thanxs,
our assumption is, that it is related to helper management. with 3.4. there is a "new helper protocol", right?
our environment worked with 3.2 without problems. now with the jump to 3.4. it will not work anymore. so number of requests are somehow important but as it worked in the past...
if we go without ntlm_auth we can't see any high cpu load. so the first thought ACL and eg. regex problems can be
discarded. maybe there are some cross influences. but we think it lies somewhere in helpers/auth.
we switched to 3.4 for two reasons:
1) we have a squid-hierarchy setup where user proxy talks to 4 parent proxies in a load balancer way. in the past we could switch of one of the parents and everything still was working. with 3.2. as soon as one of the four parents was missing internet access gets slower and slower. with 3.4. it is working.
2) 3.3. was no option as it hat problems with ACL and access internet sites with their ip-adresses. we have a couple of acls where we choose the right route (intranet/extranet/internet). in the past we could do www.google.de and http://173.194.35.184. but with 3.3 the ip-address didn't work anymore.
3) so this was the reason to jump from 3.2/3.1 to 3.4
> -----Ursprüngliche Nachricht-----
> Von: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
> Gesendet: Montag, 6. Januar 2014 22:02
> An: squid-users_at_squid-cache.org
> Betreff: Re: [squid-users] squid 3.4. uses 100% cpu with ntlm_auth
>
> On 2014-01-07 01:52, Rietzler, Markus (RZF, SG 324 /
> <RIETZLER_SOFTWARE>) wrote:
> > hi,
> > we have switched from squid 3.2.x to 3.4.2. in our environment we are
> > using squid with the ntlm_auth helper to do NTLM user auth against
> > windows DC.
> > after switching to squid 3.4.1 squid uses nearly 100% cpu after a few
> > minutes. with squid 3.2.x everythings worked well.
> >
> > auth_param ntlm program /usr/bin/ntlm_auth
> > --helper-protocol=squid-2.5-ntlmssp
> > auth_param ntlm children 96 startup=24 idle=12
> > auth_param ntlm keep_alive on
> >
> > auth_param basic program /usr/bin/ntlm_auth
> > --helper-protocol=squid-2.5-basic
> > auth_param basic children 5 startup=2 idle=1
> > auth_param basic realm Internet-Zugriff [Benutzername/Kennwort aus BK]
> > Nutzung des Internets nur zum Dienstgebrauch!
> > auth_param basic credentialsttl 2 hours
> > auth_param basic casesensitive off
> >
> >
> > we have compiled with smp-support but at the moment using squid only
> > with one worker, Kerberos support is compiled in but not used in
> > squid.conf
> > no negotiate configs in squid. is this enough or should we try without
> > negotiate support, could this influence and cause this troubles?
> >
> > Squid Cache: Version 3.4.2
> > configure options: '--enable-auth-basic=MSNT,SMB'
> > '--enable-auth-basic' '--enable-auth-ntlm'
> > '--enable-auth-negotiate=kerberos' '--enable-delay-pools'
> > '--enable-follow-x-forwarded-for' '--enable-removal-policies=lru,heap'
> > '--with-filedescriptors=4096' '--with-winbind' '--with-async-io'
> > '--enable-storeio=ufs,aufs,diskd,rock' '--disable-ident-lookups'
> > '--prefix=/rzf/produkte/www/squid' '--enable-underscores'
> > '--with-large-files'
> > 'PKG_CONFIG_PATH=/opt/gnome/lib64/pkgconfig:/opt/gnome/share/pkgconfig'
> > --enable-ltdl-convenience
> >
> > /usr/bin/ntlm_auth -V
> > Version 3.6.3-0.39.1-3012-SUSE-CODE11-x86_64
> >
> >
> >
> > we do not use wbinfo_group we only need the username. all users are
> > allowed to surf the internet, there are some "groups" but they are
> > retrieved "external" as they also are used in ufdbguard to filter some
> > categories. so only ntlm_auth for username is needed and used.
> >
> > we only have short testet squid 3.3., because there we had the
> > problem, that the internet access to sites with ip-address didn't work
> > or are routed the wrong way (but that is another story, not related to
> > this one).
> >
> > so the problem is, that with squid 3.4.2 the cpu usage rises to 100%.
> > after squid -k reconfigure the cpu-usage drops but then after a fiew
> > minutes rises again to 100%.
> >
> > so where to look? I have tried debug_options 82,9 but now further
> > information in cache.log
>
> Section 82 is specific to the external_acl_typ helpers. Please use ALL,9
> on the cache log trace if possible. It may be something unrelated to
> auth (section 29) or helpers (section 84).
>
> Possibly strace may be of some use at the point where CPU is loaded to
> see what system calls are being used (if any).
>
> Amos
Received on Tue Jan 07 2014 - 09:21:56 MST
This archive was generated by hypermail 2.2.0 : Wed Jan 08 2014 - 12:00:04 MST