BlueCoat ProxySG性能问题分析--ICAP排队现象

问题情况

　　用户同时部署了ProxySG正向代理和CAS防病毒网关，在开启防病毒网关后发现用户上网出现明显卡顿，而关闭防病毒网关后恢复正常

原因解释

　　CAS的病毒扫描与防火墙等安全设备不同，防火墙这种串在网络中的病毒扫描设备使用的是基于流的扫描，它会将数据包持续给到客户端，一旦在Payload中检查到有恶意字节，将终止数据传输，而基于代理服务器的防病毒网络使用的则是基于文件对象的扫描，需要先由代理服务器将文件对象完整下载下来后再交由防病毒网关处理，所以，对于小文件的下载，用户可能没有感知，但对于大文件的下载，用户会明显感受到浏览器没有反应，因为代理服务器还没将对象完整下载下来。

　　上图是在ProxySG上看到的ICAP排队现象，就是由于所有文件都会经过CAS扫描，ICAP连接数全被用光，所以会出现排队现象。

上图是一个正常的ICAP队列情况，没有排队现象，用户不会感受到缓慢

解决思路

　　安全和用户体验一直是鱼和熊掌的关系，需要有一个trade off的考虑，基于文件对象的扫描相比基于流的扫描更加安全，因为在文件被确认干净之前是不会有任何数据包达到客户端的，但用户的体验也要兼顾，所以需要在代理服务器上部署ICAP优化策略，减少文件扫描对象，释放紧张的ICAP连接资源。
　　BlueCoat官方提供的优化策略在”CAS and SG integration Guide”中有提到，但我认为还不够精简高效，以下是我自己在官方优化策略基础上做的优化策略，已在多个实施案例中使用，一方面减少了CPL代码量，另一方面充分利用了ICAP连接

define condition StreamAppUA  request.header.user-agent="^Mozilla\/4\.0 \(compatible; MSIE 6\.0; Win32\)$"  request.header.user-agent="Java\/1\."end condition StreamAppUAdefine condition StreamingJavaApp  url.scheme=http condition=StreamAppUAend condition StreamingJavaAppdefine condition NO_TO_LARGE_CONTENT_LENGTH;        response.header.Content-Length=!".*"         response.header.Content-Length=!"^[0-9]{1,7}$"  ; catch content-lengths greater than 9999999 bytes.  Can +/- as          response.header.Content-Length=!"";        response.header.Content-Length="[0-9]{10}|[0-9]{9}|[0-9]{8}|[2-9][0-9]{6}"  ; > 2M;        response.header.Content-Length="[0-9]{8,10}|[2-9][0-9]{6}"  ;  > 2Mend condition NO_TO_LARGE_CONTENT_LENGTHdefine condition MEDIA_MIME_TYPES        response.header.Content-Type="video/"  ; Additional mime-types can be added to this condition        response.header.Content-Type="application/streamingmedia"        response.header.Content-Type="application/x-streamingmedia"        response.header.Content-Type="application/vnd.rn"        response.header.Content-Type="application/ogg"        response.header.Content-Type="application/x-ogg"        response.header.Content-Type="audio/"        response.header.Content-Type="multipart/x-mixed-replace"  ; Catch webcams that send streams of images as multipart/x-mixed-replace type.        response.header.Content-Type="application/octet-stream"        response.header.Content-Type="application/x-shockwave-flash";       response.header.Content-Type="image/"   ; option add end condition MEDIA_MIME_TYPESdefine condition MisBehaving_Old_UserAgents   request.header.User-Agent="Winamp"   request.header.User-Agent="NSPlayer"   request.header.User-Agent="RMA"   request.header.User-Agent="ultravox"   request.header.User-Agent="itunes"   request.header.User-Agent="forest"   request.header.User-Agent="Scottrader"   request.header.User-Agent="SVN"end condition MisBehaving_Old_UserAgentsdefine condition HTTPv0.9_UserAgents   http.response.version=0.9 condition=MisBehaving_Old_UserAgentsend condition HTTPv0.9_UserAgentsdefine condition Not_ICAP_response;note- the following line is correct- do NOT add .* between quotes   response.x_header.X-Virus-ID=!"" ;true if X-Virus-ID header is not presentend condition Not_ICAP_responsedefine condition NOICAP;Negate ICAP service only if the OCS response is undesirable    condition=HTTPv0.9_UserAgents condition=Not_ICAP_responseend condition NOICAP<Proxy>    condition=StreamingJavaApp  bypass_cache(yes)<Cache>     url.domain="kaspersky-labs.com" response.icap_service(no)    url.domain="bluecoat.com" response.icap_service(no)    url.domain="symantec.com" response.icap_service(no)    url.domain="ositis.com" response.icap_service(no)    url.domain="c.microsoft.com" response.icap_service(no)    url.domain="download.microsoft.com" response.icap_service(no)    url.domain="update.microsoft.com" response.icap_service(no)    url.domain="windowsupdate.com" response.icap_service(no)    url.domain="windowsupdate.microsoft.com" response.icap_service(no)    url.scheme=http condition=MEDIA_MIME_TYPES response.icap_service(no)    url.scheme=https condition=MEDIA_MIME_TYPES response.icap_service(no)    url.scheme=http condition=NO_TO_LARGE_CONTENT_LENGTH response.icap_service(no)    url.scheme=https condition=NO_TO_LARGE_CONTENT_LENGTH response.icap_service(no)    condition=StreamingJavaApp  response.icap_service(no)    condition=NOICAP response.icap_service(no)<cache>    delete_on_abandonment(yes)