Search squid archive

Re: [Troubleshoot] Squid 3.3 - Lots of 403 erros when reducing the workers number

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 9/8/22 10:15, Xavier Lecluse wrote:


We are using two squid proxies (Squid 3.3)
Squid v3 is not officially supported. My answers below may apply to Squid v3, but they are based on Squid v5+. 



In order to address some issues with Java clients, we tried to lower
the worker directive from 8 to 1, because of the relative low number
of simultaneous connections on our SSquid servers (about 100rq/s) After reducing the worker value to 1, and restarting the proxies, we 
observed a great number of 403 errors, so we decided to rollback to 8
workers.



- How the number of workers and these 403 errors can be correlated ?
I do not know the exact correlation vector in your environment, but fewer workers means, among other things, smaller _aggregate_ authentication cache size and higher load on individual authentication helpers. To pinpoint the correlation, we would need to know _why_ Squid is generating 403 (Forbidden) errors. 



- Is there any "recommandations" about the number of workers to use,
for a given number of request/s ?
Workers are primarily a performance optimization. For related tuning suggestions, please see https://wiki.squid-cache.org/Features/SmpScale#How_to_configure_SMP_Squid_for_top_performance.3F 



The inital problem is from some java clients, which are using two TCP
sessions, one for the authentication, and another one for the HTTP(s)
requests. The fact is that the "second" session is not always opened
on the same worker, so ot considers that the authentication step has
not already been done.



Is there a way to address this issue ?
If (a request on) the second connection has enough information to link it to the first/authenticated request/connection, then it may be possible to configure Squid and write authentication helpers in such a way that the "other" worker knows that the client of the second connection has already authenticated. The details would depend on the authentication scheme and that "linking" mechanism. 


HTH,

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux