On Thu, 16 Sep 2004 09:05:47 +0200 (CEST), Henrik Nordstrom
<hno@squid-cache.org> wrote:
> On Thu, 16 Sep 2004, Rob H wrote:
>
> > The problem is that during busy periods many pages are being displayed
> > with many broken images & frequently the browser (IE6) displays the
> > "Cannot find server or DNS error" message.
>
> First consult your cache.log file to see if there is any obvious
> complaints from Squid.
>
Nothing out of the ordinary in the cache.log - just a few entries like this:
2004/09/17 09:29:52| urlParse: Illegal character in hostname '$$mainrs.privatewebservername'
2004/09/17 09:30:06| sslWriteClient: FD 120: write failure: (104) Connection reset by peer.
- and I know that these are not related.
However I do think I have narrowed it down to an NTLM or
authentication issue - it is something I should have spotted a week
ago, but as is typical - I have overlooked a simple thing whilst
delving into the complicated.
What I noticed was that firstly the problem was also occurring in non
peak times also - it just appeared to be less frequent (or there
weren't as many people screaming at me about it). I started browsing
pages with 20+ images on them until I got a broken image - found the
URL of that image and looked for it in the access.log. What I found
were two TCP_DENIED/407 entries for the missing but no TCP_MISS,
TCP_HIT (or any other entry related to that particular URL):
1095301093.729 1 10.49.4.164 TCP_DENIED/407 1660 GET http://gallery.yimg.com/c/100wm/11451783.jpg - NONE/- text/html
I repeated this 10 times over a 2 hour period and saw the same result.
I know that because of the NTLM handshake that the log shows two GETs
resulting in TCP_DENIED entries followed by a GET resulting in a HIT
or MISS - but in this case it apparently randomly misses out on
receiving the third GET.
I have turned off authentication and browsing has been stable for the
past 20 hours.
My next step is to set up a sniffer to see if it is the client that is
failing to send the request, or if the client is sending the request
but squid isn't doing anything with it.
Here are some relevant configs:
squid.conf
------------------------------
auth_param ntlm program /usr/local/squid/libexec/wb_ntlmauth
auth_param ntlm children 50
auth_param ntlm max_challenge_reuses 5000
auth_param ntlm max_challenge_lifetime 480 minutes
auth_param basic program /usr/local/squid/libexec/wb_auth
auth_param basic children 5
auth_param basic realm Proxy Server
auth_param basic credentialsttl 2 hours
external_acl_type NT_global_group concurrency=25 %LOGIN /usr/local/squid/libexec/wb_group
acl AuthorisedUsers proxy_auth REQUIRED
acl Group_WebBrowsers external NT_global_group Web_Browsers
http_access allow AuthorisedUsers Group_WebBrowsers
------------------------------
samba.conf
------------------------------
[global]
workgroup = OURDOMAIN
password server = OURPDC
server string = Proxy Server
log file = /var/log/samba/log.%m
max log size = 500000
security = domain
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
domain master = no
preferred master = no
wins support = no
wins server= IP OF OUR WINS SERVER
wins proxy = no
dns proxy = no
encrypt passwords = yes
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 120
------------------------------
Thanks for your help and suggestions
--- Regards, Rob Hadfield
Received on Thu Sep 16 2004 - 18:25:01 MDT
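
The manual check described in the message above (finding URLs that show only TCP_DENIED/407 entries with no completing request) can be automated over access.log. The following is an added example, not part of the original post or of Squid; the function names, the 5-second window and the sample log lines are assumptions made for illustration.

```python
# Added example: flag NTLM handshakes that stop after the 407 challenges.
WINDOW = 5.0  # assumed: seconds allowed between a 407 and the completing request

# Constructed sample lines in Squid's native access.log format.
SAMPLE_LOG = """\
1095301090.100 1 10.49.4.164 TCP_DENIED/407 1660 GET http://img.example.test/a.jpg - NONE/- text/html
1095301090.120 1 10.49.4.164 TCP_DENIED/407 1660 GET http://img.example.test/a.jpg - NONE/- text/html
1095301090.300 95 10.49.4.164 TCP_MISS/200 5120 GET http://img.example.test/a.jpg user1 DIRECT/192.0.2.10 image/jpeg
1095301093.700 1 10.49.4.164 TCP_DENIED/407 1660 GET http://img.example.test/b.jpg - NONE/- text/html
1095301093.729 1 10.49.4.164 TCP_DENIED/407 1660 GET http://img.example.test/b.jpg - NONE/- text/html
1095301094.010 1 10.49.4.165 TCP_DENIED/407 1660 GET http://img.example.test/b.jpg - NONE/- text/html
1095301094.030 1 10.49.4.165 TCP_DENIED/407 1660 GET http://img.example.test/b.jpg - NONE/- text/html
1095301094.200 2 10.49.4.165 TCP_HIT/200 5120 GET http://img.example.test/b.jpg user2 NONE/- image/jpeg
truncated line
"""

def parse_line(line):
    """Return (timestamp, client, http_status, url), or None for a malformed line."""
    f = line.split()
    if len(f) < 10:
        return None
    try:
        ts = float(f[0])
    except ValueError:
        return None
    status = f[3].partition("/")[2]  # "TCP_DENIED/407" -> "407"
    return ts, f[2], status, f[6]

def find_stalled_handshakes(lines, window=WINDOW):
    """List (client, URL) pairs whose 407s were never followed by a completed request."""
    pending, stalled = {}, []  # pending: key -> [first_ts, last_ts, count]
    def flush(key):
        first, _, count = pending.pop(key)
        stalled.append({"client": key[0], "url": key[1],
                        "first_407": first, "denied_count": count})

    for rec in filter(None, map(parse_line, lines)):
        ts, client, status, url = rec
        key = (client, url)
        if key in pending and ts - pending[key][1] > window:
            flush(key)  # the earlier challenge timed out before this entry
        if status == "407":
            entry = pending.setdefault(key, [ts, ts, 0])
            entry[1] = ts
            entry[2] += 1
        else:
            pending.pop(key, None)  # handshake completed (HIT, MISS, ...)
    for key in list(pending):
        flush(key)
    return stalled
```

Squid writes each access.log entry when the request finishes, so run this over a closed time range rather than the live tail, where an in-flight third request would show up as a false stall.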