AW: [squid-users] squid 3.4. uses 100% cpu with ntlm_auth

From: Rietzler, Markus (RZF, SG 324 / ) <markus.rietzler_at_fv.nrw.de>
Date: Mon, 28 Jul 2014 11:57:36 +0000

i want to bring back that issue.

- we are running squid on linux.
- we are using squid with winbind for user auth against windows DC
- our clients are windows7 and ie10.

the problem is:

when we use squid 3.4.x squid will use 100% of cpu after a few minutes. with the old version 3.2.11 everything works perfect. squid uses about 25% of cpu.
we have tested it today with the latest version 3.4.6 in our production environment. although due to summer holidays cpu usage rises up to 100%.
when we disable external user auth at all there is no problem. so

- with squid 3.2.11 external user auth is working
- with squid 3.4.6 external user auth is working - BUT squid will use 100% cpu
- with squid 3.4.6 and no user auth it is working.

thanks for any hints and help

markus
 
-----Original Message-----
From: Rietzler, Markus (RZF, SG 324 / <RIETZLER_SOFTWARE>)
Sent: Tuesday, 7 January 2014 10:22
To: Amos Jeffries; squid-users_at_squid-cache.org
Subject: AW: [squid-users] squid 3.4. uses 100% cpu with ntlm_auth

thanks,

our assumption is, that it is related to helper management. with 3.4. there is a "new helper protocol", right?
our environment worked with 3.2 without problems. now with the jump to 3.4. it will not work anymore. so number of requests are somehow important but as it worked in the past...

if we go without ntlm_auth we can't see any high cpu load. so the first thought ACL and eg. regex problems can be discarded. maybe there are some cross influences. but we think it lies somewhere in helpers/auth.

we switched to 3.4 for two reasons:

1) we have a squid-hierarchy setup where user proxy talks to 4 parent proxies in a load balancer way. in the past we could switch off one of the parents and everything still was working. with 3.2. as soon as one of the four parents was missing internet access gets slower and slower. with 3.4. it is working.

2) 3.3. was no option as it had problems with ACL and access internet sites with their ip-addresses. we have a couple of acls where we choose the right route (intranet/extranet/internet). in the past we could do www.google.de and http://173.194.35.184. but with 3.3 the ip-address didn't work anymore.

3) so this was the reason to jump from 3.2/3.1 to 3.4

> -----Original Message-----
> From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
> Sent: Monday, 6 January 2014 22:02
> To: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] squid 3.4. uses 100% cpu with ntlm_auth
>
> On 2014-01-07 01:52, Rietzler, Markus (RZF, SG 324 /
> <RIETZLER_SOFTWARE>) wrote:
> > hi,
> > we have switched from squid 3.2.x to 3.4.2. in our environment we are
> > using squid with the ntlm_auth helper to do NTLM user auth against
> > windows DC.
> > after switching to squid 3.4.1 squid uses nearly 100% cpu after a few
> > minutes. with squid 3.2.x everything worked well.
> >
> > auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> > auth_param ntlm children 96 startup=24 idle=12
> > auth_param ntlm keep_alive on
> >
> > auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> > auth_param basic children 5 startup=2 idle=1
> > auth_param basic realm Internet-Zugriff [Benutzername/Kennwort aus BK] Nutzung des Internets nur zum Dienstgebrauch!
> > auth_param basic credentialsttl 2 hours
> > auth_param basic casesensitive off
> >
> >
> > we have compiled with smp-support but at the moment using squid only
> > with one worker, Kerberos support is compiled in but not used in
> > squid.conf
> > no negotiate configs in squid. is this enough or should we try without
> > negotiate support, could this influence and cause this troubles?
> >
> > Squid Cache: Version 3.4.2
> > configure options: '--enable-auth-basic=MSNT,SMB'
> > '--enable-auth-basic' '--enable-auth-ntlm'
> > '--enable-auth-negotiate=kerberos' '--enable-delay-pools'
> > '--enable-follow-x-forwarded-for' '--enable-removal-policies=lru,heap'
> > '--with-filedescriptors=4096' '--with-winbind' '--with-async-io'
> > '--enable-storeio=ufs,aufs,diskd,rock' '--disable-ident-lookups'
> > '--prefix=/rzf/produkte/www/squid' '--enable-underscores'
> > '--with-large-files'
> > 'PKG_CONFIG_PATH=/opt/gnome/lib64/pkgconfig:/opt/gnome/share/pkgconfig'
> > --enable-ltdl-convenience
> >
> > /usr/bin/ntlm_auth -V
> > Version 3.6.3-0.39.1-3012-SUSE-CODE11-x86_64
> >
> >
> >
> > we do not use wbinfo_group we only need the username. all users are
> > allowed to surf the internet, there are some "groups" but they are
> > retrieved "external" as they also are used in ufdbguard to filter some
> > categories. so only ntlm_auth for username is needed and used.
> >
> > we have only briefly tested squid 3.3., because there we had the
> > problem, that the internet access to sites with ip-address didn't work
> > or are routed the wrong way (but that is another story, not related to
> > this one).
> >
> > so the problem is, that with squid 3.4.2 the cpu usage rises to 100%.
> > after squid -k reconfigure the cpu-usage drops but then after a few
> > minutes rises again to 100%.
> >
Received on Mon Jul 28 2014 - 11:58:27 MDT
