Re: [squid-users] Connection error

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 31 Jan 2011 23:48:15 +1300

On 31/01/11 18:44, Senthilkumar wrote:
> Thank you .
>
> We are using squid 3.1.8 with 100 children for ntlm scheme. We have
> about 500 users and around 75 req/sec.
>
> In the cache log rarely we see 100 pending ntlm requests and that time
> squid reconfigures automatically.
> Is it default behaviour of squid to reconfigure when ntlm are queued.?
>

No, reconfigure only happens when the administrator or some operating
system controls runs "squid -k reconfigure".

You may be seeing a crash and restart?

> In the cache log we can see following errors also.
>
> 2011/01/31 10:59:02| AuthConfig::CreateAuthUser: Unsupported or
> unconfigured/inactive proxy-auth scheme, 'Basic
> bnByY1xzaHViaGFuZ2lkOmdhbGF4eUA1Nw=='
> 2011/01/31 10:59:18| AuthConfig::CreateAuthUser: Unsupported or
> unconfigured/inactive proxy-auth scheme, 'Basic
> bnByY1xzaHViaGFuZ2lkOmdhbGF4eUA1Nw=='

Normal message for a proxy without Basic auth configured when the client
send Basic credentials to it.

Squid is supposed to pause requests during the configure time. So why
this shows up is a problem that needs to be found.

Amos

> Amos Jeffries wrote:
>> On Tue, 25 Jan 2011 19:25:33 +0530, Senthilkumar wrote:
>>> Hi Amos,
>>>
>>> I have followed the suggestions provided by you and if use deny
>>> without "all" i am getting pop up when i access denied sites, it is
>>> suppressed when i use all.
>>> We use ntlm scheme to authenticate with domain users, all users can
>>> authenticate without any prompt, while browsing out of 350 users only
>>> 5-6 users getting prompt rarely(around 2-3 times a day)
>>> There is no specific website or time the prompt appears. Please
>>> suggest some troubleshooting ideas and cause for it.
>>> The cache.log does not show any errors
>>
>> I'm not sure exactly which deny line you are describing as producing a
>> popup. The config below looks right. Where you deny based on group
>> lookups
>> the lines should end with "all", as you saw not having it there produces
>> the popup.
>>
>>
>> NTLM can suffer from a few issues on connections and some bugs in Squid.
>> Though both of these problems have been worked on and reduced in newer
>> releases.
>>
>> If one of the "allow" group lookups is somehow failing this may produce a
>> popup.
>>
>> I am not sure how one would check for these in production environment.
>> The
>> things to watch out for are the HTTP auth headers for the request before
>> during and after the prompt appears. Whether this is happening on a
>> connection while it stays up, or if the connection drops out on the
>> challenge. Whether it happened on a new connection using some non-NTLM
>> auth
>> (ie a Windows 7 machine trying an unexpected encryption, or some
>> background
>> application with the wrong keys).
>>
>> Amos
>>
>

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.10
   Beta testers wanted for 3.2.0.4
Received on Mon Jan 31 2011 - 10:48:21 MST

This archive was generated by hypermail 2.2.0 : Tue Feb 01 2011 - 12:00:04 MST