Re: [squid-users] Squid with Kerberos auth

From: Wladner Klimach <wladner_at_gmail.com>
Date: Wed, 21 Dec 2011 13:29:14 -0200

Amos,

so what could be causing so much load on the CPU? When I run top I can see
there's no swap and squid_kerb_auth is the process that causes
this high CPU usage. Is there any way I can check this helper? Here,
down below, is my squid.conf. I hope you can shed some light, because I
don't believe Squid runs at such a poor speed.

auth_param negotiate program /etc/squid/squid-3.1.16/helpers/negotiate_auth/squid_kerb_auth/squid_kerb_auth -s HTTP/trotsky.redecamara.camara.gov.br
auth_param negotiate children 4
auth_param negotiate keep_alive on

# External ACLs to look up group membership based on Kerberos.
external_acl_type squid_kerb_ldap ttl=3600 negative_ttl=3600 %LOGIN /etc/squid/squid-3.1.16/squid_kerb_ldap/squid_kerb_ldap -S californio.redecamara.camara.gov.br -g Internet_at_REDECAMARA.CAMARA.GOV.BR

visible_hostname trotsky.redecamara.camara.gov.br
dns_nameservers 10.1.3.5

hierarchy_stoplist cgi-bin ?
#acl liberados dstdomain "/etc/squid/liberados.txt"
acl ldap_group_check external squid_kerb_ldap
acl AUTENTICADO proxy_auth REQUIRED
http_access allow ldap_group_check
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
#acl teste external Internet teste
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl SSL_ports port 443
acl SSL_ports port 1863
acl SSL_ports port 563
acl SSL_ports port 465
acl SSL_ports port 995
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 563 # https
acl Safe_ports port 465 # https
acl Safe_ports port 995 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

acl INTRANET dst 10.0.0.0/8
acl EXE urlpath_regex -i \.exe$
acl ZIP urlpath_regex -i \.zip$
acl ARJ urlpath_regex -i \.arj$
acl MP3 urlpath_regex -i \.mp3$
acl RAR urlpath_regex -i \.rar$
acl GZ urlpath_regex -i \.gz$
acl ISO1 urlpath_regex -i \.iso\?+$
acl EXE1 urlpath_regex -i \.exe\?+$
acl ZIP1 urlpath_regex -i \.zip\?+$
acl ARJ1 urlpath_regex -i \.arj\?+$
acl MP31 urlpath_regex -i \.mp3\?+$
acl RAR1 urlpath_regex -i \.rar\?+$
acl GZ1 urlpath_regex -i \.gz\?+$

http_access allow INTRANET

http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128
cache_store_log none
maximum_object_size 16384 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 50 KB
cache_swap_low 95
cache_swap_high 98
ipcache_size 6000
ipcache_low 90
ipcache_high 92
fqdncache_size 6000
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
half_closed_clients off
memory_pools off

cache_dir diskd /cache/squid 10000 64 256 Q1=64 Q2=72
cache_mem 2048 MB
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
max_filedescriptors 1024
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

Regards,

Wladner

2011/12/20 Amos Jeffries <squid3_at_treenet.co.nz>:
> On 21/12/2011 3:03 a.m., Wladner Klimach wrote:
>>
>> But the problem is that I'm not running IPv6 in my network. That's why
>
> "Welcome to your IPv6 enabled transit network. Whether you like it, or not."
> - Rob Issac, 2008.
> (http://www.ausnog.net/files/ausnog-03/presentations/ausnog03-ward-IPv6_enabled_network.pdf)
>
> Try with -n parameter to lsof. You might get a surprise.
>
> The TCP "hybrid" stack can use IPv6 sockets for IPv4 traffic, this may also
> be what you are seeing. Squid-3.1+ will detect stack types and use this
> optimization for receiving ports if it can.
>
>
>> I've asked if this could be a problem. And the CPU usage hitting 99%
>> with only one user? Does it look like a hardware limitation? When I'm
>> not using authentication, the CPU usage doesn't hit 50%.
>
>
> Unlikely with one user.
>
> All Squid does for auth is take the tokens out of the HTTP headers and relay them
> to the auth backend, then add the backend's reply token to the HTTP response
> for the client. Very minimal CPU operations in Squid, unknown amount in the
> backend. Maybe (max) 32KB of token copied each way, plus the HTTP bits.
>
> Amos
Received on Wed Dec 21 2011 - 15:29:23 MST

This archive was generated by hypermail 2.2.0 : Thu Dec 22 2011 - 12:00:03 MST
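The exchange Amos describes (Squid pulls the Negotiate token out of the Proxy-Authorization header, hands it to the helper, and returns the helper's token to the client) is small enough to model directly, which is also the first step in answering "is there any way I can check this helper?". The script below is an added example and is not code from the thread or from the Squid project: it extracts and decodes a client's Negotiate token, reports which mechanism the client actually presented (a Kerberos-only helper such as squid_kerb_auth cannot complete an NTLM exchange, so that is worth logging), checks the token against the 32KB ceiling Amos mentions, and builds and parses helper lines. The GSS-API/SPNEGO/NTLMSSP framing constants come from those specifications; the YR/KK/AF/NA/TT/BH line format is the Squid negotiate helper protocol as this example's author knows it, not something the thread states. All sample tokens are constructed, not captured from the proxy discussed.

```python
# Added example, not part of the squid-users thread or the Squid sources.
# Models the Negotiate token hand-off between a client, Squid and a negotiate
# helper such as squid_kerb_auth. Helper line format (YR/KK in, AF/NA/TT/BH out)
# is assumed from the Squid negotiate helper protocol; samples are constructed.
import base64
import re

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2 (SPNEGO)
KRB5_OID = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2 (Kerberos V5)
MAX_TOKEN_BYTES = 32 * 1024                       # the "max 32KB" ceiling from the thread

_HEADER_RE = re.compile(r"^\s*Negotiate\s+([A-Za-z0-9+/=]+)\s*$", re.IGNORECASE)


def extract_negotiate_token(header_value):
    """Return raw token bytes from a 'Negotiate <base64>' header value, else None."""
    m = _HEADER_RE.match(header_value)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True)
    except ValueError:                       # binascii.Error is a ValueError
        return None


def classify_token(raw):
    """Identify the mechanism the client sent; squid_kerb_auth only speaks Kerberos."""
    if raw.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"
    if raw[:1] == b"\x60":                   # GSS-API InitialContextToken, [APPLICATION 0]
        head = raw[:16]                      # mechanism OID sits right after the tag/length
        if SPNEGO_OID in head:
            return "spnego"
        if KRB5_OID in head:
            return "krb5"
    return "unknown"


def inspect_header(header_value):
    """Summarise what a Proxy-Authorization value carries before Squid relays it."""
    raw = extract_negotiate_token(header_value)
    if raw is None:
        return {"ok": False, "reason": "not a Negotiate header or bad base64"}
    return {
        "ok": True,
        "mechanism": classify_token(raw),
        "size": len(raw),
        "oversized": len(raw) > MAX_TOKEN_BYTES,
    }


def make_negotiate_header(raw):
    """Header value a client would send for raw token bytes (used to build samples)."""
    return "Negotiate " + base64.b64encode(raw).decode("ascii")


def helper_request_line(header_value, first_round=True):
    """Line Squid writes to the helper's stdin: 'YR <b64>' first, 'KK <b64>' afterwards."""
    raw = extract_negotiate_token(header_value)
    if raw is None:
        return None
    return ("YR " if first_round else "KK ") + base64.b64encode(raw).decode("ascii")


def parse_helper_reply(line):
    """Parse one helper reply: AF <token> <user>, NA <token> <reason>, TT <token>, BH <reason>."""
    parts = line.rstrip("\r\n").split(" ", 2)
    code = parts[0]
    if code == "AF" and len(parts) == 3:
        return {"code": code, "token": parts[1], "user": parts[2]}
    if code == "NA" and len(parts) >= 2:
        return {"code": code, "token": parts[1], "reason": parts[2] if len(parts) == 3 else ""}
    if code == "TT" and len(parts) >= 2:
        return {"code": code, "token": parts[1]}
    if code == "BH":
        return {"code": code, "reason": line[3:].strip()}
    return {"code": "??", "raw": line}


# Constructed sample tokens (not captured from the thread's proxy).
NTLM_TYPE1 = NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + b"\x07\x82\x08\xa2" + b"\x00" * 16
SPNEGO_INIT = b"\x60\x0a\x06\x06" + SPNEGO_OID + b"\xa0\x00"   # minimal DER wrapper only
SAMPLE_HEADERS = {
    "client_sent_ntlm": make_negotiate_header(NTLM_TYPE1),
    "client_sent_spnego": make_negotiate_header(SPNEGO_INIT),
    "basic_not_negotiate": "Basic dXNlcjpwYXNz",
}

if __name__ == "__main__":
    for name, hdr in SAMPLE_HEADERS.items():
        print(name, inspect_header(hdr), helper_request_line(hdr))
    print(parse_helper_reply("AF dG9rZW4= user@REDECAMARA.CAMARA.GOV.BR"))
```

A YR line produced this way can be written to the helper's stdin to time one round trip outside Squid, which isolates helper cost from proxy cost; with a real token captured from a client it also shows immediately whether the client presented Kerberos or fell back to NTLM.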