Can you try to disable the replay cache as described here and let me know
the load please ?
Thank you
Markus
"Billie Joe" <billiegdjoe@xxxxxxxxx> wrote in message
news:AANLkTi=ZU4Qs-rBjxDeuvyYQbokxJ0j1Aw+fx+EpMQQc@xxxxxxxxxxxxxxxxx
Hi Folks,
Here it is:
Hardware specs:
HP DL160G6, 8GB RAM, 2 SAS 146GB 15K RPM RAID01
SO specs:
Centos 5.5 X86-64 - 2.6.18-194.8.1.el5
Windows Server 2003 R2 (AD)
Packages:
squid-2.6.STABLE21-6.el5
krb5-libs-1.6.1-36.el5_5.5
pam_krb5-2.2.14-15
pam_krb5-2.2.14-15
krb5-libs-1.6.1-36.el5_5.5
krb5-workstation-1.6.1-36.el5_5.5
squid.conf:
visible_hostname hostname.domain
http_port 3128
icp_port 3130
hierarchy_stoplist cgi-bin ?
### no auth
acl RepoNoauth url_regex "/opt/catfish/etc/rules/url_regex/RepoNoauth"
acl Servidores src "/opt/catfish/etc/rules/src/Servidores"
http_access allow Servidores RepoNoauth
auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -s
HTTP/hostname.domain
auth_param negotiate children 1500
auth_param negotiate keep_alive on
auth_param ntlm program
/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 50
authenticate_ttl 12 hours
auth_param ntlm keep_alive on
auth_param basic program
/usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Cluster Proxy
auth_param basic credentialsttl 2 hours
negative_ttl 10 seconds
cache_store_log none
max_filedesc 32768
cache_swap_high 96
strip_query_terms off
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl QUERY urlpath_regex cgi-bin \?
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 21 70 80 81 82 85 88 89 90 100 210 280 333 443 488
563 591 777 800-65535
acl CONNECT method CONNECT
acl HEAD method HEAD
### alterado
acl Safe_ports port 21 70 80 81 82 83 85 88 89 90 100 210 280 333 443
488 563 591 777 800-65535
acl all src 0.0.0.0-255.255.255.255
acl allUsuariosHorarioDeAlmoco src 0.0.0.0-255.255.255.255
acl allUsuariosNegados src 0.0.0.0-255.255.255.255
acl snmppublic snmp_community public
acl gerenciador src 127.0.0.0/8 10.96.156.0/24 10.8.1.0/24 10.96.210.0/24
delay_pools 3
### alguns sites lentos
### gnutela
acl portaslentas port 6346 1214
delay_class 1 1
delay_access 1 allow portaslentas
delay_parameters 1 666/666
### filmes
acl sitesdefilme url_regex "/opt/catfish/etc/rules/url_regex/SitesFilmes"
acl extensoesdefilmes urlpath_regex -i \.avi \.mpg \.mpeg \.mov
delay_class 2 2
delay_access 2 allow sitesdefilme
delay_parameters 2 -1/-1 10000/10000 5000/5000
### Toledo
acl filmesemusicas urlpath_regex -i \.avi \.mpg \.mpeg \.mp3 \.mov
acl rangetoledo src 10.194.0.0-10.194.255.255
delay_class 3 1
delay_access 3 allow filmesemusicas rangetoledo
delay_parameters 3 666/666
# expanions ilha consulta
acl Expanion url_regex "/opt/catfish/etc/rules/url_regex/Expanion"
acl IPExpanion src "/opt/catfish/etc/rules/src/IPExpanion"
http_access allow IPExpanion Expanion
http_access deny all IPExpanion
# sites com acesso permitido sem autenticar
acl SitesNoauth url_regex "/opt/catfish/etc/rules/url_regex/SitesNoauth"
http_access allow all SitesNoauth
always_direct allow SitesNoauth
http_access allow HEAD SitesNoauth
# skype liberar
acl skype_port port 443
acl connect_skype method CONNECT
acl LiberarSkype src "/opt/catfish/etc/rules/src/IPAcessoLiberarIMs"
http_access allow LiberarSkype skype_port connect_skype
# acl's para logins
acl Todos proxy_auth REQUIRED
acl free proxy_auth_regex "/opt/catfish/etc/auth/rules/free"
acl freeip src "/opt/catfish/etc/auth/rules/freeip"
acl LiberarIMsauth proxy_auth_regex
"/opt/catfish/etc/rules/src/UsuariosLiberarIMs"
### bagre acls
acl UsuariosBloquearIMs proxy_auth_regex
"/opt/catfish/etc/rules/src/UsuariosBloquearIMs"
acl UsuariosLiberarIMs proxy_auth_regex
"/opt/catfish/etc/rules/src/UsuariosLiberarIMs"
acl IPAcessoDefinidoNegado src
"/opt/catfish/etc/rules/src/IPAcessoDefinidoNegado"
acl IPAcessoDefinidoHorarioDeAlmoco src
"/opt/catfish/etc/rules/src/IPAcessoDefinidoHorarioDeAlmoco"
acl IPAcessoDefinidoLiberado src
"/opt/catfish/etc/rules/src/IPAcessoDefinidoLiberado"
acl UsuariosNegados proxy_auth_regex
"/opt/catfish/etc/rules/src/UsuariosNegados"
acl UsuariosHorarioDeAlmoco proxy_auth_regex
"/opt/catfish/etc/rules/src/UsuariosHorarioDeAlmoco"
acl UsuariosLiberados proxy_auth_regex
"/opt/catfish/etc/rules/src/UsuariosLiberados"
acl IPAcessoPadraoHorarioDeAlmoco src
"/opt/catfish/etc/rules/src/IPAcessoPadraoHorarioDeAlmoco"
acl IPAcessoPadraoLiberado src
"/opt/catfish/etc/rules/src/IPAcessoPadraoLiberado"
acl IPAcessoPadraoNegado src
"/opt/catfish/etc/rules/src/IPAcessoPadraoNegado"
acl InstantMessengersAllow url_regex
"/opt/catfish/etc/rules/url_regex/InstantMessengersAllow"
acl InstantMessengers url_regex
"/opt/catfish/etc/rules/url_regex/InstantMessengers"
acl SitesNoauth url_regex "/opt/catfish/etc/rules/url_regex/SitesNoauth"
acl IPAcessoLiberarIMs src "/opt/catfish/etc/rules/src/IPAcessoLiberarIMs"
acl IPAcessoBloquearIMs src
"/opt/catfish/etc/rules/src/IPAcessoBloquearIMs"
acl SitesBloqueados url_regex
"/opt/catfish/etc/rules/url_regex/SitesBloqueados"
acl SitesPermitidos url_regex
"/opt/catfish/etc/rules/url_regex/SitesPermitidos"
acl HorarioDeAlmoco time "/opt/catfish/etc/rules/time/HorarioDeAlmoco"
acl LiberarEnderecosInternos src
"/opt/catfish/etc/rules/src/LiberarEnderecosInternos"
### /bagre acls
# acl's para sites
acl RedeInterna url_regex "/opt/catfish/etc/auth/rules/RedeInterna"
acl Excessoes url_regex "/opt/catfish/etc/auth/rules/Excessoes"
# malware block list
acl malware_block_list url_regex -i
"/opt/catfish/etc/rules/url_regex/malware_block_list.txt"
no_cache deny QUERY
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
###alterado
snmp_access allow snmppublic localhost
snmp_access allow snmppublic gerenciador
snmp_access deny all
snmp_port 3420
snmp_incoming_address 0.0.0.0
snmp_outgoing_address 0.0.0.0
http_access allow Todos Excessoes free
http_access allow Excessoes freeip
http_access allow LiberarIMsauth InstantMessengersAllow
http_access deny malware_block_list
### bagre rules
http_access allow UsuariosLiberarIMs InstantMessengersAllow
http_access deny UsuariosBloquearIMs InstantMessengers
http_access allow IPAcessoLiberarIMs InstantMessengersAllow
http_access deny IPAcessoBloquearIMs InstantMessengers
http_access deny SitesBloqueados
http_access allow SitesPermitidos
http_access deny IPAcessoDefinidoNegado
http_access allow IPAcessoDefinidoHorarioDeAlmoco HorarioDeAlmoco
http_access deny IPAcessoDefinidoHorarioDeAlmoco
http_access allow IPAcessoDefinidoLiberado
http_access deny UsuariosNegados allUsuariosNegados
http_access allow UsuariosHorarioDeAlmoco HorarioDeAlmoco
http_access deny UsuariosHorarioDeAlmoco allUsuariosHorarioDeAlmoco
http_access allow UsuariosLiberados
http_access allow IPAcessoPadraoLiberado
http_access allow IPAcessoPadraoHorarioDeAlmoco HorarioDeAlmoco
http_access deny IPAcessoPadraoHorarioDeAlmoco
http_access deny IPAcessoPadraoNegado
http_access allow LiberarEnderecosInternos
### /bagre rules
deny_info IP_HORARIO_IMPROPIO IPAcessoDefinidoHorarioDeAlmoco
IPAcessoPadraoHorarioDeAlmoco
deny_info USUARIO_HORARIO_IMPROPIO allUsuariosHorarioDeAlmoco
deny_info ERR_USR_ACCESS_DENIED allUsuariosNegados
deny_info MALWARE malware_block_list
http_reply_access allow all
icp_access allow all
cache_effective_user squid
cache_mgr cachemgr@xxxxxxxxxxxx
maximum_object_size 4096 KB
access_log /var/log/squid/access.log squid
logfile_rotate 5
error_directory /usr/share/squid/errors/Myerrors
cache_dir ufs /var/spool/squid 4096 16 256
cache_mem 4096 MB
half_closed_clients off
cache deny all
Problem:
Everything works fine, except because the load of system gets 1000 and
keeps increasing when using Kerberos authentication which results in a
slow response from proxy server to users. When using only ntlm
authentication (commented the line of Kerberos authentication), the
load is no more than 2, which results in a fast response of proxy
server to users. CPU utilization is always low. No swap utilization by
kernel. In my environment test, with 20 users I always get fast
responses. The problem occurs when I put the server in production.
What is happening with Kerberos authentication ?
--
"Computers are like air-conditioners.
They stop working when you open Windows."
BillieGDJoe