[squid-users] Re: Squid with Kerberos auth

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Wed, 21 Dec 2011 22:11:26 -0000

Can you run an strace against the process ?

Markus

"Wladner Klimach" <wladner_at_gmail.com> wrote in message
news:CAP3mw_Eaz_v+QaQiZ+Vc1S0oyzaWwES1-FdhTezEabFRq7Ajew_at_mail.gmail.com...
> Amos,
>
> so what could be causing so much load on CPU? When I run top I can see
> there's no swap and the squid_kerb_auth is the process that causes
> this high CPU usage. Is there any way I can check this helper? Here,
> below, is my squid.conf. I hope you can shed some light, because I
> don't believe squid runs at such poor speed.
>
> auth_param negotiate program
> /etc/squid/squid-3.1.16/helpers/negotiate_auth/squid_kerb_auth/squid_kerb_auth
> -s HTTP/trotsky.redecamara.camara.gov.br
> auth_param negotiate children 4
> auth_param negotiate keep_alive on
>
> # External ACLs to look up the group based on Kerberos.
> external_acl_type squid_kerb_ldap ttl=3600 negative_ttl=3600 %LOGIN
> /etc/squid/squid-3.1.16/squid_kerb_ldap/squid_kerb_ldap -S
> californio.redecamara.camara.gov.br -g
> Internet_at_REDECAMARA.CAMARA.GOV.BR
>
> visible_hostname trotsky.redecamara.camara.gov.br
> dns_nameservers 10.1.3.5
>
> hierarchy_stoplist cgi-bin ?
> #acl liberados dstdomain "/etc/squid/liberados.txt"
> acl ldap_group_check external squid_kerb_ldap
> acl AUTENTICADO proxy_auth REQUIRED
> http_access allow ldap_group_check
> # Recommended minimum configuration:
> #
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32 ::1
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
> #acl teste external Internet teste
> # Example rule allowing access from your local networks.
> # Adapt to list your (internal) IP networks from where browsing
> # should be allowed
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl SSL_ports port 443
> acl SSL_ports port 1863
> acl SSL_ports port 563
> acl SSL_ports port 465
> acl SSL_ports port 995
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 563 # https
> acl Safe_ports port 465 # https
> acl Safe_ports port 995 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
>
> http_access deny manager
>
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
>
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
>
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> #http_access deny to_localhost
>
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
>
> acl INTRANET dst 10.0.0.0/8
> acl EXE urlpath_regex -i \.exe$
> acl ZIP urlpath_regex -i \.zip$
> acl ARJ urlpath_regex -i \.arj$
> acl MP3 urlpath_regex -i \.mp3$
> acl RAR urlpath_regex -i \.rar$
> acl GZ urlpath_regex -i \.gz$
> acl ISO1 urlpath_regex -i \.iso\?+$
> acl EXE1 urlpath_regex -i \.exe\?+$
> acl ZIP1 urlpath_regex -i \.zip\?+$
> acl ARJ1 urlpath_regex -i \.arj\?+$
> acl MP31 urlpath_regex -i \.mp3\?+$
> acl RAR1 urlpath_regex -i \.rar\?+$
> acl GZ1 urlpath_regex -i \.gz\?+$
>
>
> http_access allow INTRANET
>
> http_access allow localhost
> # And finally deny all other access to this proxy
> http_access deny all
>
> # Squid normally listens to port 3128
> http_port 3128
> cache_store_log none
> maximum_object_size 16384 KB
> minimum_object_size 0 KB
> maximum_object_size_in_memory 50 KB
> cache_swap_low 95
> cache_swap_high 98
> ipcache_size 6000
> ipcache_low 90
> ipcache_high 92
> fqdncache_size 6000
> memory_replacement_policy heap GDSF
> cache_replacement_policy heap LFUDA
> half_closed_clients off
> memory_pools off
>
> cache_dir diskd /cache/squid 10000 64 256 Q1=64 Q2=72
> cache_mem 2048 MB
> # Leave coredumps in the first cache dir
> coredump_dir /var/spool/squid
> max_filedescriptors 1024
> # Add any of your own refresh_pattern entries above these.
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
> Regards,
>
> Wladner
>
>
>
> 2011/12/20 Amos Jeffries <squid3_at_treenet.co.nz>:
>> On 21/12/2011 3:03 a.m., Wladner Klimach wrote:
>>>
>>> But the problem is that I'm not running IPv6 in my network. That's why
>>
>> "Welcome to your IPv6 enabled transit network. Whether you like it, or
>> not."
>> - Rob Issac, 2008.
>> (http://www.ausnog.net/files/ausnog-03/presentations/ausnog03-ward-IPv6_enabled_network.pdf)
>>
>> Try with -n parameter to lsof. You might get a surprise.
>>
>> The TCP "hybrid" stack can use IPv6 sockets for IPv4 traffic, this may
>> also be what you are seeing. Squid-3.1+ will detect stack types and use
>> this optimization for receiving ports if it can.
>>
>>
>>> I've asked if this could be a problem. And the CPU usage hitting 99%
>>> with only one user? Does it look like a hardware limitation? When I'm
>>> not using authentication, the CPU usage doesn't hit 50%.
>>
>>
>> Unlikely with one user.
>>
>> All Squid does for auth is take the tokens out of HTTP headers and relay
>> them to the auth backend. Then add the backend's reply token to the HTTP
>> response for the client. Very minimal CPU operations in Squid, unknown
>> amount in the backend. Maybe (max) 32KB of token copied each way, plus
>> the HTTP bits.
>>
>> Amos
>
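As an added example (not code from the thread or from the Squid project), a small harness that answers "is there any way I can check this helper?" alongside the strace suggestion: it drives squid_kerb_auth directly with the line protocol Squid uses for negotiate helpers (YR/KK requests, TT/AF/NA/BH replies) and times each reply, so helper latency can be separated from Squid itself. The helper command line is the `auth_param negotiate program` line from squid.conf; the tokens are assumed to be base64 SPNEGO blobs taken from your own clients' `Proxy-Authorization: Negotiate` headers.

```python
import shlex
import subprocess
import time

# Reply codes of the Squid negotiate helper protocol spoken by squid_kerb_auth:
# TT = another round trip needed, AF = authenticated, NA = rejected, BH = helper error.
REPLY_CODES = {"TT", "AF", "NA", "BH"}


def parse_reply(line):
    """Split one helper reply line into (code, token, rest).

    AF carries "<token> <user>", NA "<token> <message>", TT "<token>";
    BH carries only "<message>" and no token.
    """
    parts = line.rstrip("\r\n").split(" ", 2)
    code = parts[0]
    if code not in REPLY_CODES:
        raise ValueError("unexpected helper reply: %r" % line)
    if code == "BH":
        return code, None, " ".join(parts[1:])
    token = parts[1] if len(parts) > 1 else ""
    rest = parts[2] if len(parts) > 2 else ""
    return code, token, rest


def time_helper(helper_cmd, tokens):
    """Drive one helper process with SPNEGO blobs; return [(seconds, code, rest)].

    helper_cmd is the "auth_param negotiate program ..." command line (assumed);
    tokens are the base64 blobs a browser sends in Proxy-Authorization: Negotiate.
    """
    proc = subprocess.Popen(shlex.split(helper_cmd), stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, text=True, bufsize=1)
    results = []
    try:
        for i, blob in enumerate(tokens):
            prefix = "YR" if i == 0 else "KK"   # first token YR, continuations KK
            start = time.monotonic()
            proc.stdin.write("%s %s\n" % (prefix, blob))
            proc.stdin.flush()
            code, _token, rest = parse_reply(proc.stdout.readline())
            results.append((time.monotonic() - start, code, rest))
            if code != "TT":                    # AF, NA or BH ends the handshake
                break
    finally:
        proc.stdin.close()                      # helper exits on EOF, as at Squid shutdown
        proc.wait()
    return results
```

Call `time_helper('<helper path> -s HTTP/<visible hostname>', [token])` and compare the per-reply seconds with what `strace -c -p <helper pid>` shows; a slow NA or BH reply points at the Kerberos side (keytab, KDC, DNS) rather than at Squid.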
Received on Wed Dec 21 2011 - 22:13:31 MST

This archive was generated by hypermail 2.2.0 : Fri Dec 30 2011 - 12:00:06 MST