El 20/09/2012 5:55, Amos Jeffries escribió:
> Welcome to the real world. Software all has capacity limits. Someone is
> performing a *DoS* on your proxy using an internal link with higher
> capacity than your service software. What do you do about that?
> * close the hole (fix the app, disable it)
> * lower the clients service capacity (QoS limit them)
> * raise your software capacity (polish your squid.conf for performance,
> and add a blacklist on that apps requests to reject then with a 403
> instead of 407)
>
> ... then re-evaluate whether they are a problem.
>
> Hint: the faster your Squid responds the faster they will retry. Unless
> you manage to get Squid response capacity to be greater than the load
> facing it. Thus the QoS kind of appears to work even if it does not
> solve anything.
Thank you, I have decided reject with a 403 message and the problem has
been fixed.
I have used and acl in squid:
acl DeniedDomains dstdomain feeds.store.ovi.com
http_access deny DeniedDomains
>> I have found a person who have same problem (here:
>> http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-memory-issue-td3044458.html)
>>
>> but not solution is provide in that thread.
>>
>> The problem is that some Nokia application try to access to an URL, it
>> receive 407 error and try again ad infinitum. This cause high load after
>> few minutes and I need restart the squid/dansguardian services for
>> restore the correct load of my server.
>>
>> This problem affect to snmp daemon (who works through squid to do some
>> checks) and also cause NTLM auth problem.
>
> Er. yes. Maybe NTLM is a large part of the real problem and this is a
> side-effect?
> Hint: if the NTLM auth helper is being contacted the client *is* sending
> NTLM labeled credentials which need to be checked by it. The start 407
> message of the NTLM handshake is just the proxy saying it supports NTLM.
> A client which responded by re-trying without any credentials would
> simply get the same response back with no load on the helper.
I don't understand very well what you are trying say with this sentence.
If I understood you, first you say me that NTLM can be part of the
problem. But from your "hint" commentary, I understand that you are
saying me that NTLM auth helper hasn't been work yet at this level. How
can cause the problem an element wich doesn't take part in the process?.
I'm sorry, probably my confusion is produced by my poor english level,
so don't worry.
In any case, I think that NTLM auth helper and SNMP daemon were crashing
due to server overload.
Received on Tue Sep 25 2012 - 07:01:56 MDT
This archive was generated by hypermail 2.2.0 : Tue Sep 25 2012 - 12:00:06 MDT