[squid-users] Re: transparent proxy on remote box issue

2013-11-03 Thread WorkingMan
Eliezer Croitoru eliezer at ngtech.co.il writes:

 
 Hey there,
 
 Man you need to understand something.
 Your basic routing doesn't help in any way.
 In your case you should have a network which is a simple thing...
 I do not remember the machine settings but once you have a strict 
 default via IP
 the packets should flow through this host.
 try to make sure first that ICMP packet flows from one machine to the 
other.
 Then and only then try to make the packet flow from let say:
 VPN-MAIN-GW
 then try to access the internet and see what happens on both GW and VPN 
 machines.
 you do have 10.0.0.1/24 as a Default GW so try to reach from 10.0.0.170 
 using 10.0.0.1 to the internet let say to google or yahoo or even my 
 site.. ngtech.co.il.
 
 this basic network setup should work if configured properly and if the 
 network infrastructure supports it.
 If even one of all the above is not met you will not succeed and then 
 we will be back to routing which we can try to help with, but it means you 
 have a way ahead before making squid work.
 can you by any chance remove all these mark settings and go back to 
 routing just to make the basic setup work as it is supposed to?
 And also the OUTPUT is another step after all the traffic to and from 
 the internet back to this host is working..
 
 Eliezer
 

I can say for sure this is the issue. First of all I can make this work with 
two Ubuntu VMs under the same LAN which allowed me to compare the difference.

Eliezer's observation is correct. On my VMs traffic goes through the gateway 
(i.e. the router) before going to the remote box. On Amazon VPC for some 
reason it tries to go directly to the remote box since the MAC address is 
that of the SQUID box (not that of the gateway).

If I use clean.rules traffic goes through the gateway.
If I use proxy.rules (with policy based routing) it will use SQUID's mac.

I don't know how to fix this issue.

Thanks, that's a big step forward



[squid-users] Re: frequent TCP_MISS_ABORTED is it harmfull ???

2013-11-03 Thread Dr.x
Hi Amos,

so,
in summary,
I can say that it is a normal issue.


regards



-
Dr.x
--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/frequent-TCP-MISS-ABORTED-is-it-harmfull-tp4663051p4663104.html
Sent from the Squid - Users mailing list archive at Nabble.com.


[squid-users] Re: transparent proxy on remote box issue

2013-11-03 Thread WorkingMan
WorkingMan signup_mail2002 at yahoo.com writes:

 
 Eliezer Croitoru eliezer at ngtech.co.il writes:
 
  
  Hey there,
  
  Man you need to understand something.
  Your basic routing doesn't help in any way.
  In your case you should have a network which is a simple thing...
  I do not remember the machine settings but once you have a strict 
  default via IP
  the packets should flow through this host.
  try to make sure first that ICMP packet flows from one machine to the 
 other.
  Then and only then try to make the packet flow from let say:
  VPN-MAIN-GW
  then try to access the internet and see what happens on both GW and VPN 
  machines.
  you do have 10.0.0.1/24 as a Default GW so try to reach from 10.0.0.170 
  using 10.0.0.1 to the internet let say to google or yahoo or even my 
  site.. ngtech.co.il.
  
  this basic network setup should work if configured properly and if the 
  network infrastructure supports it.
  If even one of all the above is not met you will not succeed and then 
  we will be back to routing which we can try to help with, but it means you 
  have a way ahead before making squid work.
  can you by any chance remove all these mark settings and go back to 
  routing just to make the basic setup work as it is supposed to?
  And also the OUTPUT is another step after all the traffic to and from 
  the internet back to this host is working..
  
  Eliezer
  
 
 I can say for sure this is the issue. First of all I can make this work 
with 
 two Ubuntu VMs under the same LAN which allowed me to compare the 
difference.
 
 Eliezer's observation is correct. On my VMs traffic goes through the 
gateway 
 (ie: the router) before going to the remote box. On Amazon VPC for some 
 reason it tries to go directly to the remote box since the mac address is 
 that of SQUID box (not that of the gateway).
 
 If I use clean.rules traffic goes through the gateway.
 If I use proxy.rules (with policy based routing) it will use SQUID's mac.
 
 I don't know how to fix this issue.
 
 Thanks, that's a big step forward
 
 

Sorry, I need to correct the above. It's actually doing something different; 
because I was looking at a working setup I had information I don't have with 
the VPC setup.

All I can say is that I see gateway's mac on both VPN and remote boxes for 
VM setup.

For VPC setup I can see VPN trying to reach SQUID server (retransmitting) so 
it didn't get far enough to reach the gateway. For some reason traffic is 
not reaching SQUID server (I am guessing something is dropping the traffic).

Thanks,




[squid-users] Re: transparent proxy on remote box issue

2013-11-03 Thread WorkingMan
WorkingMan signup_mail2002 at yahoo.com writes:

 
 Eliezer Croitoru eliezer at ngtech.co.il writes:
 
  
  Hey there,
  
  Man you need to understand something.
  Your basic routing doesn't help in any way.
  In your case you should have a network which is a simple thing...
  I do not remember the machine settings but once you have a strict 
  default via IP
  the packets should flow through this host.
  try to make sure first that ICMP packet flows from one machine to the 
 other.
  Then and only then try to make the packet flow from let say:
  VPN-MAIN-GW
  then try to access the internet and see what happens on both GW and VPN 
  machines.
  you do have 10.0.0.1/24 as a Default GW so try to reach from 10.0.0.170 
  using 10.0.0.1 to the internet let say to google or yahoo or even my 
  site.. ngtech.co.il.
  
  this basic network setup should work if configured properly and if the 
  network infrastructure supports it.
  If even one of all the above is not met you will not succeed and then 
  we will be back to routing which we can try to help with, but it means you 
  have a way ahead before making squid work.
  can you by any chance remove all these mark settings and go back to 
  routing just to make the basic setup work as it is supposed to?
  And also the OUTPUT is another step after all the traffic to and from 
  the internet back to this host is working..
  
  Eliezer
  
 
 I can say for sure this is the issue. First of all I can make this work 
with 
 two Ubuntu VMs under the same LAN which allowed me to compare the 
difference.
 
 Eliezer's observation is correct. On my VMs traffic goes through the 
gateway 
 (ie: the router) before going to the remote box. On Amazon VPC for some 
 reason it tries to go directly to the remote box since the mac address is 
 that of SQUID box (not that of the gateway).
 
 If I use clean.rules traffic goes through the gateway.
 If I use proxy.rules (with policy based routing) it will use SQUID's mac.
 
 I don't know how to fix this issue.
 
 Thanks, that's a big step forward
 
 

Sorry for duplicate post. I posted as a new post in my last reply.

Sorry, I need to correct the above. It's actually doing something different; 
because I was looking at a working setup I had information I don't have with 
the VPC setup.

All I can say is that I see gateway's mac on both VPN and remote boxes for 
VM setup.

For VPC setup I can see VPN trying to reach SQUID server (retransmitting) so 
it didn't get far enough to reach the gateway. For some reason traffic is 
not reaching SQUID server (I am guessing something is dropping the traffic).

Thanks,



[squid-users] Re: transparent proxy on remote box issue

2013-11-03 Thread WorkingMan
 
 I can say for sure this is the issue. First of all I can make this work 
with 
 two Ubuntu VMs under the same LAN which allowed me to compare the 
difference.
 
 Eliezer's observation is correct. On my VMs traffic goes through the 
gateway 
 (ie: the router) before going to the remote box. On Amazon VPC for some 
 reason it tries to go directly to the remote box since the mac address is 
 that of SQUID box (not that of the gateway).
 
 If I use clean.rules traffic goes through the gateway.
 If I use proxy.rules (with policy based routing) it will use SQUID's mac.
 
 I don't know how to fix this issue.
 
 Thanks, that's a big step forward
 
 


I finally found what's causing the packet drop. I needed to disable 
Source/Dest Check on the VPC instance for SQUID (right-click the client VPC 
instance: Change Source/Dest. Check)! I did disable it for the VPN instance.

I will continue the other steps and will report back. I think it will work 
now.

Thanks,





Re: [squid-users] load tpoxy wccp on multiple interfaces by smp ?

2013-11-03 Thread Amos Jeffries

On 3/11/2013 5:22 p.m., Dr.x wrote:

hi,

it's just an update idea,
we have 6000 users and we have 96 G RAM and 24 CPU cores and Dell R720
hardware,
actually I want to use SMP and want to handle them with Squid.
Q1- from the experience of users who tried Squid SMP, can my hardware handle the
6000 users?


No. It can handle some amount of requests/sec and traffic/sec. But 
users is not related to proxy capacity.


6000 users doing 1 req/day, even the footstool under my desk can handle 
that load.
6000 users doing ~150 req/sec each concurrently, you need a monster 
amount of CPU to handle that load.


Squid-3.3 can handle something like 2k - 20k requests per second on 
average-cost modern hardware in a single worker. That is somewhere 
around 50 - 150Mbps of HTTP traffic if you look at things in Mbps. The 
numbers *will* vary greatly depending on many factors in your users 
traffic profile.


24 cores should be enough to handle it, though be careful that it is 24 
*physical* cores. Ignore any hyper-threaded / virtual cores.




===
Q2- can SMP let me use two tproxy on 2 interfaces and share core caching on
the two interfaces???

i mean  my server will have eth1 , eth2  connected to router

eth1 is x.x.x.x
eth2 is y.y.y.y

squid will be listening to tproxy x.x.x.x:
and also will be listening to tproxy y.y.y.y:

and each interface will have a wccp service number === meaning that many wccp
services will be working

again,
I want to do that because the traffic on 1 interface can't handle more than
1 G of traffic; my router can't handle more than 1 G,
so I need to use 2 interfaces so that I get network load distribution.


can squid smp handle what I want?


Maybe. High confidence without certainty.


without bugs ?


Er, Um.

Amos


[squid-users] Re: load tpoxy wccp on multiple interfaces by smp ?

2013-11-03 Thread Dr.x
Amos Jeffries-2 wrote
 On 3/11/2013 5:22 p.m., Dr.x wrote:
 hi ,

 it's just an update idea,
 we have 6000 users and we have 96 G RAM and 24 CPU cores and Dell R720
 hardware,
 actually I want to use SMP and want to handle them with Squid.
 Q1- from the experience of users who tried Squid SMP, can my hardware handle
 the
 6000 users?
 
 No. It can handle some amount of requests/sec and traffic/sec. But 
 users is not related to proxy capacity.
 
 6000 users doing 1 req/day, even the footstool under my desk can handle 
 that load.
 6000 users doing ~150 req/sec each concurrently, you need a monster 
 amount of CPU to handle that load.


hi amos, regarding the answer "no":

currently , i have a squid server without smp that handle 2500 users and
without slowness , with caching  and ,with acl web filtering.

and it is only dissipating a few cores in my CPU.

here is a print screen of my Dell R720 server which handles what I said above:
http://squid-web-proxy-cache.1019090.n4.nabble.com/file/n4663110/584988478.png
 

although I took the snapshot at a time not considered rush hour, you can
see that only about 5 CPU cores out of about 24 cores are running and the
others are always idle!!!

the question is why it can't.

as we know, squid can't use all cores without SMP, but in my opinion, if a
server without SMP could handle 2500 users, it must handle at least 5000
users with SMP.

please clarify!

regards



-
Dr.x


Re: [squid-users] Re: load tpoxy wccp on multiple interfaces by smp ?

2013-11-03 Thread Amos Jeffries

On 3/11/2013 11:24 p.m., Dr.x wrote:

Amos Jeffries-2 wrote

On 3/11/2013 5:22 p.m., Dr.x wrote:

hi ,

it's just an update idea,
we have 6000 users and we have 96 G RAM and 24 CPU cores and Dell R720
hardware,
actually I want to use SMP and want to handle them with Squid.
Q1- from the experience of users who tried Squid SMP, can my hardware handle
the
6000 users?

No. It can handle some amount of requests/sec and traffic/sec. But
users is not related to proxy capacity.

6000 users doing 1 req/day, even the footstool under my desk can handle
that load.
6000 users doing ~150 req/sec each concurrently, you need a monster
amount of CPU to handle that load.


hi amos , regarding to the answer no 

the question is why it cant 


Sorry you missed my joke.   Users is users ... Squid handles HTTP 
messages. :-)


Amos


[squid-users] Re: load tpoxy wccp on multiple interfaces by smp ?

2013-11-03 Thread Dr.x
hi amos,

what's the maximum req/sec Squid with SMP on a 24-core CPU can handle in my case
?
 




-
Dr.x


Re: [squid-users] Re: squid_kerb_auth: Unspecified GSS failure (W2K8)

2013-11-03 Thread Mihail Lukin
I've just noticed that there is also LDAP modify request in captured
traffic that is trying to set servicePrincipalName attribute and ends
up with insufficientAccessRights result! I will ask for additional
privileges from our domain admin and see if it solves the issue.

On Sun, Nov 3, 2013 at 9:36 AM, Mihail Lukin mihail.lu...@gmail.com wrote:
 I wonder why `net ads keytab add HTTP` doesn't change the keytab. The
 output of this command is:

 Warning: kerberos method must be set to a keytab method to use
 keytab functions.
 Processing principals to add...

 and exit code is 0, so there is no sign of an error.
 I sniffed network traffic while running this command and found that
 there was an LDAP search query and the result contained this
 computer's entry which has servicePrincipalName with 4 values and
 HTTP/squidsrv.my.doma.in is there.

 Unfortunately, this service principal didn't appear in keytab.


 On Sun, Nov 3, 2013 at 4:20 AM, Markus Moeller hua...@moeller.plus.com 
 wrote:
 Exactly you need the HTTP service principal in the keytab.

 Regards
 Markus


 Mihail Lukin  wrote in message
 news:CAAmm_rYG0GiLjvaT50eeFL4JTzU9Ux0k01CvDCXH7D5H2C=0...@mail.gmail.com...


 Thanks for the tip!

 Here is what it shows:
 Server Name (Service and Instance): HTTP/squidsrv.my.doma.in

 So, it is the right protocol and host name. But I do not see an exact
 match in keytab. I'm not sure if it is the issue. I created keytab
 exactly as was shown here:
 http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos#Create_keytab
 (samba version, not msktutil).


 On Sun, Nov 3, 2013 at 1:29 AM, Markus Moeller hua...@moeller.plus.com
 wrote:

 Hi Mihail,

  If you use wireshark you can expand the details of:

  Proxy-Authorization: Negotiate YIIHoAYGKwYBB...

  It will tell you which service principal the client is sending to the
 server ?  I wonder if the name  matches the names in your keytab.


 Markus

 -Original Message- From: Mihail Lukin
 Sent: Saturday, November 02, 2013 9:15 PM
 To: Markus Moeller
 Cc: squid-users
 Subject: Re: [squid-users] Re: squid_kerb_auth: Unspecified GSS failure
 (W2K8)


 Hi, Markus!

 1) Here is the output:
 Keytab name: FILE:/etc/squid/HTTP.keytab
 KVNO Timestamp Principal
  -
 
   2 10/30/13 14:14:09 host/squidsrv.my.doma...@my.doma.in (des-cbc-crc)
   2 10/30/13 14:14:09 host/squidsrv.my.doma...@my.doma.in (des-cbc-md5)
   2 10/30/13 14:14:09 host/squidsrv.my.doma...@my.doma.in (arcfour-hmac)
   2 10/30/13 14:14:09 host/squidsrv.my.doma...@my.doma.in
 (aes128-cts-hmac-sha1-96)
   2 10/30/13 14:14:09 host/squidsrv.my.doma...@my.doma.in
 (aes256-cts-hmac-sha1-96)
   2 10/30/13 14:14:09 host/squid...@my.doma.in (des-cbc-crc)
   2 10/30/13 14:14:09 host/squid...@my.doma.in (des-cbc-md5)
   2 10/30/13 14:14:09 host/squid...@my.doma.in (arcfour-hmac)
   2 10/30/13 14:14:09 host/squid...@my.doma.in (aes128-cts-hmac-sha1-96)
   2 10/30/13 14:14:09 host/squid...@my.doma.in (aes256-cts-hmac-sha1-96)
   2 10/30/13 14:14:09 SQUIDSRV$@MY.DOMA.IN (des-cbc-crc)
   2 10/30/13 14:14:10 SQUIDSRV$@MY.DOMA.IN (des-cbc-md5)
   2 10/30/13 14:14:10 SQUIDSRV$@MY.DOMA.IN (arcfour-hmac)
   2 10/30/13 14:14:10 SQUIDSRV$@MY.DOMA.IN (aes128-cts-hmac-sha1-96)
   2 10/30/13 14:14:10 SQUIDSRV$@MY.DOMA.IN (aes256-cts-hmac-sha1-96)

 2) I see request header Proxy-Authorization: Negotiate YIIHoAYGKwYBB...
 3) It is worth mentioning that using ntlm_auth instead of squid_kerb_auth
 works fine on this server.


 On Fri, Nov 1, 2013 at 1:45 AM, Markus Moeller hua...@moeller.plus.com
 wrote:


 Hi Mihail,

   What does a klist -ekt keytab show  ? ( I assume you use MIT Kerberos
 on
 the squid server)

   What do you see with wireshark in the authentication header sent to
 squid
 ?

 Markus

 Mihail Lukin  wrote in message

 news:caamm_rzhz8m1vbyf5mvw-zbqyvoqhw0nmf4saop8gsy5x9k...@mail.gmail.com...


 I don't know why access-time is not being updated, but strace has
 shown that keytab is being read successfully by squid_kerb_auth
 process.

 On Thu, Oct 31, 2013 at 8:15 AM, Mihail Lukin mihail.lu...@gmail.com
 wrote:



 Hello, Markus!

 Sorry for not mentioning it at once, KRB5_KTNAME is being exported in
 /etc/sysconfig/squid and is readable by squid group. But there is
 still something wrong with it: keytab's access time is not changed
 neither when I restart squid nor when I request a URL through the
 proxy.

 I think I should strace squid_kerb_auth to see what happens. Thanks
 for the hint!

 On Thu, Oct 31, 2013 at 12:53 AM, Markus Moeller
 hua...@moeller.plus.com wrote:



 Hi Mihail,

   Did you use export KRB5_KTNAME to point to the right keytab ?  Is the
 keytab readable by the user under which squid runs ?

 Markus

 Mihail Lukin  wrote in message



 news:CAAmm_rZ8jNoeFMRGthiYeHQ+GgSfmySFnw8708dwdDVUW3=r...@mail.gmail.com...

 Hello,

 I'm trying to configure Squid 3.1 to authenticate through AD with W2K8
 DC with 

Re: [squid-users] Re: load tpoxy wccp on multiple interfaces by smp ?

2013-11-03 Thread Eliezer Croitoru

On 11/03/2013 12:41 PM, Dr.x wrote:

hi amos ,

wts the maximum req/sec squid with smp of 24 cores cpu can handle in my case
?

Just wondering to myself, what is the CPU of the machine?
it's not about maximum but rather using this amount of CPU..
you will need lots of workers to handle these cores, so if you do have an 
SMP build that works on these CPUs I would start with 3 workers to make sure I 
understand how it all fits together and then go up to the 10 cores... 
since each worker should be able to take about 900 requests per sec.
6000 users will be a lot of traffic that should be added little by 
little to see how the load is balanced over the CPU, HDD etc.
Note that the cachemgr interface can give you a couple of good statistics to 
get started with.


Regards,
Eliezer






-
Dr.x





[squid-users] Re: load tpoxy wccp on multiple interfaces by smp ?

2013-11-03 Thread Dr.x
Eliezer Croitoru-2 wrote
 On 11/03/2013 12:41 PM, Dr.x wrote:
 hi amos ,

 wts the maximum req/sec squid with smp of 24 cores cpu can handle in my
 case
 ?
 Just wondering to myself, what is the CPU of the machine?
 it's not about maximum but rather using this amount of CPU..
 you will need lots of workers to handle these cores so if you do have a 
 SMP that works on these CPU I would start with 3 workers to make sure I 
 understand how it all fits together and then go up into the 10 cores... 
 since each worker should be able to take about 900 requests per sec.
 6000 users will be a lot of traffic that should be added little by 
 little to see how the load is balanced over the CPU HDD etc.
 Note that the cachemgr interface can give you a couple of good statistics to 
 get started with.
 
 Regards,
 Eliezer







hi,
thanks a lot, seems a good start:
I will start it and give you a reply and result.

about your question above,
my machine features:

Feature

PowerEdge R720 technical specification
Form factor: 2U rack
Processors: Intel ® Xeon ® processor E5-2600 product family
Processor sockets: 2
Internal interconnect: 2 x Intel QuickPath Interconnect (QPI) links; 6.4
GT/s; 7.2 GT/s; 8.0 GT/s
Cache: 2.5MB per core; core options: 2, 4, 6, 8
Chipset: Intel C600








-
Dr.x


[squid-users] parent proxy setup

2013-11-03 Thread Monah Baki
Hi all,

I have 2 servers a CentOS 6.4 and FreeBSD 9.2, both running squid
3.3.8. The CentOS however is configured as follows:

cache_peer x.x.x.x parent 80 0 no-query no-digest
never_direct allow all

x.x.x.x is the IP address of my FreeBSD

I can browse the internet fine, except https://facebook.com. I am able
to authenticate, but after that, the site does not load, some images show
up and some do not, and if I refresh sometimes the page goes blank
and nothing shows up.

I also see issues with cnn.com, the area where the live tv is missing,
it's blank.

If I change the proxy to my FreeBSD directly, all works fine.


Any ideas?


Re: [squid-users] Re: load tpoxy wccp on multiple interfaces by smp ?

2013-11-03 Thread Eliezer Croitoru

On 11/03/2013 02:25 PM, Dr.x wrote:

Feature

PowerEdge R720 technical specification
Form factor: 2U rack
Processors: Intel ® Xeon ® processor E5-2600 product family
Processor sockets: 2
Internal interconnect: 2 x Intel QuickPath Interconnect (QPI) links; 6.4
GT/s; 7.2 GT/s; 8.0 GT/s
Cache: 2.5MB per core; core options: 2, 4, 6, 8
Chipset: Intel C600
I assume it's the 8 cores with doubled threads, which is probably what 
you have in hand.


cat /proc/cpuinfo
should give the exact model of the CPU.
so if it's 2 SOCKETS it means 16 real cores with shared 2.5MB cache per 
couple cores unless there are new CPUs out there that INTEL doesn't 
provide data on.


it's a very powerful machine!!
16 cores should handle about 11-12k requests per sec and even more 
without any slowdown from the CPU and ram.
when it comes to HDD it's another level of speed which slows down a 
couple of things.


Again adding little by little users on this monster should give you the 
bigger picture on how to manage this beast.


Eliezer


[squid-users] Re: squid_kerb_auth: Unspecified GSS failure (W2K8)

2013-11-03 Thread Markus Moeller

Hi Mihail,

  I use mostly msktutil and not the samba tools. So I don't know what extra 
rights you might need for samba.  I give myself write access to a separate 
OU to manage Unix service principals with msktutil.


Regards
Markus

Mihail Lukin  wrote in message 
news:CAAmm_rZyAg2WA7rOkK43G14Ot6w1PNkm=1fypfw_n-h1jgz...@mail.gmail.com...


I've just noticed that there is also LDAP modify request in captured
traffic that is trying to set servicePrincipalName attribute and ends
up with insufficientAccessRights result! I will ask for additional
privileges from our domain admin and see if it solves the issue.

On Sun, Nov 3, 2013 at 9:36 AM, Mihail Lukin mihail.lu...@gmail.com wrote:

I wonder why `net ads keytab add HTTP` doesn't change the keytab. The
output of this command is:

Warning: kerberos method must be set to a keytab method to use
keytab functions.
Processing principals to add...

and exit code is 0, so there is no sign of an error.
I sniffed network traffic while running this command and found that
there was an LDAP search query and the result contained this
computer's entry which has servicePrincipalName with 4 values and
HTTP/squidsrv.my.doma.in is there.

Unfortunately, this service principal didn't appear in keytab.


On Sun, Nov 3, 2013 at 4:20 AM, Markus Moeller hua...@moeller.plus.com 
wrote:

Exactly you need the HTTP service principal in the keytab.

Regards
Markus


Mihail Lukin  wrote in message
news:CAAmm_rYG0GiLjvaT50eeFL4JTzU9Ux0k01CvDCXH7D5H2C=0...@mail.gmail.com...


Thanks for the tip!

Here is what it shows:
Server Name (Service and Instance): HTTP/squidsrv.my.doma.in

So, it is the right protocol and host name. But I do not see an exact
match in keytab. I'm not sure if it is the issue. I created keytab
exactly as was shown here:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos#Create_keytab
(samba version, not msktutil).


On Sun, Nov 3, 2013 at 1:29 AM, Markus Moeller hua...@moeller.plus.com
wrote:


Hi Mihail,

 If you use wireshark you can expand the details of:

 Proxy-Authorization: Negotiate YIIHoAYGKwYBB...

 It will tell you which service principal the client is sending to the
server ?  I wonder if the name  matches the names in your keytab.


Markus

-Original Message- From: Mihail Lukin
Sent: Saturday, November 02, 2013 9:15 PM
To: Markus Moeller
Cc: squid-users
Subject: Re: [squid-users] Re: squid_kerb_auth: Unspecified GSS failure
(W2K8)


Hi, Markus!

1) Here is the output:
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp Principal
 -

  2 10/30/13 14:14:09 host/squidsrv.my.doma...@my.doma.in (des-cbc-crc)
  2 10/30/13 14:14:09 host/squidsrv.my.doma...@my.doma.in (des-cbc-md5)
  2 10/30/13 14:14:09 host/squidsrv.my.doma...@my.doma.in (arcfour-hmac)
  2 10/30/13 14:14:09 host/squidsrv.my.doma...@my.doma.in
(aes128-cts-hmac-sha1-96)
  2 10/30/13 14:14:09 host/squidsrv.my.doma...@my.doma.in
(aes256-cts-hmac-sha1-96)
  2 10/30/13 14:14:09 host/squid...@my.doma.in (des-cbc-crc)
  2 10/30/13 14:14:09 host/squid...@my.doma.in (des-cbc-md5)
  2 10/30/13 14:14:09 host/squid...@my.doma.in (arcfour-hmac)
  2 10/30/13 14:14:09 host/squid...@my.doma.in (aes128-cts-hmac-sha1-96)
  2 10/30/13 14:14:09 host/squid...@my.doma.in (aes256-cts-hmac-sha1-96)
  2 10/30/13 14:14:09 SQUIDSRV$@MY.DOMA.IN (des-cbc-crc)
  2 10/30/13 14:14:10 SQUIDSRV$@MY.DOMA.IN (des-cbc-md5)
  2 10/30/13 14:14:10 SQUIDSRV$@MY.DOMA.IN (arcfour-hmac)
  2 10/30/13 14:14:10 SQUIDSRV$@MY.DOMA.IN (aes128-cts-hmac-sha1-96)
  2 10/30/13 14:14:10 SQUIDSRV$@MY.DOMA.IN (aes256-cts-hmac-sha1-96)

2) I see request header Proxy-Authorization: Negotiate 
YIIHoAYGKwYBB...

3) It is worth mentioning that using ntlm_auth instead of squid_kerb_auth
works fine on this server.


On Fri, Nov 1, 2013 at 1:45 AM, Markus Moeller hua...@moeller.plus.com
wrote:



Hi Mihail,

  What does a klist -ekt keytab show  ? ( I assume you use MIT 
Kerberos

on
the squid server)

  What do you see with wireshark in the authentication header sent to
squid
?

Markus

Mihail Lukin  wrote in message

news:caamm_rzhz8m1vbyf5mvw-zbqyvoqhw0nmf4saop8gsy5x9k...@mail.gmail.com...


I don't know why access-time is not being updated, but strace has
shown that keytab is being read successfully by squid_kerb_auth
process.

On Thu, Oct 31, 2013 at 8:15 AM, Mihail Lukin mihail.lu...@gmail.com
wrote:




Hello, Markus!

Sorry for not mentioning it at once, KRB5_KTNAME is being exported in
/etc/sysconfig/squid and is readable by squid group. But there is
still something wrong with it: keytab's access time is not changed
neither when I restart squid nor when I request a URL through the
proxy.

I think I should strace squid_kerb_auth to see what happens. Thanks
for the hint!

On Thu, Oct 31, 2013 at 12:53 AM, Markus Moeller
hua...@moeller.plus.com wrote:




Hi Mihail,

  Did you use export KRB5_KTNAME to point to the right keytab ?  Is 
the


[squid-users] Re: load tpoxy wccp on multiple interfaces by smp ?

2013-11-03 Thread Dr.x
Eliezer Croitoru-2 wrote
 On 11/03/2013 02:25 PM, Dr.x wrote:
 Feature

 PowerEdge R720 technical specification
 Form factor: 2U rack
 Processors: Intel ® Xeon ® processor E5-2600 product family
 Processor sockets: 2
 Internal interconnect: 2 x Intel QuickPath Interconnect (QPI) links; 6.4
 GT/s; 7.2 GT/s; 8.0 GT/s
 Cache: 2.5MB per core; core options: 2, 4, 6, 8
 Chipset: Intel C600
 I assume it's the 8 cores and doubles the threads which is probably what 
 you do have in hands.
 
 cat /proc/cpuinfo
 should give the exact model of the CPU.
 so if it's 2 SOCKETS it means 16 real cores with shared 2.5MB cache per 
 couple cores unless there are new CPUs out there that INTEL doesn't 
 provide data on.
 
 it's a very powerful machine!!
 16 cores should handle about 11-12k requests per sec and even more 
 without any slowdown from the CPU and ram.
 when it comes to HDD it's another levels of speed which slows down 
 couple things.
 
 Again adding little by little users on this monster should give you the 
 bigger picture on how to manage this beast.
 
 Eliezer


what nice feedback from you, you really encouraged me to start squid 3.3.9
now! with it,
but please have a look and make a verification:
is it 16 or 24 real cores?

here is /proc/cpuinfo result :

processor   : 0
vendor_id   : GenuineIntel
cpu family  : 6
model   : 45
model name  : Intel(R) Xeon(R) CPU E5-2630 0 @ 2.30GHz
stepping: 7
microcode   : 0x70b
cpu MHz : 2299.853
cache size  : 15360 KB
physical id : 0
siblings: 12
core id : 0
cpu cores   : 6
apicid  : 0
initial apicid  : 0
fpu : yes
fpu_exception   : yes
cpuid level : 13
wp  : yes
flags   : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca
cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx
pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology
nonstop_tsc aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2
ssse3 cx16 xtpr pdcm pcid dca sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer
aes xsave avx lahf_lm ida arat xsaveopt pln pts dts tpr_shadow vnmi
flexpriority ept vpid
bogomips: 4599.70
clflush size: 64
cache_alignment : 64
address sizes   : 46 bits physical, 48 bits virtual
power management:

processor   : 1
vendor_id   : GenuineIntel
cpu family  : 6
model   : 45
model name  : Intel(R) Xeon(R) CPU E5-2630 0 @ 2.30GHz
stepping: 7
microcode   : 0x70b
cpu MHz : 2299.853
cache size  : 15360 KB
physical id : 1
siblings: 12
core id : 0
cpu cores   : 6
apicid  : 32
initial apicid  : 32
fpu : yes
fpu_exception   : yes
cpuid level : 13
wp  : yes
flags   : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca
cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx
pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology
nonstop_tsc aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2
ssse3 cx16 xtpr pdcm pcid dca sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer
aes xsave avx lahf_lm ida arat xsaveopt pln pts dts tpr_shadow vnmi
flexpriority ept vpid
bogomips: 4600.03
clflush size: 64
cache_alignment : 64
address sizes   : 46 bits physical, 48 bits virtual
power management:

processor   : 2
vendor_id   : GenuineIntel
cpu family  : 6
model   : 45
model name  : Intel(R) Xeon(R) CPU E5-2630 0 @ 2.30GHz
stepping: 7
microcode   : 0x70b
cpu MHz : 2299.853
cache size  : 15360 KB
physical id : 0
siblings: 12
core id : 1
cpu cores   : 6
apicid  : 2
initial apicid  : 2
fpu : yes
fpu_exception   : yes
cpuid level : 13
wp  : yes
flags   : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca
cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx
pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology
nonstop_tsc aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2
ssse3 cx16 xtpr pdcm pcid dca sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer
aes xsave avx lahf_lm ida arat xsaveopt pln pts dts tpr_shadow vnmi
flexpriority ept vpid
bogomips: 4599.70
clflush size: 64
cache_alignment : 64
address sizes   : 46 bits physical, 48 bits virtual
power management:

processor   : 3
vendor_id   : GenuineIntel
cpu family  : 6
model   : 45
model name  : Intel(R) Xeon(R) CPU E5-2630 0 @ 2.30GHz
stepping: 7
microcode   : 0x70b
cpu MHz : 2299.853
cache size  : 15360 KB
physical id : 1
siblings: 12
core id : 1
cpu cores   : 6
apicid  : 34
initial apicid  : 34
fpu : yes
fpu_exception   : yes
cpuid level 

Re: [squid-users] Re: load tpoxy wccp on multiple interfaces by smp ?

2013-11-03 Thread Eliezer Croitoru

On 11/03/2013 09:20 PM, Dr.x wrote:

What nice feedback from you, you really encouraged me to start Squid 3.3.9
now! With it,
but please have a look and make a verification:
is it 16 or 24 real cores?

here is /proc/cpuinfo result :

processor   : 0
vendor_id   : GenuineIntel
cpu family  : 6
model   : 45
model name  : Intel(R) Xeon(R) CPU E5-2630 0 @ 2.30GHz

This should be it:
http://ark.intel.com/products/64593

Which is a 6 core CPU with 15M cache, which is 2.5 MB cache for 
each real core.
I do not know how the threading thing works exactly but it is supposed to 
give the software the benefit of *thinking* that there are a couple more 
processors and by that utilizing the maximum COMPUTATIONS from the CPU.
All the above assumes that there is a limit to the software and the 
hardware can help the software a bit on execution scheduling etc.


Don't think it's something that is not helping, but it's good to know that 
the limit is 12 real cores that can execute at 2.3-2.8 which is a lot of 
processing power.
What it means is that you do not have 24*2.8, and it means about 10k 
requests per sec at top (while squid might take even more but I still have not 
tested it on this kind of machine with SMP).
What is 100% is that this machine can act as an EDGE router for about 
40+GBps NP.


(about the threading thing, it's like the hardware knows that there are 
four places in a cycle that can be utilized, and they can be utilized only 
if a computation is scheduled, so in the case of a thread on a CPU there is 
a higher chance of utilizing one more part of each cycle for computation 
rather than losing this part of this cycle forever.

It's an accurate description but it's more than nothing)

Eliezer
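To settle the 16-vs-24 question from the /proc/cpuinfo paste above, here is an added example (not code from the thread or from Squid) that parses entries in that format and counts sockets, physical cores and logical CPUs from the physical id, core id, siblings and cpu cores fields; the sample text is constructed from the four processor entries shown in the thread.

```python
# Constructed sample: the four processor entries visible in the thread's
# paste, reduced to the fields needed for counting cores.
def _entry(proc, phys, core):
    return (f"processor\t: {proc}\nphysical id\t: {phys}\nsiblings\t: 12\n"
            f"core id\t\t: {core}\ncpu cores\t: 6\n")

SAMPLE_CPUINFO = "\n".join(_entry(p, phys, core) for p, (phys, core) in
                           enumerate([(0, 0), (1, 0), (0, 1), (1, 1)]))


def parse_cpuinfo(text):
    """Split /proc/cpuinfo text into one dict per 'processor' entry.

    Entries are separated by a blank line; each line is 'key : value'.
    """
    entries = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            if ":" in line:
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        if "processor" in fields:
            entries.append(fields)
    return entries


def summarize(text):
    """Count sockets, real cores and logical CPUs.

    A real core is a distinct (physical id, core id) pair; 'siblings' is the
    number of logical CPUs per socket and 'cpu cores' the real cores per
    socket, so siblings > cpu cores means hyper-threading is on.
    """
    entries = parse_cpuinfo(text)
    sockets = {e["physical id"] for e in entries}
    cores_seen = {(e["physical id"], e["core id"]) for e in entries}
    cores_per_socket = max(int(e["cpu cores"]) for e in entries)
    siblings = max(int(e["siblings"]) for e in entries)
    return {
        "logical_listed": len(entries),            # entries in this text
        "sockets": len(sockets),
        "physical_cores_listed": len(cores_seen),  # distinct cores in text
        "cores_per_socket": cores_per_socket,
        "physical_total": len(sockets) * cores_per_socket,
        "logical_total": len(sockets) * siblings,
        "threads_per_core": siblings // cores_per_socket,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_CPUINFO))
```

On the posted machine this gives 2 sockets x 6 cores = 12 real cores and 24 logical CPUs, two threads per core.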


Re: [squid-users] Re: load tpoxy wccp on multiple interfaces by smp ?

2013-11-03 Thread Eliezer Croitoru

On 11/03/2013 09:52 PM, Eliezer Croitoru wrote:

It's an accurate description but it's more than nothing)

Typo fix: it's not an accurate.

Eliezer




Re: [squid-users] parent proxy setup

2013-11-03 Thread Amos Jeffries

On 4/11/2013 1:40 a.m., Monah Baki wrote:

Hi all,

I have 2 servers a CentOS 6.4 and FreeBSD 9.2, both running squid
3.3.8. The CentOS however is configured as follows:

cache_peer x.x.x.x parent 80 0 no-query no-digest
never_direct allow all

x.x.x.x is the IP address of my FreeBSD

I can browse the internet fine, except https://facebook.com. I am able
to authenticate, but after that the site does not load, some images show
up and some do not, and if I refresh sometimes the page goes blank
and nothing shows up.

I also see issues with cnn.com: the area where the live TV is, is missing,
it's blank.

If I change the proxy to my FreeBSD directly, all works fine.


Any ideas?


Does adding nonhierarchical_direct off to squid.conf have any effect?

Amos


[squid-users] Re: load tpoxy wccp on multiple interfaces by smp ?

2013-11-03 Thread Dr.x
Eliezer Croitoru-2 wrote
 On 11/03/2013 09:52 PM, Eliezer Croitoru wrote:
 It's an accurate description but it's more than nothing)
 Typo fix: it's not an accurate.
 
 Eliezer

Well, thanks a lot for your time and reply.

I don't mind testing the machine and seeing the performance.
I will tell you about the result.

regards



-
Dr.x