Re: [squid-users] Re: Strange Kerberos authentication behavior (very high load, very slow response)

From: Billie Joe <billiegdjoe_at_gmail.com>
Date: Mon, 2 Aug 2010 17:13:48 -0300

Thanks for reply !

Half an hour after I posted here I found the solution. It was the replay
cache. I disabled it and everything works fine. The load now is about 1
or less.

BillieGDJoe

2010/8/2 Markus Moeller <huaraz_at_moeller.plus.com>:
> Can you try to disable the replay cache as described here and let me know
> the load please ?
>
> Thank you
> Markus
>
> "Billie Joe" <billiegdjoe_at_gmail.com> wrote in message
> news:AANLkTi=ZU4Qs-rBjxDeuvyYQbokxJ0j1Aw+fx+EpMQQc_at_mail.gmail.com...
>>
>> Hi Folks,
>>
>>
>> Here it is:
>>
>>
>> Hardware specs:
>>
>> HP DL160G6, 8GB RAM, 2 SAS 146GB 15K RPM RAID01
>>
>> OS specs:
>>
>> Centos 5.5 X86-64 - 2.6.18-194.8.1.el5
>> Windows Server 2003 R2 (AD)
>>
>> Packages:
>>
>> squid-2.6.STABLE21-6.el5
>> krb5-libs-1.6.1-36.el5_5.5
>> pam_krb5-2.2.14-15
>> pam_krb5-2.2.14-15
>> krb5-libs-1.6.1-36.el5_5.5
>> krb5-workstation-1.6.1-36.el5_5.5
>>
>> squid.conf:
>>
>> visible_hostname hostname.domain
>>
>> http_port 3128
>> icp_port 3130
>>
>> hierarchy_stoplist cgi-bin ?
>>
>> ### no auth
>> acl RepoNoauth url_regex "/opt/catfish/etc/rules/url_regex/RepoNoauth"
>> acl Servidores src "/opt/catfish/etc/rules/src/Servidores"
>> http_access allow Servidores RepoNoauth
>>
>> auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -s HTTP/hostname.domain
>> auth_param negotiate children 1500
>> auth_param negotiate keep_alive on
>>
>> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>> auth_param ntlm children 50
>> authenticate_ttl 12 hours
>> auth_param ntlm keep_alive on
>>
>> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
>> auth_param basic children 5
>> auth_param basic realm Cluster Proxy
>> auth_param basic credentialsttl 2 hours
>>
>> negative_ttl 10 seconds
>>
>> cache_store_log none
>>
>> max_filedesc 32768
>>
>> cache_swap_high 96
>>
>> strip_query_terms off
>>
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern . 0 20% 4320
>> acl QUERY urlpath_regex cgi-bin \?
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/255.255.255.255
>> acl to_localhost dst 127.0.0.0/8
>> acl SSL_ports port 21 70 80 81 82 85 88 89 90 100 210 280 333 443 488 563 591 777 800-65535
>> acl CONNECT method CONNECT
>> acl HEAD method HEAD
>>
>> ### changed
>> acl Safe_ports port 21 70 80 81 82 83 85 88 89 90 100 210 280 333 443 488 563 591 777 800-65535
>> acl all src 0.0.0.0-255.255.255.255
>> acl allUsuariosHorarioDeAlmoco src 0.0.0.0-255.255.255.255
>> acl allUsuariosNegados src 0.0.0.0-255.255.255.255
>> acl snmppublic          snmp_community public
>> acl gerenciador src 127.0.0.0/8 10.96.156.0/24 10.8.1.0/24 10.96.210.0/24
>>
>> delay_pools 3
>> ### some slow sites
>> ### gnutella
>> acl portaslentas port 6346 1214
>> delay_class 1 1
>> delay_access 1 allow portaslentas
>> delay_parameters 1 666/666
>>
>> ### movies
>> acl sitesdefilme url_regex "/opt/catfish/etc/rules/url_regex/SitesFilmes"
>> acl extensoesdefilmes urlpath_regex -i \.avi \.mpg \.mpeg \.mov
>> delay_class 2 2
>> delay_access 2 allow sitesdefilme
>> delay_parameters 2 -1/-1 10000/10000 5000/5000
>>
>> ### Toledo
>> acl filmesemusicas urlpath_regex -i  \.avi \.mpg \.mpeg \.mp3 \.mov
>> acl rangetoledo src 10.194.0.0-10.194.255.255
>> delay_class 3 1
>> delay_access 3 allow filmesemusicas rangetoledo
>> delay_parameters 3 666/666
>>
>> # Expanion query terminals ("ilha consulta")
>> acl Expanion url_regex "/opt/catfish/etc/rules/url_regex/Expanion"
>> acl IPExpanion src "/opt/catfish/etc/rules/src/IPExpanion"
>> http_access allow IPExpanion Expanion
>> http_access deny all IPExpanion
>>
>> # sites allowed without authentication
>> acl SitesNoauth url_regex "/opt/catfish/etc/rules/url_regex/SitesNoauth"
>> http_access allow all SitesNoauth
>> always_direct allow SitesNoauth
>> http_access allow HEAD SitesNoauth
>>
>> # allow skype
>> acl skype_port port 443
>> acl connect_skype method CONNECT
>> acl LiberarSkype src "/opt/catfish/etc/rules/src/IPAcessoLiberarIMs"
>> http_access allow LiberarSkype skype_port connect_skype
>>
>> # acls for logins
>> acl Todos proxy_auth REQUIRED
>> acl free proxy_auth_regex "/opt/catfish/etc/auth/rules/free"
>> acl freeip src "/opt/catfish/etc/auth/rules/freeip"
>> acl LiberarIMsauth proxy_auth_regex "/opt/catfish/etc/rules/src/UsuariosLiberarIMs"
>>
>> ### bagre acls
>> acl UsuariosBloquearIMs proxy_auth_regex "/opt/catfish/etc/rules/src/UsuariosBloquearIMs"
>> acl UsuariosLiberarIMs proxy_auth_regex "/opt/catfish/etc/rules/src/UsuariosLiberarIMs"
>> acl IPAcessoDefinidoNegado src "/opt/catfish/etc/rules/src/IPAcessoDefinidoNegado"
>> acl IPAcessoDefinidoHorarioDeAlmoco src "/opt/catfish/etc/rules/src/IPAcessoDefinidoHorarioDeAlmoco"
>> acl IPAcessoDefinidoLiberado src "/opt/catfish/etc/rules/src/IPAcessoDefinidoLiberado"
>> acl UsuariosNegados proxy_auth_regex "/opt/catfish/etc/rules/src/UsuariosNegados"
>> acl UsuariosHorarioDeAlmoco proxy_auth_regex "/opt/catfish/etc/rules/src/UsuariosHorarioDeAlmoco"
>> acl UsuariosLiberados proxy_auth_regex "/opt/catfish/etc/rules/src/UsuariosLiberados"
>> acl IPAcessoPadraoHorarioDeAlmoco src "/opt/catfish/etc/rules/src/IPAcessoPadraoHorarioDeAlmoco"
>> acl IPAcessoPadraoLiberado src "/opt/catfish/etc/rules/src/IPAcessoPadraoLiberado"
>> acl IPAcessoPadraoNegado src "/opt/catfish/etc/rules/src/IPAcessoPadraoNegado"
>> acl InstantMessengersAllow url_regex "/opt/catfish/etc/rules/url_regex/InstantMessengersAllow"
>> acl InstantMessengers url_regex "/opt/catfish/etc/rules/url_regex/InstantMessengers"
>> acl SitesNoauth url_regex "/opt/catfish/etc/rules/url_regex/SitesNoauth"
>> acl IPAcessoLiberarIMs src "/opt/catfish/etc/rules/src/IPAcessoLiberarIMs"
>> acl IPAcessoBloquearIMs src "/opt/catfish/etc/rules/src/IPAcessoBloquearIMs"
>> acl SitesBloqueados url_regex "/opt/catfish/etc/rules/url_regex/SitesBloqueados"
>> acl SitesPermitidos url_regex "/opt/catfish/etc/rules/url_regex/SitesPermitidos"
>> acl HorarioDeAlmoco time "/opt/catfish/etc/rules/time/HorarioDeAlmoco"
>> acl LiberarEnderecosInternos src "/opt/catfish/etc/rules/src/LiberarEnderecosInternos"
>> ### /bagre acls
>>
>> # acls for sites
>> acl RedeInterna url_regex "/opt/catfish/etc/auth/rules/RedeInterna"
>> acl Excessoes url_regex "/opt/catfish/etc/auth/rules/Excessoes"
>>
>> # malware block list
>> acl malware_block_list url_regex -i "/opt/catfish/etc/rules/url_regex/malware_block_list.txt"
>>
>> no_cache deny QUERY
>> http_access allow manager localhost
>> http_access deny manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>>
>> ### changed
>> snmp_access allow snmppublic localhost
>> snmp_access allow snmppublic gerenciador
>> snmp_access deny all
>> snmp_port 3420
>> snmp_incoming_address 0.0.0.0
>> snmp_outgoing_address 0.0.0.0
>>
>> http_access allow Todos Excessoes free
>> http_access allow Excessoes freeip
>> http_access allow LiberarIMsauth InstantMessengersAllow
>> http_access deny malware_block_list
>>
>> ### bagre rules
>> http_access allow UsuariosLiberarIMs InstantMessengersAllow
>> http_access deny UsuariosBloquearIMs InstantMessengers
>> http_access allow IPAcessoLiberarIMs InstantMessengersAllow
>> http_access deny IPAcessoBloquearIMs InstantMessengers
>> http_access deny SitesBloqueados
>> http_access allow SitesPermitidos
>> http_access deny IPAcessoDefinidoNegado
>> http_access allow IPAcessoDefinidoHorarioDeAlmoco HorarioDeAlmoco
>> http_access deny IPAcessoDefinidoHorarioDeAlmoco
>> http_access allow IPAcessoDefinidoLiberado
>> http_access deny UsuariosNegados allUsuariosNegados
>> http_access allow UsuariosHorarioDeAlmoco HorarioDeAlmoco
>> http_access deny UsuariosHorarioDeAlmoco allUsuariosHorarioDeAlmoco
>> http_access allow UsuariosLiberados
>> http_access allow IPAcessoPadraoLiberado
>> http_access allow IPAcessoPadraoHorarioDeAlmoco HorarioDeAlmoco
>> http_access deny IPAcessoPadraoHorarioDeAlmoco
>> http_access deny IPAcessoPadraoNegado
>> http_access allow LiberarEnderecosInternos
>> ### /bagre rules
>> deny_info IP_HORARIO_IMPROPIO IPAcessoDefinidoHorarioDeAlmoco IPAcessoPadraoHorarioDeAlmoco
>> deny_info USUARIO_HORARIO_IMPROPIO allUsuariosHorarioDeAlmoco
>> deny_info ERR_USR_ACCESS_DENIED allUsuariosNegados
>> deny_info MALWARE malware_block_list
>>
>> http_reply_access allow all
>> icp_access allow all
>>
>> cache_effective_user  squid
>>
>> cache_mgr cachemgr_at_mydomain.com
>> maximum_object_size 4096 KB
>>
>> access_log /var/log/squid/access.log squid
>> logfile_rotate 5
>>
>> error_directory /usr/share/squid/errors/Myerrors
>>
>> cache_dir ufs /var/spool/squid 4096 16 256
>>
>> cache_mem 4096 MB
>>
>> half_closed_clients off
>>
>> cache deny all
>>
>> Problem:
>>
>> Everything works fine, except that the system load reaches 1000 and
>> keeps increasing when using Kerberos authentication, which results in
>> slow responses from the proxy server to users. When using only NTLM
>> authentication (with the Kerberos authentication line commented out), the
>> load is no more than 2, which results in fast responses from the proxy
>> server to users. CPU utilization is always low. No swap utilization by
>> the kernel. In my test environment, with 20 users, I always get fast
>> responses. The problem occurs when I put the server in production.
>> What is happening with Kerberos authentication?
>>
>> --
>>
>>
>> "Computers are like air-conditioners.
>> They stop working when you open Windows."
>> BillieGDJoe
>>
>
>
>

-- 
"Computers are like air-conditioners.
They stop working when you open Windows."
BillieGDJoe
Received on Mon Aug 02 2010 - 20:13:51 MDT
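Editor's added example, not code from the thread or from the Squid project. Markus's link to the replay-cache instructions did not survive in the archive, so the mechanism here is an assumption about what he meant: with MIT Kerberos (the krb5-libs package on the poster's CentOS box) the replay cache can be switched off by exporting KRB5RCACHETYPE=none into the environment that squid, and therefore every squid_kerb_auth helper it forks, inherits. The common mistake is to set the variable in an interactive shell and restart squid from an init script that never sees it, so the script below also reads the live environment of the helper processes out of /proc to confirm the setting reached them. The sysconfig path, the helper name used for pgrep and the constructed environment dump in the test are all assumptions. Keep in mind what the replay cache is for: it rejects a re-sent Kerberos authenticator inside the clock-skew window, so with it off the acceptor relies on the authenticator timestamp alone.

```shell
#!/bin/sh
# Added example (not from the squid-users thread): disable the MIT Kerberos
# replay cache for squid_kerb_auth via KRB5RCACHETYPE=none and verify that
# running helpers actually inherited the setting.
# Assumptions: squid's init script sources a sysconfig-style file such as
# /etc/sysconfig/squid; helpers show up under the name squid_kerb_auth.

SYSCONFIG=${SYSCONFIG:-/etc/sysconfig/squid}   # assumed path

# Append the export to the sysconfig file exactly once (idempotent).
disable_rcache_in_file() {
    f=$1
    if grep -q '^export KRB5RCACHETYPE=none$' "$f" 2>/dev/null; then
        return 0
    fi
    printf '\n# Kerberos replay cache off for squid_kerb_auth\nexport KRB5RCACHETYPE=none\n' >> "$f"
}

# How many times the export appears in a file (expected: exactly 1).
count_rcache_exports() {
    grep -c '^export KRB5RCACHETYPE=none$' "$1" 2>/dev/null || true
}

# $1 is a NUL-separated environment dump, e.g. /proc/<pid>/environ.
# Returns 0 when KRB5RCACHETYPE=none is present as a whole entry.
environ_has_rcache_disabled() {
    tr '\000' '\n' < "$1" | grep -qx 'KRB5RCACHETYPE=none'
}

# Same check against a live process (Linux /proc; needs same uid or root).
proc_has_rcache_disabled() {
    environ_has_rcache_disabled "/proc/$1/environ"
}

# Walk every squid_kerb_auth helper and report which ones still have the
# replay cache enabled. Returns 1 if any helper lacks the setting.
check_running_helpers() {
    bad=0
    for pid in $(pgrep -f squid_kerb_auth 2>/dev/null); do
        if proc_has_rcache_disabled "$pid"; then
            echo "pid $pid: replay cache disabled"
        else
            echo "pid $pid: KRB5RCACHETYPE not set, replay cache still active"
            bad=1
        fi
    done
    return $bad
}

main() {
    disable_rcache_in_file "$SYSCONFIG"
    echo "exports in $SYSCONFIG: $(count_rcache_exports "$SYSCONFIG")"
    echo "restart squid so the helpers pick up the new environment, then:"
    check_running_helpers
}

# Run only when invoked with an argument, so sourcing the file is side-effect free.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

After editing the sysconfig file, squid has to be fully restarted (not just `squid -k reconfigure`) because the helpers inherit their environment at fork time; `check_running_helpers` is what tells you whether that actually happened.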

This archive was generated by hypermail 2.2.0 : Tue Aug 03 2010 - 12:00:02 MDT