Amos,

so what could be causing so much load on the CPU? When I run top I can see there's no swap, and squid_kerb_auth is the process that causes this high CPU usage. Is there any way I can check this helper? Here, down below, is my squid.conf. I hope you can shed some light, because I don't believe Squid runs at such poor speed.

auth_param negotiate program /etc/squid/squid-3.1.16/helpers/negotiate_auth/squid_kerb_auth/squid_kerb_auth -s HTTP/trotsky.redecamara.camara.gov.br
auth_param negotiate children 4
auth_param negotiate keep_alive on

# External ACLs to look up the group based on Kerberos.
external_acl_type squid_kerb_ldap ttl=3600 negative_ttl=3600 %LOGIN /etc/squid/squid-3.1.16/squid_kerb_ldap/squid_kerb_ldap -S californio.redecamara.camara.gov.br -g Internet@xxxxxxxxxxxxxxxxxxxxxxxx

visible_hostname trotsky.redecamara.camara.gov.br
dns_nameservers 10.1.3.5
hierarchy_stoplist cgi-bin ?

#acl liberados dstdomain "/etc/squid/liberados.txt"
acl ldap_group_check external squid_kerb_ldap
acl AUTENTICADO proxy_auth REQUIRED
http_access allow ldap_group_check

# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
#acl teste external Internet teste

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network

acl SSL_ports port 443
acl SSL_ports port 1863
acl SSL_ports port 563
acl SSL_ports port 465
acl SSL_ports port 995
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 563 # https
acl Safe_ports port 465 # https
acl Safe_ports port 995 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
acl INTRANET dst 10.0.0.0/8
acl EXE urlpath_regex -i \.exe$
acl ZIP urlpath_regex -i \.zip$
acl ARJ urlpath_regex -i \.arj$
acl MP3 urlpath_regex -i \.mp3$
acl RAR urlpath_regex -i \.rar$
acl GZ urlpath_regex -i \.gz$
acl ISO1 urlpath_regex -i \.iso\?+$
acl EXE1 urlpath_regex -i \.exe\?+$
acl ZIP1 urlpath_regex -i \.zip\?+$
acl ARJ1 urlpath_regex -i \.arj\?+$
acl MP31 urlpath_regex -i \.mp3\?+$
acl RAR1 urlpath_regex -i \.rar\?+$
acl GZ1 urlpath_regex -i \.gz\?+$
http_access allow INTRANET
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

cache_store_log none
maximum_object_size 16384 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 50 KB
cache_swap_low 95
cache_swap_high 98
ipcache_size 6000
ipcache_low 90
ipcache_high 92
fqdncache_size 6000
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
half_closed_clients off
memory_pools off
cache_dir diskd /cache/squid 10000 64 256 Q1=64 Q2=72
cache_mem 2048 MB

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
max_filedescriptors 1024

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

Regards,
Wladner

2011/12/20 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
> On 21/12/2011 3:03 a.m., Wladner Klimach wrote:
>>
>> But the problem is that I'm not running IPv6 in my network. That's why
>
> "Welcome to your IPv6 enabled transit network. Whether you like it, or not."
> - Rob Issac, 2008.
> (http://www.ausnog.net/files/ausnog-03/presentations/ausnog03-ward-IPv6_enabled_network.pdf)
>
> Try with -n parameter to lsof. You might get a surprise.
>
> The TCP "hybrid" stack can use IPv6 sockets for IPv4 traffic, this may also
> be what you are seeing. Squid-3.1+ will detect stack types and use this
> optimization for receiving ports if it can.
>
>
>> I've asked if this could be a problem. And the CPU usage hitting 99%
>> with only one user? Does it look like hardware limitation? When I'm
>> not using authentication, the CPU usage doesn't hit 50%.
>
>
> Unlikely with one user.
>
> All Squid does for auth is take the tokens out of HTTP headers and relay it
> to the auth backend. Then add the backend's reply token to the HTTP response
> for the client. Very minimal CPU operations in Squid, unknown amount in the
> backend. Maybe (max) 32KB of token copied each way, plus the HTTP bits.
>
> Amos
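
Added example, not part of the original thread and not Squid's or the helper's own code: a sketch of the relay step described in the reply above, taking a Negotiate credential out of a header value, checking it against the 32KB bound mentioned there, and building the line a negotiate helper reads on stdin. It goes slightly beyond the thread by also reporting whether the token looks like NTLM or GSSAPI. Assumptions: the `YR` request prefix (Squid's negotiate helper protocol, not stated in the thread), the function names, and the constructed sample tokens.

```python
import base64
import binascii

MAX_TOKEN_BYTES = 32 * 1024  # upper bound mentioned in the reply above

def extract_token(header_value):
    """Decode the token from a 'Negotiate <base64>' credential."""
    scheme, _, blob = header_value.strip().partition(" ")
    blob = blob.strip()
    if scheme.lower() != "negotiate" or not blob:
        raise ValueError("not a Negotiate credential")
    try:
        token = base64.b64decode(blob, validate=True)
    except binascii.Error as exc:
        raise ValueError("token is not valid base64") from exc
    if len(token) > MAX_TOKEN_BYTES:
        raise ValueError("token exceeds %d bytes" % MAX_TOKEN_BYTES)
    return token

def classify(token):
    """Guess the mechanism from the leading bytes of the token."""
    if token.startswith(b"NTLMSSP\x00"):
        return "ntlm"      # NTLM message, not a Kerberos ticket
    if token[:1] == b"\x60":
        return "gssapi"    # ASN.1 [APPLICATION 0]: SPNEGO or raw Kerberos
    return "unknown"

def helper_request(header_value):
    """Build the 'YR <token>' line for the helper's stdin, plus token facts."""
    token = extract_token(header_value)
    line = "YR " + base64.b64encode(token).decode("ascii")  # assumed protocol prefix
    return {"kind": classify(token), "size": len(token), "line": line}

# Constructed sample tokens (leading bytes only, not valid credentials).
SAMPLE_NTLM = b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2"
SAMPLE_GSS = b"\x60\x82\x01\x00\x06\x06\x2b\x06\x01\x05\x05\x02" + b"\x00" * 20

def sample_header(token):
    """Wrap raw token bytes as a header value, for the samples above."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")

if __name__ == "__main__":
    for tok in (SAMPLE_NTLM, SAMPLE_GSS):
        info = helper_request(sample_header(tok))
        print(info["kind"], info["size"], info["line"][:24] + "...")
```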