I setup a SafeSquid Proxy, with URL filtering (just like astaro), and according to my test, Browsing with safesquid it twice faster than with Astaro, for example a page would take 3 sec to load took between 6 and 10 seconds to load with astaro. A 2 sec page took 4 sec with astaro. This is with a single user.
The wrose is this was with all security feature of the proxy turned OFF, (AV, URL filter etc)
I`ve also set my safesquid as a parent proxy for astaro to see what it does. Basically even if you turn off all Astaro proxy feature, it still make 1 connection to its CFFS server for each request that the proxy process.
Over a few minutes, Astaro make 7316 request to its CFFSXX.astaro.com server!!
Now, what happen if you block thoses. I blocked the cffs server in the squid proxy, and things only gets wrose.. Page are even slower to load when using the Astaro proxy because all its connection to cffs server time out.. (See log below)
Finally, my ping to my closest cffs is not bad, so imagine how bad this gets for user with very high ping to the best of the cffs server list.
My ping is currently reported at 85 in the proxy log, and about 40 when using ping.
So basically, I believe there is a great area for improvement there.
1) Why does Astaro still look for categoriezation even if all Feature of the proxy are turned off (including all URL filter), even if a host is white listed ???????????? This makes no sense to me
2) Why are the categorization not cached for some time? Currently it seem that 1Request = 1CFFS Request
3) Local replication would definatly be lightning fast, but probably have issues assosiated with.
This is what happen when you block all cffs(even if URL filtering if OFF), and start using the proxy:
2010:09:20-20:15:21 plasmashield httpproxy[651]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xf1850878" function="sc_categorize_url" file="scr_scanner.c" line="941" message="no categorization received for url: www.nationalpost.com/.../btn-next.gif"
2010:09:20-20:15:21 plasmashield httpproxy[651]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="sc_decrypt" file="scr_scanner.c" line="438" message="EVP_DecryptFinal failed"
2010:09:20-20:15:21 plasmashield httpproxy[651]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="sc_server_cmd" file="scr_scanner.c" line="631" message="cffs04.astaro.com: decrypt failed"
2010:09:20-20:15:21 plasmashield httpproxy[651]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xd735ae00" function="sc_categorize_url" file="scr_scanner.c" line="941" message="no categorization received for url: www.nationalpost.com/.../comments-logo.gif"
2010:09:20-20:15:22 plasmashield httpproxy[651]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="sc_decrypt" file="scr_scanner.c" line="438" message="EVP_DecryptFinal failed"
2010:09:20-20:15:22 plasmashield httpproxy[651]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="sc_server_cmd" file="scr_scanner.c" line="631" message="cffs03.astaro.com: decrypt failed"
2010:09:20-20:15:22 plasmashield httpproxy[651]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="sc_decrypt" file="scr_scanner.c" line="438" message="EVP_DecryptFinal failed"
2010:09:20-20:15:22 plasmashield httpproxy[651]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="sc_server_cmd" file="scr_scanner.c" line="631" message="cffs07.astaro.com: decrypt failed"
2010:09:20-20:15:22 plasmashield httpproxy[651]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="sc_decrypt" file="scr_scanner.c" line="438" message="EVP_DecryptFinal failed"
2010:09:20-20:15:22 plasmashield httpproxy[651]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="sc_server_cmd" file="scr_scanner.c" line="631" message="cffs06.astaro.com: decrypt failed"
So it does look for categorization even if it's not necessary.
Thoses who care about this, should speak: http://feature.astaro.com/forums/17359-astaro-security-gateway-feature-requests/suggestions/178336-websecurity-local-content-filter-database?ref=title
This thread was automatically locked due to age.
