Hi Guys,
After two weeks successful running several authentication in my development environment with average 10-20 users, i encourage myself to put in my production. it was up and ran with +-1000 users but only took 3-5 hours then squid suddenly stopped with error:
2015/03/06 15:07:59| negotiate_wrapper: fgets() failed! dying..... errno=1 (Operation not permitted)
2015/03/06 15:07:59| negotiate_wrapper: fgets() failed! dying..... errno=1 (Operation not permitted)
2015/03/06 15:07:59| negotiate_wrapper: fgets() failed! dying..... errno=1 (Operation not permitted)
2015/03/06 15:07:59| negotiate_wrapper: Return 'AF oYG2MIGzoAMKAQChCwYJKoZIhvcSAQICooGeBIGbYIGYBgkqhkiG9xIBAgICAG+BiDCBhaADAgEFoQMCAQ+ieTB3oAMCARKicARupdwIysaz6zjRSqsI8V4K0X67z4t5a9aOT7WPlyWRrp+1ol2zL6CYTcfZIyAq8q3D00mf+vpIeoiDDmkUkr+vXN+xkpXkWdX5pMD1hBrF4EDOL1RIp9XjpkdfIcEgg8Oia0Ay153sPK3+Tif4bGE= RickyC@company.local
'
2015/03/06 15:07:59| negotiate_wrapper: Return 'AF oYG1MIGyoAMKAQChCwYJKoZIhvcSAQICooGdBIGaYIGXBgkqhkiG9xIBAgICAG+BhzCBhKADAgEFoQMCAQ+ieDB2oAMCARKibwRtX5xuxTxrgsKQpg3Y+kUXLOng15XJ7eDByao5YtNPZByv/zRtrz13QgKkCuk+VkXnCAzaii0ri4Mxvd+4BoskIrjf5FuPP3W59wMTCtkPJD85igR/OmQ4Ch09DJ51WGwnOizMuCW+9jg6EsFa1Q== JanTS@company.local
i use ubuntu server 14.04 with newest squid 3.5.2
Squid Cache: Version 3.5.2
Service Name: squid
configure options: '--enable-build-info' '--enable-removal-policies=lru,heap' '--enable-ltdl-install' '--enable-storeio=ufs,aufs,rock' '--enable-auth-basic=LDAP' '--enable-auth-negotiate=wrapper,kerberos' '--enable-external-acl-helpers=LDAP_group' '--enable-translation' '--enable-ssl-crtd' '--enable-gnuregex' '--enable-xmalloc-debug' '--enable-xmalloc-debug-trace' '--enable-xmalloc-statistics' '--enable-async-io' '--enable-icmp' '--enable-delay-pools' '--enable-useragent-log' '--enable-kill-parent-hack' '--enable-htpc' '--enable-forw-via-db' '--enable-cache-digests' '--enable-underscores' '--enable-x-accelerator-vary' '--enable-esi' '--enable-inline' '--enable-linux-netfilter' '--with-openssl' '--with-large-files'
here is my squid.conf:
# ===================== ACL Cachemgr ============================================
acl manager url_regex -i ^cache_object:// /squid-internal-mgr/
acl managerAdmin src "/usr/local/squid/etc/mgradmin.txt"
acl stream url_regex -i "/usr/local/squid/etc/stream"
acl download url_regex -i "/usr/local/squid/etc/download"
acl whitelist url_regex -i "/usr/local/squid/etc/whitelist"
acl blacklist url_regex -i "/usr/local/squid/etc/blacklist"
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl http proto http
acl CONNECT method CONNECT
# ==================== Authenticate using negotiate_wrapper =====================
auth_param negotiate program /usr/local/squid/libexec/negotiate_wrapper_auth -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --kerberos /usr/local/squid/libexec/negotiate_kerberos_auth -s GSS_C_NO_NAME
auth_param negotiate children 50 startup=0 idle=1
auth_param negotiate keep_alive off
# ==================== Authenticate using NTLM ==================================
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 20 startup=0 idle=1
auth_param ntlm keep_alive off
# ==================== Authenticate using Basic LDAP ============================
auth_param basic program /usr/local/squid/libexec/basic_ldap_auth -R -b "dc=company,dc=local" -D squid@company.local -w "password" -f sAMAccountName=%s -h idhqvdc01.company.local,idhqvdc02.company.local
auth_param basic children 5 startup=0 idle=1
auth_param basic realm AGDS Proxy: Please enter your username and password domain
auth_param basic credentialsttl 1 minute
# ==================== Authenticate to Group Security Actice Directory ==========
external_acl_type memberof ipv4 children-max=10 children-startup=1 %LOGIN /usr/local/squid/libexec/ext_ldap_group_acl -R -K -S -b "dc=company,dc=local" -D squid@company.local -w "password" -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=CN=%g,ou=groups,ou=resources,dc=company,dc=local))" -h idhqvdc01.company.local,idhqvdc02.company.local
acl auth proxy_auth REQUIRED
# ==================== ACL Access hour user =====================================
acl ach1 external memberof "/usr/local/squid/etc/ach1.txt" # access hour 1
acl ach2 external memberof "/usr/local/squid/etc/ach2.txt" # access hour 2
acl ach3 external memberof "/usr/local/squid/etc/ach3.txt" # access hour 3
acl ach4 external memberof "/usr/local/squid/etc/ach4.txt" # access hour 4
acl ach2time time D 10:00-11:59
acl ach2time time D 13:00-14:59
acl ach3time time D 08:00-09:59
acl ach3time time D 15:00-16:59
acl ach4time time D 08:00-16:59
acl bebastime time D 00:01-07:59 12:00-13:59 17:00-23:59
# ==============================================================================
http_access deny !Safe_ports # Deny requests to certain unsafe ports
http_access deny CONNECT !SSL_ports # Deny CONNECT to other than secure SSL ports
http_access allow manager localhost # Only allow cachemgr access from localhost
http_access allow manager managerAdmin
http_access deny manager
# ==============================================================================
#http_access allow localnet
http_access allow localhost
http_access deny blacklist !bebastime
http_access allow http Safe_ports whitelist
http_access allow CONNECT SSL_ports whitelist
#http_access deny all !auth
#http_access allow http Safe_ports ach1
#http_access allow CONNECT SSL_ports ach1
#http_access allow http Safe_ports ach2 !ach2time
#http_access allow CONNECT SSL_ports ach2 !ach2time
#http_access allow http Safe_ports ach3 !ach3time
#http_access allow CONNECT SSL_ports ach3 !ach3time
#http_access allow http Safe_ports ach4 !ach4time
#http_access allow CONNECT SSL_ports ach4 !ach4time
#http_access allow accesshours1
#http_access allow accesshours2 !ach2time
#http_access allow accesshours3 !ach3time
#http_access allow accesshours4 !ach3time
http_access allow ach1
http_access allow ach2 !ach2time
http_access allow ach3 !ach3time
http_access allow ach4 !ach4time
http_access deny all # Deny all other access to this proxy
# ==============================================================================
cache_dir rock /cache1/squid 97485 max-swap-rate=200 swap-timeout=300
cache_dir rock /cache2/squid 97485 max-swap-rate=200 swap-timeout=300
coredump_dir /usr/local/squid/var/cache/squid
# =============================== Refresh Pattern ==============================
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_effective_user proxy
visible_hostname proxy.company.local
cache_mgr proxyastragraphia
cachemgr_passwd secret all
#err_page_stylesheet /usr/local/squid/etc/default.css
pinger_enable off
#workers 2
i was tried to put different acl and put my auth_param at the top of my conf but still dying error. what should i do?
any assistant or hint would be very appreciate. thanks
Donny Vibianto
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users