[squid-users] Re: Strange Kerberos authentication behavior (very high load, very slow response)

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Mon, 2 Aug 2010 20:12:18 +0100

Can you try to disable the replay cache as described here and let me know
the load please?

Thank you
Markus

"Billie Joe" <billiegdjoe_at_gmail.com> wrote in message
news:AANLkTi=ZU4Qs-rBjxDeuvyYQbokxJ0j1Aw+fx+EpMQQc_at_mail.gmail.com...
> Hi Folks,
>
>
> Here it is:
>
>
> Hardware specs:
>
> HP DL160G6, 8GB RAM, 2 SAS 146GB 15K RPM RAID01
>
> OS specs:
>
> Centos 5.5 X86-64 - 2.6.18-194.8.1.el5
> Windows Server 2003 R2 (AD)
>
> Packages:
>
> squid-2.6.STABLE21-6.el5
> krb5-libs-1.6.1-36.el5_5.5
> pam_krb5-2.2.14-15
> pam_krb5-2.2.14-15
> krb5-libs-1.6.1-36.el5_5.5
> krb5-workstation-1.6.1-36.el5_5.5
>
> squid.conf:
>
> visible_hostname hostname.domain
>
> http_port 3128
> icp_port 3130
>
> hierarchy_stoplist cgi-bin ?
>
> ### no auth
> acl RepoNoauth url_regex "/opt/catfish/etc/rules/url_regex/RepoNoauth"
> acl Servidores src "/opt/catfish/etc/rules/src/Servidores"
> http_access allow Servidores RepoNoauth
>
> auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -s HTTP/hostname.domain
> auth_param negotiate children 1500
> auth_param negotiate keep_alive on
>
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 50
> authenticate_ttl 12 hours
> auth_param ntlm keep_alive on
>
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Cluster Proxy
> auth_param basic credentialsttl 2 hours
>
> negative_ttl 10 seconds
>
> cache_store_log none
>
> max_filedesc 32768
>
> cache_swap_high 96
>
> strip_query_terms off
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> acl QUERY urlpath_regex cgi-bin \?
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 21 70 80 81 82 85 88 89 90 100 210 280 333 443 488 563 591 777 800-65535
> acl CONNECT method CONNECT
> acl HEAD method HEAD
>
> ### changed
> acl Safe_ports port 21 70 80 81 82 83 85 88 89 90 100 210 280 333 443 488 563 591 777 800-65535
> acl all src 0.0.0.0-255.255.255.255
> acl allUsuariosHorarioDeAlmoco src 0.0.0.0-255.255.255.255
> acl allUsuariosNegados src 0.0.0.0-255.255.255.255
> acl snmppublic snmp_community public
> acl gerenciador src 127.0.0.0/8 10.96.156.0/24 10.8.1.0/24 10.96.210.0/24
>
> delay_pools 3
> ### some slow sites
> ### gnutella
> acl portaslentas port 6346 1214
> delay_class 1 1
> delay_access 1 allow portaslentas
> delay_parameters 1 666/666
>
> ### movies
> acl sitesdefilme url_regex "/opt/catfish/etc/rules/url_regex/SitesFilmes"
> acl extensoesdefilmes urlpath_regex -i \.avi \.mpg \.mpeg \.mov
> delay_class 2 2
> delay_access 2 allow sitesdefilme
> delay_parameters 2 -1/-1 10000/10000 5000/5000
>
> ### Toledo
> acl filmesemusicas urlpath_regex -i \.avi \.mpg \.mpeg \.mp3 \.mov
> acl rangetoledo src 10.194.0.0-10.194.255.255
> delay_class 3 1
> delay_access 3 allow filmesemusicas rangetoledo
> delay_parameters 3 666/666
>
> # expanions query island
> acl Expanion url_regex "/opt/catfish/etc/rules/url_regex/Expanion"
> acl IPExpanion src "/opt/catfish/etc/rules/src/IPExpanion"
> http_access allow IPExpanion Expanion
> http_access deny all IPExpanion
>
> # sites allowed without authentication
> acl SitesNoauth url_regex "/opt/catfish/etc/rules/url_regex/SitesNoauth"
> http_access allow all SitesNoauth
> always_direct allow SitesNoauth
> http_access allow HEAD SitesNoauth
>
> # allow skype
> acl skype_port port 443
> acl connect_skype method CONNECT
> acl LiberarSkype src "/opt/catfish/etc/rules/src/IPAcessoLiberarIMs"
> http_access allow LiberarSkype skype_port connect_skype
>
> # acls for logins
> acl Todos proxy_auth REQUIRED
> acl free proxy_auth_regex "/opt/catfish/etc/auth/rules/free"
> acl freeip src "/opt/catfish/etc/auth/rules/freeip"
> acl LiberarIMsauth proxy_auth_regex "/opt/catfish/etc/rules/src/UsuariosLiberarIMs"
>
> ### bagre acls
> acl UsuariosBloquearIMs proxy_auth_regex "/opt/catfish/etc/rules/src/UsuariosBloquearIMs"
> acl UsuariosLiberarIMs proxy_auth_regex "/opt/catfish/etc/rules/src/UsuariosLiberarIMs"
> acl IPAcessoDefinidoNegado src "/opt/catfish/etc/rules/src/IPAcessoDefinidoNegado"
> acl IPAcessoDefinidoHorarioDeAlmoco src "/opt/catfish/etc/rules/src/IPAcessoDefinidoHorarioDeAlmoco"
> acl IPAcessoDefinidoLiberado src "/opt/catfish/etc/rules/src/IPAcessoDefinidoLiberado"
> acl UsuariosNegados proxy_auth_regex "/opt/catfish/etc/rules/src/UsuariosNegados"
> acl UsuariosHorarioDeAlmoco proxy_auth_regex "/opt/catfish/etc/rules/src/UsuariosHorarioDeAlmoco"
> acl UsuariosLiberados proxy_auth_regex "/opt/catfish/etc/rules/src/UsuariosLiberados"
> acl IPAcessoPadraoHorarioDeAlmoco src "/opt/catfish/etc/rules/src/IPAcessoPadraoHorarioDeAlmoco"
> acl IPAcessoPadraoLiberado src "/opt/catfish/etc/rules/src/IPAcessoPadraoLiberado"
> acl IPAcessoPadraoNegado src "/opt/catfish/etc/rules/src/IPAcessoPadraoNegado"
> acl InstantMessengersAllow url_regex "/opt/catfish/etc/rules/url_regex/InstantMessengersAllow"
> acl InstantMessengers url_regex "/opt/catfish/etc/rules/url_regex/InstantMessengers"
> acl SitesNoauth url_regex "/opt/catfish/etc/rules/url_regex/SitesNoauth"
> acl IPAcessoLiberarIMs src "/opt/catfish/etc/rules/src/IPAcessoLiberarIMs"
> acl IPAcessoBloquearIMs src "/opt/catfish/etc/rules/src/IPAcessoBloquearIMs"
> acl SitesBloqueados url_regex "/opt/catfish/etc/rules/url_regex/SitesBloqueados"
> acl SitesPermitidos url_regex "/opt/catfish/etc/rules/url_regex/SitesPermitidos"
> acl HorarioDeAlmoco time "/opt/catfish/etc/rules/time/HorarioDeAlmoco"
> acl LiberarEnderecosInternos src "/opt/catfish/etc/rules/src/LiberarEnderecosInternos"
> ### /bagre acls
>
> # acls for sites
> acl RedeInterna url_regex "/opt/catfish/etc/auth/rules/RedeInterna"
> acl Excessoes url_regex "/opt/catfish/etc/auth/rules/Excessoes"
>
> # malware block list
> acl malware_block_list url_regex -i "/opt/catfish/etc/rules/url_regex/malware_block_list.txt"
>
> no_cache deny QUERY
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> ### changed
> snmp_access allow snmppublic localhost
> snmp_access allow snmppublic gerenciador
> snmp_access deny all
> snmp_port 3420
> snmp_incoming_address 0.0.0.0
> snmp_outgoing_address 0.0.0.0
>
> http_access allow Todos Excessoes free
> http_access allow Excessoes freeip
> http_access allow LiberarIMsauth InstantMessengersAllow
> http_access deny malware_block_list
>
> ### bagre rules
> http_access allow UsuariosLiberarIMs InstantMessengersAllow
> http_access deny UsuariosBloquearIMs InstantMessengers
> http_access allow IPAcessoLiberarIMs InstantMessengersAllow
> http_access deny IPAcessoBloquearIMs InstantMessengers
> http_access deny SitesBloqueados
> http_access allow SitesPermitidos
> http_access deny IPAcessoDefinidoNegado
> http_access allow IPAcessoDefinidoHorarioDeAlmoco HorarioDeAlmoco
> http_access deny IPAcessoDefinidoHorarioDeAlmoco
> http_access allow IPAcessoDefinidoLiberado
> http_access deny UsuariosNegados allUsuariosNegados
> http_access allow UsuariosHorarioDeAlmoco HorarioDeAlmoco
> http_access deny UsuariosHorarioDeAlmoco allUsuariosHorarioDeAlmoco
> http_access allow UsuariosLiberados
> http_access allow IPAcessoPadraoLiberado
> http_access allow IPAcessoPadraoHorarioDeAlmoco HorarioDeAlmoco
> http_access deny IPAcessoPadraoHorarioDeAlmoco
> http_access deny IPAcessoPadraoNegado
> http_access allow LiberarEnderecosInternos
> ### /bagre rules
> deny_info IP_HORARIO_IMPROPIO IPAcessoDefinidoHorarioDeAlmoco IPAcessoPadraoHorarioDeAlmoco
> deny_info USUARIO_HORARIO_IMPROPIO allUsuariosHorarioDeAlmoco
> deny_info ERR_USR_ACCESS_DENIED allUsuariosNegados
> deny_info MALWARE malware_block_list
>
> http_reply_access allow all
> icp_access allow all
>
> cache_effective_user squid
>
> cache_mgr cachemgr_at_mydomain.com
> maximum_object_size 4096 KB
>
> access_log /var/log/squid/access.log squid
> logfile_rotate 5
>
> error_directory /usr/share/squid/errors/Myerrors
>
> cache_dir ufs /var/spool/squid 4096 16 256
>
> cache_mem 4096 MB
>
> half_closed_clients off
>
> cache deny all
>
> Problem:
>
> Everything works fine, except that the system load reaches 1000 and
> keeps increasing when using Kerberos authentication, which results in
> slow responses from the proxy server to users. When using only NTLM
> authentication (with the Kerberos authentication line commented out),
> the load is no more than 2, which results in fast responses from the
> proxy server to users. CPU utilization is always low. No swap
> utilization by the kernel. In my test environment, with 20 users, I
> always get fast responses. The problem occurs when I put the server in
> production. What is happening with Kerberos authentication?
>
> --
>
>
> "Computers are like air-conditioners.
> They stop working when you open Windows."
> BillieGDJoe
>
Received on Mon Aug 02 2010 - 19:12:37 MDT
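What "disable the replay cache" can look like in practice, as an added example that is not part of the thread and not the helper documentation Markus refers to (that link is not on this page). The script below takes the posted auth_param lines, generates a shell wrapper that exports MIT Kerberos' KRB5RCACHETYPE=none (a documented MIT krb5 environment variable; "none" switches the replay cache off) before exec'ing the real squid_kerb_auth, and rewrites the negotiate program line to run the wrapper, so the change is scoped to the helper processes and not to every Kerberos consumer on the box. The wrapper path /usr/lib64/squid/squid_kerb_auth_norc and the squid.conf excerpt are constructed for this example; the helper path and arguments are the ones in the post.

```python
"""Disable the MIT Kerberos replay cache for squid_kerb_auth only.

Added example, not code from the squid-users thread or from the helper's
own documentation. It rewrites the posted "auth_param negotiate program"
line to run a shell wrapper that exports KRB5RCACHETYPE=none before
exec'ing the real helper. WRAPPER_PATH and SAMPLE_CONF are constructed.
"""
import shlex

# Hypothetical location for the wrapper; any path squid can execute will do.
WRAPPER_PATH = "/usr/lib64/squid/squid_kerb_auth_norc"

# Constructed excerpt of the posted squid.conf (the wrapped line rejoined).
SAMPLE_CONF = """\
auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -s HTTP/hostname.domain
auth_param negotiate children 1500
auth_param negotiate keep_alive on
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 50
"""


def parse_auth_params(conf_text):
    """Map each auth scheme to its auth_param key/value pairs."""
    params = {}
    for raw in conf_text.splitlines():
        parts = raw.strip().split(None, 3)
        if len(parts) == 4 and parts[0] == "auth_param":
            _, scheme, key, value = parts
            params.setdefault(scheme, {})[key] = value
    return params


def wrapper_script():
    """Shell wrapper: turn the replay cache off, then exec the real helper
    with whatever arguments squid.conf passes (e.g. -s HTTP/hostname.domain)."""
    return (
        "#!/bin/sh\n"
        "# Each helper child that accepts a token consults the shared replay\n"
        "# cache file under /var/tmp (exact name depends on the krb5 version);\n"
        "# with 1500 children that file lock is heavily contended.\n"
        "# Caveat: this also removes detection of replayed AP-REQ tokens.\n"
        "KRB5RCACHETYPE=none\n"
        "export KRB5RCACHETYPE\n"
        'exec /usr/lib64/squid/squid_kerb_auth "$@"\n'
    )


def patch_conf(conf_text, wrapper_path=WRAPPER_PATH):
    """Point the negotiate helper line at the wrapper, keeping its arguments."""
    out = []
    for raw in conf_text.splitlines():
        parts = raw.strip().split(None, 3)
        if len(parts) == 4 and parts[:3] == ["auth_param", "negotiate", "program"]:
            argv = shlex.split(parts[3])
            argv[0] = wrapper_path
            raw = "auth_param negotiate program " + " ".join(shlex.quote(a) for a in argv)
        out.append(raw)
    return "\n".join(out) + "\n"


def helper_children(conf_text, scheme="negotiate"):
    """How many helper processes of this scheme squid may start (all of them
    sharing one replay cache file before the change)."""
    return int(parse_auth_params(conf_text).get(scheme, {}).get("children", 0))


if __name__ == "__main__":
    print("# wrapper to install at", WRAPPER_PATH, "(root-owned, mode 755):")
    print(wrapper_script())
    print("# squid.conf after the change:")
    print(patch_conf(SAMPLE_CONF), end="")
    print("# negotiate helpers sharing the replay cache before the change:",
          helper_children(SAMPLE_CONF))
```

Install the printed wrapper, swap the program line, restart squid and compare the load with the two helper setups the post describes. The trade-off to weigh before leaving it in production: the Negotiate token travels in the Proxy-Authorization header of plain HTTP between client and proxy, and without the replay cache the helper will accept that same token again from anyone who can read that traffic, for as long as the KDC clock-skew window allows.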

This archive was generated by hypermail 2.2.0 : Tue Aug 03 2010 - 12:00:02 MDT