[squid-users] Re: Squid with Kerberos auth

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Thu, 29 Dec 2011 23:44:54 -0000

It was an SELinux problem. Disabling SELinux solved the issue.

Markus

"Markus Moeller" <huaraz_at_moeller.plus.com> wrote in message
news:jctlle$i63$1_at_dough.gmane.org...
> Can you run an strace against the process ?
>
> Markus
>
> "Wladner Klimach" <wladner_at_gmail.com> wrote in message
> news:CAP3mw_Eaz_v+QaQiZ+Vc1S0oyzaWwES1-FdhTezEabFRq7Ajew_at_mail.gmail.com...
>> Amos,
>>
>> so what could be causing so much load on the CPU? When I run top I can see
>> there's no swap, and squid_kerb_auth is the process that causes
>> this high CPU usage. Is there any way I can check this helper? Here,
>> below, is my squid.conf. I hope you can shed some light, because I
>> don't believe Squid runs at such poor speed.
>>
>> auth_param negotiate program /etc/squid/squid-3.1.16/helpers/negotiate_auth/squid_kerb_auth/squid_kerb_auth -s HTTP/trotsky.redecamara.camara.gov.br
>> auth_param negotiate children 4
>> auth_param negotiate keep_alive on
>>
>> # External ACLs to look up group membership based on the Kerberos login.
>> external_acl_type squid_kerb_ldap ttl=3600 negative_ttl=3600 %LOGIN /etc/squid/squid-3.1.16/squid_kerb_ldap/squid_kerb_ldap -S californio.redecamara.camara.gov.br -g Internet_at_REDECAMARA.CAMARA.GOV.BR
>>
>> visible_hostname trotsky.redecamara.camara.gov.br
>> dns_nameservers 10.1.3.5
>>
>> hierarchy_stoplist cgi-bin ?
>> #acl liberados dstdomain "/etc/squid/liberados.txt"
>> acl ldap_group_check external squid_kerb_ldap
>> acl AUTENTICADO proxy_auth REQUIRED
>> http_access allow ldap_group_check
>> # Recommended minimum configuration:
>> #
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/32 ::1
>> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
>> #acl teste external Internet teste
>> # Example rule allowing access from your local networks.
>> # Adapt to list your (internal) IP networks from where browsing
>> # should be allowed
>> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
>> acl SSL_ports port 443
>> acl SSL_ports port 1863
>> acl SSL_ports port 563
>> acl SSL_ports port 465
>> acl SSL_ports port 995
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 563 # https
>> acl Safe_ports port 465 # https
>> acl Safe_ports port 995 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl CONNECT method CONNECT
>>
>>
>> http_access deny manager
>>
>> # Deny requests to certain unsafe ports
>> http_access deny !Safe_ports
>>
>> # Deny CONNECT to other than secure SSL ports
>> http_access deny CONNECT !SSL_ports
>>
>> # We strongly recommend the following be uncommented to protect innocent
>> # web applications running on the proxy server who think the only
>> # one who can access services on "localhost" is a local user
>> #http_access deny to_localhost
>>
>> #
>> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
>>
>> acl INTRANET dst 10.0.0.0/8
>> acl EXE urlpath_regex -i \.exe$
>> acl ZIP urlpath_regex -i \.zip$
>> acl ARJ urlpath_regex -i \.arj$
>> acl MP3 urlpath_regex -i \.mp3$
>> acl RAR urlpath_regex -i \.rar$
>> acl GZ urlpath_regex -i \.gz$
>> acl ISO1 urlpath_regex -i \.iso\?+$
>> acl EXE1 urlpath_regex -i \.exe\?+$
>> acl ZIP1 urlpath_regex -i \.zip\?+$
>> acl ARJ1 urlpath_regex -i \.arj\?+$
>> acl MP31 urlpath_regex -i \.mp3\?+$
>> acl RAR1 urlpath_regex -i \.rar\?+$
>> acl GZ1 urlpath_regex -i \.gz\?+$
>>
>>
>> http_access allow INTRANET
>>
>> http_access allow localhost
>> # And finally deny all other access to this proxy
>> http_access deny all
>>
>> # Squid normally listens to port 3128
>> http_port 3128
>> cache_store_log none
>> maximum_object_size 16384 KB
>> minimum_object_size 0 KB
>> maximum_object_size_in_memory 50 KB
>> cache_swap_low 95
>> cache_swap_high 98
>> ipcache_size 6000
>> ipcache_low 90
>> ipcache_high 92
>> fqdncache_size 6000
>> memory_replacement_policy heap GDSF
>> cache_replacement_policy heap LFUDA
>> half_closed_clients off
>> memory_pools off
>>
>> cache_dir diskd /cache/squid 10000 64 256 Q1=64 Q2=72
>> cache_mem 2048 MB
>> # Leave coredumps in the first cache dir
>> coredump_dir /var/spool/squid
>> max_filedescriptors 1024
>> # Add any of your own refresh_pattern entries above these.
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>> refresh_pattern . 0 20% 4320
>>
>> Regards,
>>
>> Wladner
>>
>>
>>
>> 2011/12/20 Amos Jeffries <squid3_at_treenet.co.nz>:
>>> On 21/12/2011 3:03 a.m., Wladner Klimach wrote:
>>>>
>>>> But the problem is that i'm not running IPv6 in my network. That's why
>>>
>>> "Welcome to your IPv6 enabled transit network. Whether you like it, or
>>> not."
>>> - Rob Issac, 2008.
>>> (http://www.ausnog.net/files/ausnog-03/presentations/ausnog03-ward-IPv6_enabled_network.pdf)
>>>
>>> Try with -n parameter to lsof. You might get a surprise.
>>>
>>> The TCP "hybrid" stack can use IPv6 sockets for IPv4 traffic, this may
>>> also be what you are seeing. Squid-3.1+ will detect stack types and use
>>> this optimization for receiving ports if it can.
>>>
>>>
>>>> I've asked if this could be a problem. And the CPU usage hitting 99%
>>>> with only one user? Does it look like a hardware limitation? When I'm
>>>> not using authentication, the CPU usage doesn't hit 50%.
>>>
>>>
>>> Unlikely with one user.
>>>
>>> All Squid does for auth is take the tokens out of HTTP headers and relay
>>> them to the auth backend. Then add the backend's reply token to the HTTP
>>> response for the client. Very minimal CPU operations in Squid, unknown
>>> amount in the backend. Maybe (max) 32KB of token copied each way, plus
>>> the HTTP bits.
>>>
>>> Amos
>>
>
>
>
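Added example, not part of the thread and not Squid project code: a POSIX shell snippet that pulls out of SELinux AVC audit records the denials attributed to the squid_kerb_auth helper, so a problem like the one Markus resolved by disabling SELinux can be pinned to the exact denied permission and fixed with a targeted local policy instead. The audit lines in SAMPLE_AUDIT are constructed for illustration, and the SELinux domain and type names in them (squid_t, krb5_keytab_t, kerberos_port_t) are assumptions modelled on the Fedora/RHEL targeted policy, not values taken from the original poster's system. On a real host, feed the function the output of `ausearch -m avc -ts recent` instead of the sample.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials for a Squid auth helper.
# The audit records below are CONSTRUCTED for illustration; the type names
# (squid_t, krb5_keytab_t, kerberos_port_t) are assumptions, not data from
# the thread. On a real host use:  ausearch -m avc -ts recent | avc_summary squid_kerb_auth
SAMPLE_AUDIT='type=AVC msg=audit(1325196000.123:401): avc:  denied  { read } for  pid=2345 comm="squid_kerb_auth" name="krb5.keytab" dev="dm-0" ino=131 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=file
type=AVC msg=audit(1325196000.124:402): avc:  denied  { name_connect } for  pid=2345 comm="squid_kerb_auth" dest=88 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:kerberos_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1325196001.000:403): avc:  denied  { write } for  pid=999 comm="httpd" name="foo" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file'

# avc_summary COMM
#   Reads AVC records on stdin and prints one line per denial whose
#   comm= field matches COMM, in the form:  <permission> <tclass> <target type>
#   e.g. "read file krb5_keytab_t". Records for other processes are dropped.
avc_summary() {
    comm="$1"
    grep "comm=\"$comm\"" |
        sed -n 's/.*denied  *{ *\([^ }]*\) *}.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*/\1 \3 \2/p'
}

# avc_count COMM
#   Number of denials attributed to COMM in the constructed sample.
avc_count() {
    printf '%s\n' "$SAMPLE_AUDIT" | avc_summary "$1" | wc -l | tr -d ' '
}

# Stand-alone run: list what the helper was refused.
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary squid_kerb_auth
```

With the denials isolated to the helper's own comm, the usual next step is to generate and review a local module rather than turning enforcement off: `ausearch -m avc -c squid_kerb_auth | audit2allow -M squid_kerb_local` writes a .te file you can read before installing it with `semodule -i squid_kerb_local.pp`. A read denial on the keytab or a name_connect denial to the Kerberos port (88) is also the kind of blocked syscall that `strace -f -e trace=file,network -p PID` on the helper would show as EACCES or EPERM, which is what Markus's strace suggestion would have surfaced. If you need a quick confirmation that SELinux is the cause, `setenforce 0` for the duration of one test is reversible; removing SELinux from the proxy host permanently gives up the confinement of the squid_t domain for every helper and the Squid process itself.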
Received on Thu Dec 29 2011 - 23:45:16 MST

This archive was generated by hypermail 2.2.0 : Fri Dec 30 2011 - 12:00:06 MST