subject:"\[squid\-users\] Squid with Kerberos auth"

Re: [squid-users] Squid with Kerberos auth

2011-12-21 Thread Wladner Klimach

Amos,

so what could be causing so much load on cpu? When I run top i can see
there's no swap and the squid_kerb_auth is the process that causes
this high CPU usage. Is there any way i can check this helper? Here,
down low, is my squid.conf. I hope you point some light because i
don't believe squid runs in so such poor speed.

auth_param negotiate program
/etc/squid/squid-3.1.16/helpers/negotiate_auth/squid_kerb_auth/squid_kerb_auth
 -s HTTP/trotsky.redecamara.camara.gov.br
auth_param negotiate children 4
auth_param negotiate keep_alive on

# ACLs externas para buscar grupo baseado em Kerberos.
external_acl_type squid_kerb_ldap  ttl=3600 negative_ttl=3600 %LOGIN
/etc/squid/squid-3.1.16/squid_kerb_ldap/squid_kerb_ldap -S
californio.redecamara.camara.gov.br  -g
inter...@redecamara.camara.gov.br

visible_hostname trotsky.redecamara.camara.gov.br
dns_nameservers 10.1.3.5

hierarchy_stoplist cgi-bin ?
#acl liberados dstdomain "/etc/squid/liberados.txt"
acl ldap_group_check external squid_kerb_ldap
acl AUTENTICADO proxy_auth REQUIRED
http_access allow ldap_group_check
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
#acl teste external Internet teste
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl SSL_ports port 443
acl SSL_ports port 1863
acl SSL_ports port 563
acl SSL_ports port 465
acl SSL_ports port 995
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 563 # https
acl Safe_ports port 465 # https
acl Safe_ports port 995 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

acl INTRANETdst 10.0.0.0/8
acl EXE urlpath_regex -i \.exe$
acl ZIP urlpath_regex -i \.zip$
acl ARJ urlpath_regex -i \.arj$
acl MP3 urlpath_regex -i \.mp3$
acl RAR urlpath_regex -i \.rar$
acl GZ  urlpath_regex -i \.gz$
acl ISO1 urlpath_regex -i \.iso\?+$
acl EXE1 urlpath_regex -i \.exe\?+$
acl ZIP1 urlpath_regex -i \.zip\?+$
acl ARJ1 urlpath_regex -i \.arj\?+$
acl MP31 urlpath_regex -i \.mp3\?+$
acl RAR1 urlpath_regex -i \.rar\?+$
acl GZ1  urlpath_regex -i \.gz\?+$

http_access allow INTRANET

http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128
cache_store_log none
maximum_object_size 16384 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 50 KB
cache_swap_low 95
cache_swap_high 98
ipcache_size6000
ipcache_low 90
ipcache_high 92
fqdncache_size 6000
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
half_closed_clients off
memory_pools off

cache_dir diskd /cache/squid 1 64 256 Q1=64 Q2=72
cache_mem 2048 MB
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
max_filedescriptors 1024
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:   144020% 10080
refresh_pattern ^gopher:14400%  1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern .   0   20% 4320

Regards,

Wladner

2011/12/20 Amos Jeffries :
> On 21/12/2011 3:03 a.m., Wladner Klimach wrote:
>>
>> But the problem is that i'm not running IPv6 in my network. That's why
>
> "Welcome to your IPv6 enabled transit network. Whether you like it, or not."
> - Rob Issac, 2008.
> (http://www.ausnog.net/files/ausnog-03/presentations/ausnog03-ward-IPv6_enabled_network.pdf)
>
> Try with -n parameter to lsof. You might get a surprise.
>
> The TCP "hybrid" stack can use IPv6 sockets for IPv4 traffic, this may also
> be what you are seeing. Squid-3.1+ will detect stack types and use this
> optimization for receiving ports if it can.
>
>
>> I've asked if this could be a problem. And the cpu usage hiting 99%
>> with only one user? Does it look like hardware limitation? When i'm
>> not using authentication, the cpu usage doesn't hit 50%.
>
>
> Unlikely with one user.
>
> All Squid does for auth is take the

Re: [squid-users] Squid with Kerberos auth

2011-12-20 Thread Amos Jeffries


On 21/12/2011 3:03 a.m., Wladner Klimach wrote:

But the problem is that i'm not running IPv6 in my network. That's why

"Welcome to your IPv6 enabled transit network. Whether you like it, or not."
- Rob Issac, 2008. 
(http://www.ausnog.net/files/ausnog-03/presentations/ausnog03-ward-IPv6_enabled_network.pdf)


Try with -n parameter to lsof. You might get a surprise.

The TCP "hybrid" stack can use IPv6 sockets for IPv4 traffic, this may 
also be what you are seeing. Squid-3.1+ will detect stack types and use 
this optimization for receiving ports if it can.



I've asked if this could be a problem. And the cpu usage hiting 99%
with only one user? Does it look like hardware limitation? When i'm
not using authentication, the cpu usage doesn't hit 50%.


Unlikely with one user.

All Squid does for auth is take the tokens out of HTTP headers and relay 
it to the auth backend. Then add the backends reply token to the HTTP 
response for the client. Very minimal CPU operations in Squid, unknown 
amount in the backend. Maybe (max) 32KB of token copied each way, plus 
the HTTP bits.


Amos

Re: [squid-users] Squid with Kerberos auth

2011-12-20 Thread Amos Jeffries


On 20/12/2011 7:40 a.m., Wladner Klimach wrote:

Look at this:

Every 2.0s: lsof -i :3128
Mon Dec
19 16:38:22 2011

COMMAND   PID  USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
squid   20367 squid   12u  IPv6 2474452  0t0  TCP
trotsky.redecamara.camara.gov.br:squid->cainf-269642.redecamara.camara.gov.br:4225
(ESTABLISHED)
squid   20367 squid   18u  IPv6 2473286  0t0  TCP
trotsky.redecamara.camara.gov.br:squid->cainf-269642.redecamara.camara.gov.br:4202
(ESTABLISHED)
squid   20367 squid   22u  IPv6 2474474  0t0  TCP
trotsky.redecamara.camara.gov.br:squid->cainf-269642.redecamara.camara.gov.br:4229
(ESTABLISHED)
squid   20367 squid   24u  IPv6 2473304  0t0  TCP
trotsky.redecamara.camara.gov.br:squid->cainf-269642.redecamara.camara.gov.br:4204
(ESTABLISHED)
squid   20367 squid   28u  IPv6 2473756  0t0  TCP
trotsky.redecamara.camara.gov.br:squid->cainf-269642.redecamara.camara.gov.br:4210
(ESTABLISHED)
squid   20367 squid   34u  IPv6 2474462  0t0  TCP
trotsky.redecamara.camara.gov.br:squid->cainf-269642.redecamara.camara.gov.br:4227
(ESTABLISHED)
squid   20367 squid   38u  IPv6 2474457  0t0  TCP
trotsky.redecamara.camara.gov.br:squid->cainf-269642.redecamara.camara.gov.br:4226
(ESTABLISHED)
squid   20367 squid   42u  IPv6 2474467  0t0  TCP
trotsky.redecamara.camara.gov.br:squid->cainf-269642.redecamara.camara.gov.br:4228
(ESTABLISHED)
squid   20367 squid   44u  IPv6 2474477  0t0  TCP
trotsky.redecamara.camara.gov.br:squid->cainf-269642.redecamara.camara.gov.br:4230
(ESTABLISHED)
squid   20367 squid  156u  IPv6 2472223  0t0  TCP *:squid (LISTEN)


Is only has IPV6 conection types. Is this a problem or point a
possible bottleneck ?


Problem? no.

Possible bottleneck? depends if there is a slow IPv6 connectivity 
between Squid and that remote machine (ie a tunnel with wrapping 
overheads). ~75% of networks have faster IPv6 connectivity than IPv4 
connectivity.


Amos

Re: [squid-users] Squid with Kerberos auth

2011-12-19 Thread Wladner Klimach

Look at this:

Every 2.0s: lsof -i :3128
   Mon Dec
19 16:38:22 2011

COMMAND   PID  USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
squid   20367 squid   12u  IPv6 2474452  0t0  TCP
trotsky.redecamara.camara.gov.br:squid->cainf-269642.redecamara.camara.gov.br:4225
(ESTABLISHED)
squid   20367 squid   18u  IPv6 2473286  0t0  TCP
trotsky.redecamara.camara.gov.br:squid->cainf-269642.redecamara.camara.gov.br:4202
(ESTABLISHED)
squid   20367 squid   22u  IPv6 2474474  0t0  TCP
trotsky.redecamara.camara.gov.br:squid->cainf-269642.redecamara.camara.gov.br:4229
(ESTABLISHED)
squid   20367 squid   24u  IPv6 2473304  0t0  TCP
trotsky.redecamara.camara.gov.br:squid->cainf-269642.redecamara.camara.gov.br:4204
(ESTABLISHED)
squid   20367 squid   28u  IPv6 2473756  0t0  TCP
trotsky.redecamara.camara.gov.br:squid->cainf-269642.redecamara.camara.gov.br:4210
(ESTABLISHED)
squid   20367 squid   34u  IPv6 2474462  0t0  TCP
trotsky.redecamara.camara.gov.br:squid->cainf-269642.redecamara.camara.gov.br:4227
(ESTABLISHED)
squid   20367 squid   38u  IPv6 2474457  0t0  TCP
trotsky.redecamara.camara.gov.br:squid->cainf-269642.redecamara.camara.gov.br:4226
(ESTABLISHED)
squid   20367 squid   42u  IPv6 2474467  0t0  TCP
trotsky.redecamara.camara.gov.br:squid->cainf-269642.redecamara.camara.gov.br:4228
(ESTABLISHED)
squid   20367 squid   44u  IPv6 2474477  0t0  TCP
trotsky.redecamara.camara.gov.br:squid->cainf-269642.redecamara.camara.gov.br:4230
(ESTABLISHED)
squid   20367 squid  156u  IPv6 2472223  0t0  TCP *:squid (LISTEN)


Is only has IPV6 conection types. Is this a problem or point a
possible bottleneck ?

2011/12/19 Wladner Klimach :
> Amos,
>
> how can I check if the keep alive is really working? Another thing, is
> it normal behavior the cpu usage being hit 98% usage during one domain
> download page? Could it be just hardware limitation? If so, this is a
> very awkward situation because there's no severe load upon squid cause
> only I using it.
>
> Regards,
>
> Wladner
>
> 2011/12/14 Amos Jeffries :
>> On Wed, 14 Dec 2011 13:22:38 -0200, Wladner Klimach wrote:
>>>
>>> Hello,
>>>
>>> i'm running squid with kerberos authentication. The problem is that
>>> it's runing too slow. Looks like squid is negotiating with AD every
>>> URL it tries to get. Anyone could point me a way out?
>>
>>
>> A few things:
>>
>>  * Double-check that you have connection persistence (keep-alive) operating
>> on all connections (both client and server).
>>
>>  * Ensure that your squid is as recent as you can use, we have had ongoing
>> small fixes to improve persistence across all releases this past year.
>>
>>  * Check that the auth packets are not failing over into NTLM or older
>> protocols in apps which are supposed to be on Kerberos.
>>
>>  * Maybe also check that DNS lookups Kerberos depends on for DC location are
>> responding fast with reasonable TTL.
>>
>> Amos
>>

Re: [squid-users] Squid with Kerberos auth

2011-12-19 Thread Wladner Klimach

Amos,

how can I check if the keep alive is really working? Another thing, is
it normal behavior the cpu usage being hit 98% usage during one domain
download page? Could it be just hardware limitation? If so, this is a
very awkward situation because there's no severe load upon squid cause
only I using it.

Regards,

Wladner

2011/12/14 Amos Jeffries :
> On Wed, 14 Dec 2011 13:22:38 -0200, Wladner Klimach wrote:
>>
>> Hello,
>>
>> i'm running squid with kerberos authentication. The problem is that
>> it's runing too slow. Looks like squid is negotiating with AD every
>> URL it tries to get. Anyone could point me a way out?
>
>
> A few things:
>
>  * Double-check that you have connection persistence (keep-alive) operating
> on all connections (both client and server).
>
>  * Ensure that your squid is as recent as you can use, we have had ongoing
> small fixes to improve persistence across all releases this past year.
>
>  * Check that the auth packets are not failing over into NTLM or older
> protocols in apps which are supposed to be on Kerberos.
>
>  * Maybe also check that DNS lookups Kerberos depends on for DC location are
> responding fast with reasonable TTL.
>
> Amos
>

Re: [squid-users] Squid with Kerberos auth

2011-12-14 Thread Amos Jeffries


On Wed, 14 Dec 2011 13:22:38 -0200, Wladner Klimach wrote:

Hello,

i'm running squid with kerberos authentication. The problem is that
it's runing too slow. Looks like squid is negotiating with AD every
URL it tries to get. Anyone could point me a way out?


A few things:

 * Double-check that you have connection persistence (keep-alive) 
operating on all connections (both client and server).


 * Ensure that your squid is as recent as you can use, we have had 
ongoing small fixes to improve persistence across all releases this past 
year.


 * Check that the auth packets are not failing over into NTLM or older 
protocols in apps which are supposed to be on Kerberos.


 * Maybe also check that DNS lookups Kerberos depends on for DC 
location are responding fast with reasonable TTL.


Amos

[squid-users] Squid with Kerberos auth

2011-12-14 Thread Wladner Klimach

Hello,

i'm running squid with kerberos authentication. The problem is that
it's runing too slow. Looks like squid is negotiating with AD every
URL it tries to get. Anyone could point me a way out?

Best regards,

Wladner

Re: [squid-users] Squid with Kerberos auth

Re: [squid-users] Squid with Kerberos auth

Re: [squid-users] Squid with Kerberos auth

Re: [squid-users] Squid with Kerberos auth

Re: [squid-users] Squid with Kerberos auth

Re: [squid-users] Squid with Kerberos auth

[squid-users] Squid with Kerberos auth

7 matches

Site Navigation

Mail list logo

Footer information