Hi Folks, Here it is:
Hardware specs: HP DL160G6, 8GB RAM, 2 SAS 146GB 15K RPM RAID01
OS specs: Centos 5.5 X86-64 - 2.6.18-194.8.1.el5 Windows Server 2003 R2 (AD)
Packages: squid-2.6.STABLE21-6.el5 krb5-libs-1.6.1-36.el5_5.5 pam_krb5-2.2.14-15 pam_krb5-2.2.14-15 krb5-libs-1.6.1-36.el5_5.5 krb5-workstation-1.6.1-36.el5_5.5
squid.conf: visible_hostname hostname.domain http_port 3128 icp_port 3130 hierarchy_stoplist cgi-bin ? ### no auth acl RepoNoauth url_regex "/opt/catfish/etc/rules/url_regex/RepoNoauth" acl Servidores src "/opt/catfish/etc/rules/src/Servidores" http_access allow Servidores RepoNoauth auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -s HTTP/hostname.domain auth_param negotiate children 1500 auth_param negotiate keep_alive on auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp auth_param ntlm children 50 authenticate_ttl 12 hours auth_param ntlm keep_alive on auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic auth_param basic children 5 auth_param basic realm Cluster Proxy auth_param basic credentialsttl 2 hours negative_ttl 10 seconds cache_store_log none max_filedesc 32768 cache_swap_high 96 strip_query_terms off refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern . 0 20% 4320 acl QUERY urlpath_regex cgi-bin \? 
acl manager proto cache_object acl localhost src 127.0.0.1/255.255.255.255 acl to_localhost dst 127.0.0.0/8 acl SSL_ports port 21 70 80 81 82 85 88 89 90 100 210 280 333 443 488 563 591 777 800-65535 acl CONNECT method CONNECT acl HEAD method HEAD ### alterado acl Safe_ports port 21 70 80 81 82 83 85 88 89 90 100 210 280 333 443 488 563 591 777 800-65535 acl all src 0.0.0.0-255.255.255.255 acl allUsuariosHorarioDeAlmoco src 0.0.0.0-255.255.255.255 acl allUsuariosNegados src 0.0.0.0-255.255.255.255 acl snmppublic snmp_community public acl gerenciador src 127.0.0.0/8 10.96.156.0/24 10.8.1.0/24 10.96.210.0/24 delay_pools 3 ### alguns sites lentos ### gnutela acl portaslentas port 6346 1214 delay_class 1 1 delay_access 1 allow portaslentas delay_parameters 1 666/666 ### filmes acl sitesdefilme url_regex "/opt/catfish/etc/rules/url_regex/SitesFilmes" acl extensoesdefilmes urlpath_regex -i \.avi \.mpg \.mpeg \.mov delay_class 2 2 delay_access 2 allow sitesdefilme delay_parameters 2 -1/-1 10000/10000 5000/5000 ### Toledo acl filmesemusicas urlpath_regex -i \.avi \.mpg \.mpeg \.mp3 \.mov acl rangetoledo src 10.194.0.0-10.194.255.255 delay_class 3 1 delay_access 3 allow filmesemusicas rangetoledo delay_parameters 3 666/666 # expanions ilha consulta acl Expanion url_regex "/opt/catfish/etc/rules/url_regex/Expanion" acl IPExpanion src "/opt/catfish/etc/rules/src/IPExpanion" http_access allow IPExpanion Expanion http_access deny all IPExpanion # sites com acesso permitido sem autenticar acl SitesNoauth url_regex "/opt/catfish/etc/rules/url_regex/SitesNoauth" http_access allow all SitesNoauth always_direct allow SitesNoauth http_access allow HEAD SitesNoauth # skype liberar acl skype_port port 443 acl connect_skype method CONNECT acl LiberarSkype src "/opt/catfish/etc/rules/src/IPAcessoLiberarIMs" http_access allow LiberarSkype skype_port connect_skype # acl's para logins acl Todos proxy_auth REQUIRED acl free proxy_auth_regex "/opt/catfish/etc/auth/rules/free" acl freeip src 
"/opt/catfish/etc/auth/rules/freeip" acl LiberarIMsauth proxy_auth_regex "/opt/catfish/etc/rules/src/UsuariosLiberarIMs" ### bagre acls acl UsuariosBloquearIMs proxy_auth_regex "/opt/catfish/etc/rules/src/UsuariosBloquearIMs" acl UsuariosLiberarIMs proxy_auth_regex "/opt/catfish/etc/rules/src/UsuariosLiberarIMs" acl IPAcessoDefinidoNegado src "/opt/catfish/etc/rules/src/IPAcessoDefinidoNegado" acl IPAcessoDefinidoHorarioDeAlmoco src "/opt/catfish/etc/rules/src/IPAcessoDefinidoHorarioDeAlmoco" acl IPAcessoDefinidoLiberado src "/opt/catfish/etc/rules/src/IPAcessoDefinidoLiberado" acl UsuariosNegados proxy_auth_regex "/opt/catfish/etc/rules/src/UsuariosNegados" acl UsuariosHorarioDeAlmoco proxy_auth_regex "/opt/catfish/etc/rules/src/UsuariosHorarioDeAlmoco" acl UsuariosLiberados proxy_auth_regex "/opt/catfish/etc/rules/src/UsuariosLiberados" acl IPAcessoPadraoHorarioDeAlmoco src "/opt/catfish/etc/rules/src/IPAcessoPadraoHorarioDeAlmoco" acl IPAcessoPadraoLiberado src "/opt/catfish/etc/rules/src/IPAcessoPadraoLiberado" acl IPAcessoPadraoNegado src "/opt/catfish/etc/rules/src/IPAcessoPadraoNegado" acl InstantMessengersAllow url_regex "/opt/catfish/etc/rules/url_regex/InstantMessengersAllow" acl InstantMessengers url_regex "/opt/catfish/etc/rules/url_regex/InstantMessengers" acl SitesNoauth url_regex "/opt/catfish/etc/rules/url_regex/SitesNoauth" acl IPAcessoLiberarIMs src "/opt/catfish/etc/rules/src/IPAcessoLiberarIMs" acl IPAcessoBloquearIMs src "/opt/catfish/etc/rules/src/IPAcessoBloquearIMs" acl SitesBloqueados url_regex "/opt/catfish/etc/rules/url_regex/SitesBloqueados" acl SitesPermitidos url_regex "/opt/catfish/etc/rules/url_regex/SitesPermitidos" acl HorarioDeAlmoco time "/opt/catfish/etc/rules/time/HorarioDeAlmoco" acl LiberarEnderecosInternos src "/opt/catfish/etc/rules/src/LiberarEnderecosInternos" ### /bagre acls # acl's para sites acl RedeInterna url_regex "/opt/catfish/etc/auth/rules/RedeInterna" acl Excessoes url_regex 
"/opt/catfish/etc/auth/rules/Excessoes" # malware block list acl malware_block_list url_regex -i "/opt/catfish/etc/rules/url_regex/malware_block_list.txt" no_cache deny QUERY http_access allow manager localhost http_access deny manager http_access deny !Safe_ports http_access deny CONNECT !SSL_ports ###alterado snmp_access allow snmppublic localhost snmp_access allow snmppublic gerenciador snmp_access deny all snmp_port 3420 snmp_incoming_address 0.0.0.0 snmp_outgoing_address 0.0.0.0 http_access allow Todos Excessoes free http_access allow Excessoes freeip http_access allow LiberarIMsauth InstantMessengersAllow http_access deny malware_block_list ### bagre rules http_access allow UsuariosLiberarIMs InstantMessengersAllow http_access deny UsuariosBloquearIMs InstantMessengers http_access allow IPAcessoLiberarIMs InstantMessengersAllow http_access deny IPAcessoBloquearIMs InstantMessengers http_access deny SitesBloqueados http_access allow SitesPermitidos http_access deny IPAcessoDefinidoNegado http_access allow IPAcessoDefinidoHorarioDeAlmoco HorarioDeAlmoco http_access deny IPAcessoDefinidoHorarioDeAlmoco http_access allow IPAcessoDefinidoLiberado http_access deny UsuariosNegados allUsuariosNegados http_access allow UsuariosHorarioDeAlmoco HorarioDeAlmoco http_access deny UsuariosHorarioDeAlmoco allUsuariosHorarioDeAlmoco http_access allow UsuariosLiberados http_access allow IPAcessoPadraoLiberado http_access allow IPAcessoPadraoHorarioDeAlmoco HorarioDeAlmoco http_access deny IPAcessoPadraoHorarioDeAlmoco http_access deny IPAcessoPadraoNegado http_access allow LiberarEnderecosInternos ### /bagre rules deny_info IP_HORARIO_IMPROPIO IPAcessoDefinidoHorarioDeAlmoco IPAcessoPadraoHorarioDeAlmoco deny_info USUARIO_HORARIO_IMPROPIO allUsuariosHorarioDeAlmoco deny_info ERR_USR_ACCESS_DENIED allUsuariosNegados deny_info MALWARE malware_block_list http_reply_access allow all icp_access allow all cache_effective_user squid cache_mgr cachemgr@xxxxxxxxxxxx maximum_object_size 
4096 KB access_log /var/log/squid/access.log squid logfile_rotate 5 error_directory /usr/share/squid/errors/Myerrors cache_dir ufs /var/spool/squid 4096 16 256 cache_mem 4096 MB half_closed_clients off cache deny all

Problem: Everything works fine, except that with Kerberos authentication the system load reaches 1000 and keeps increasing, which results in slow responses from the proxy server to users. With only NTLM authentication (the Kerberos authentication line commented out), the load is no more than 2, and the proxy server responds to users quickly. CPU utilization is always low, and the kernel uses no swap. In my test environment, with 20 users, I always get fast responses. The problem occurs when I put the server into production. What is happening with Kerberos authentication?

-- "Computers are like air-conditioners. They stop working when you open Windows." BillieGDJoe