users2

http_access deny managers !worktime
http_access allow managers


#HTTP CONF ACCESS
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access deny all

# CONFIG SYSTEM
http_port 3128
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320


#### CACHE DENY (NOCACHE)#####

cache deny no_cache

##############################


#cache_dir aufs /var/spool/squid 500 49 256
cache_dir aufs /var/spool/squid 40000 16 256
cache_mem 200 MB

range_offset_limit 200 MB windowsupdate
maximum_object_size 200 MB
quick_abort_min -1

# MEM
maximum_object_size_in_memory 1024 KB
memory_replacement_policy lru

# LOG
logfile_rotate 10
log_icp_queries off
client_db off
buffered_logs on
half_closed_clients off
memory_pools off

cache_mgr [email protected]

# Cache ads #
#######################
refresh_pattern http://ad\.                        43200   100%    43200 override-lastmod override-expire ignore-reload ignore-no-cache
refresh_pattern http://ads\.                       43200   100%    43200 override-lastmod override-expire ignore-reload ignore-no-cache
refresh_pattern http://adv\.                       43200   100%    43200 override-lastmod override-expire ignore-reload ignore-no-cache
refresh_pattern http://click\.                     43200   100%    43200 override-lastmod override-expire ignore-reload ignore-no-cache
refresh_pattern http://count\.                     43200   100%    43200 override-lastmod override-expire ignore-reload ignore-no-cache
refresh_pattern http://counter\.                   43200   100%    43200 override-lastmod override-expire ignore-reload ignore-no-cache
refresh_pattern http://engine\.                    43200   100%    43200 override-lastmod override-expire ignore-reload ignore-no-cache
refresh_pattern http://img\.readme\.ru             43200   100%    43200 override-lastmod override-expire ignore-reload ignore-no-cache
refresh_pattern http://userpic\.livejournal\.com   43200   100%    43200 override-lastmod override-expire ignore-reload ignore-no-cache
refresh_pattern \.ru/bf-analyze                    43200   100%    43200 override-lastmod override-expire ignore-reload ignore-no-cache
refresh_pattern \.ru/bf-si                         43200   100%    43200 override-lastmod override-expire ignore-reload ignore-no-cache
refresh_pattern /advs/                             43200   100%    43200 override-lastmod override-expire ignore-reload ignore-no-cache
refresh_pattern /banners/                          43200   100%    43200 override-lastmod override-expire ignore-reload ignore-no-cache
refresh_pattern /cgi-bin/iframe/                   43200   100%    43200 override-lastmod override-expire ignore-reload ignore-no-cache

Screenshots: three images attached (not reproduced here).


3 answer(s)
Ruslan Fedoseev, 2019-06-19
@martin74ua

sarg
squidguard
and other log analyzers...
You can also look through the manager's interface.
In general, go read the docs.

CityCat4, 2019-06-19
@CityCat4

Parse squid logs. SARG, SAMS and other log analyzers. They say that ELK can be configured to parse the squid log.
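Both answers above point at the access log; as an added example (not code from any of the posters or from SARG/SAMS), this small Python parser reads Squid's native access.log layout, sums bytes per client and per origin server, and lists which internal clients made the proxy fetch from a given origin such as 88.221.132.80. The log lines are constructed for the example, and the quick_abort_min remark in the comments refers to the config posted in the question.

```python
import re
from collections import defaultdict

# Constructed sample lines in Squid's native access.log layout (not a real capture):
# timestamp elapsed client action/status bytes method url user hierarchy/origin mime
SAMPLE_LOG = """\
1560949200.101  320 192.168.77.45 TCP_MISS/200 104857600 GET http://dl.delivery.mp.microsoft.com/files/a.cab - HIER_DIRECT/88.221.132.80 application/octet-stream
1560949201.202   45 192.168.77.12 TCP_HIT/200 52341 GET http://www.example.org/index.html - HIER_NONE/- text/html
1560949202.303 1200 192.168.77.45 TCP_MISS_ABORTED/200 94371840 GET http://dl.delivery.mp.microsoft.com/files/b.cab - HIER_DIRECT/88.221.132.80 application/octet-stream
1560949203.404   88 192.168.77.30 TCP_TUNNEL/200 20480 CONNECT mail.example.net:443 - HIER_DIRECT/203.0.113.7 -
1560949204.505   12 192.168.77.12 TCP_DENIED/403 3820 GET http://ads.example.com/banner.gif - HIER_NONE/- text/html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<action>\S+)/(?P<status>\d+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)/(?P<origin>\S+)\s+(?P<mime>\S+)$"
)

def parse_log(text):
    """Return one dict per well-formed native-format line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["bytes"] = int(rec["bytes"])
            records.append(rec)
    return records

def bytes_by(records, field):
    """Sum the bytes-sent-to-client column per value of `field` ("client" or "origin"),
    largest consumer first."""
    totals = defaultdict(int)
    for r in records:
        totals[r[field]] += r["bytes"]
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))

def clients_for_origin(records, origin):
    """Internal clients whose requests made Squid fetch from the given origin IP."""
    return sorted({r["client"] for r in records if r["origin"] == origin})

def aborted(records):
    """Transfers the client gave up on. With quick_abort_min -1 (as in the posted config)
    Squid keeps fetching the whole object anyway, so the logged byte count understates
    what the proxy actually pulled from the Internet for these lines."""
    return [r for r in records if "ABORTED" in r["action"]]
```

Run it against the real file with `parse_log(open("/var/log/squid/access.log").read())`; the origin column is what ties a strange destination back to the workstation that asked for it.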

sash999, 2019-06-19
@sash999

And take away this one:
It can help a lot.
