<div dir="ltr"><div>Hi Amos,<br><br></div>regrets, I am late. <br><div><div><div><div class="gmail_extra"><br><div class="gmail_quote">On 21 April 2015 at 09:15, Amos Jeffries <span dir="ltr"><<a href="mailto:squid3@treenet.co.nz" target="_blank">squid3@treenet.co.nz</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="">On 20/04/2015 7:31 p.m., Jagannath Naidu wrote:<br>
> Hi,<br>
><br>
> I am having this issue very frequently. Please help on this.<br>
><br>
> I get these errors randomly, mostly when usage is at very peak. (800 users)<br>
><br>
><br>
> /var/log/squid/cache.log<br>
><br>
> 2015/04/20 12:37:40| externalAclLookup: 'wbinfo_group_helper' queue<br>
> overload (ch=0x7fc99e2ce518)<br>
<br>
</span>What do you think "overload" means?<br>
The helper is unable to cope with the traffic load being passed to it.<br>
<br>
Here is the biggest hint:<br>
<span class="">><br>
> in /var/log/messages, I get the following errors<br>
><br>
> pr 20 12:59:15 GGNPROXY01 winbindd[1910]: winbindd: Exceeding 200 client<br>
> connections, no idle connection found<br>
<br>
<br>
<br>
<br>
</span><span class="">> Then squid stops working. For squid to start work again, I have to dlete<br>
> the cache and restart the squid "squid -k reconfigure", and then squid<br>
> restart.<br>
<br>
</span>What Squid version are you using?<br>
<span class=""><br></span></blockquote><div>my squid version squid-3.1.10-19.el6_4.x86_64<br><br> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="">
><br>
> squid.conf<br>
><br>
> max_filedesc 17192<br>
> acl manager proto cache_object<br>
> acl localhost src <a href="http://172.16.50.61/24" target="_blank">172.16.50.61/24</a><br>
<br></span></blockquote><div>changed to "acl localhost src <span class="">172.16.50.6<u>1</u>" </span>already<br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="">
</span>You have an entire /24 (256 IPs) assigned to this machine?<br>
<br>
I think you need to remove that "/24" part if the *.61 is the local<br>
machine's *public* IP.<br>
<span class=""><br>
<br>
> http_access allow manager localhost<br>
> dns_nameservers 172.16.3.34 10.1.2.91<br>
> acl allowips src 172.16.58.187 172.16.16.192 172.16.58.113 172.16.58.63<br>
> 172.16.58.98 172.16.60.244 172.16.58.165 172.16.58.157<br>
> http_access allow allowips<br>
<br>
> auth_param basic realm Squid proxy-caching web server<br>
> auth_param basic credentialsttl 2 hours external_acl_type nt_group ttl=0<br>
> children=60 %LOGIN /usr/lib64/squid/<a href="http://wbinfo_group.pl" target="_blank">wbinfo_group.pl</a><br>
<br>
</span>The above two very mangled config lines are useless. Remove them.<br>
<br>
> acl localnet src <a href="http://172.16.0.0/24" target="_blank">172.16.0.0/24</a><br></blockquote><div><br><br></div><div>changed <br></div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
It's a bit strange that none of the localhost machine IPs<br>
(172.16.50.0-172.16.50.255) are part of the LAN it's plugged into<br>
172.16.0.0-172.16.0.255.<br>
<span class=""><br>
<br>
> acl localnet src fc00::/7 # RFC 4193 local private network range<br>
> acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines<br>
> auth_param ntlm program /usr/bin/ntlm_auth --diagnostics<br>
> --helper-protocol=squid-2.5-ntlmssp --domain=<a href="http://HTMEDIA.NET" target="_blank">HTMEDIA.NET</a><br>
<br>
</span>Okay you have configured NTLM...<br>
<span class=""><br>
> auth_param ntlm program /usr/bin/ntlm_auth<br>
> --helper-protocol=squid-2.5-ntlmssp --domain=<a href="http://HTMEDIA.NET" target="_blank">HTMEDIA.NET</a><br>
<br>
</span>... but twice. With different settings. Only these last ones will have<br>
any effect.<br>
<span class=""><br>
<br>
> auth_param ntlm children 600<br>
> auth_param ntlm keep_alive off<br>
<br>
> auth_param negotiate children 150<br>
> auth_param negotiate keep_alive off<br>
> visible_hostname <a href="http://GGNPROXY01.HTMEDIA.NET" target="_blank">GGNPROXY01.HTMEDIA.NET</a><br>
> external_acl_type wbinfo_group_helper ttl=0 children=40 %LOGIN<br>
> /usr/lib64/squid/<a href="http://wbinfo_group.pl" target="_blank">wbinfo_group.pl</a> -d<br>
> auth_param negotiate keep_alive off<br>
<br>
</span>You have several useless configuration lines for Negotiate auth which is<br>
not being used in any way. Remove those.<br>
<div><div class="h5"><br>
<br>
> acl Safe_ports port 8080 #https<br>
> acl SSL_ports port 443<br>
> acl Safe_ports port 80 # http<br>
> acl Safe_ports port 21 # ftp<br>
> acl Safe_ports port 443 # https<br>
> acl Safe_ports port 70 # gopher<br>
> acl Safe_ports port 210 # wais<br>
> acl Safe_ports port 1025-65535 # unregistered ports<br>
> acl Safe_ports port 280 # http-mgmt<br>
> acl Safe_ports port 488 # gss-http<br>
> acl Safe_ports port 591 # filemaker<br>
> acl Safe_ports port 777 # multiling http<br>
> acl CONNECT method CONNECT<br>
> acl auth proxy_auth REQUIRED<br>
> acl google dstdomain -i "/etc/squid/<a href="http://google_site.com" target="_blank">google_site.com</a>"<br>
> http_access allow google<br>
> acl sq1 external wbinfo_group_helper "/etc/squid/HT/sq1"<br>
> acl sq2 external wbinfo_group_helper "/etc/squid/HT/sq2"<br>
> acl sq3 external wbinfo_group_helper "/etc/squid/HT/sq3"<br>
> acl sq4 external wbinfo_group_helper "/etc/squid/HT/sq4"<br>
> acl sq5 external wbinfo_group_helper "/etc/squid/HT/sq5"<br>
> acl pro1 external wbinfo_group_helper "/etc/squid/HT/pro1"<br>
> acl pro2 external wbinfo_group_helper "/etc/squid/HT/pro2"<br>
> acl pro3 external wbinfo_group_helper "/etc/squid/HT/pro3"<br>
> acl pro4 external wbinfo_group_helper "/etc/squid/HT/pro4"<br>
> acl pro5 external wbinfo_group_helper "/etc/squid/HT/pro5"<br>
> acl pro6 external wbinfo_group_helper "/etc/squid/HT/pro6"<br>
> acl webvip external wbinfo_group_helper "/etc/squid/HT/webvip"<br>
> acl allgroup external wbinfo_group_helper "/etc/squid/HT/allgreop"<br>
> acl restricted external wbinfo_group_helper "/etc/squid/HT/restricted"<br>
> acl ad_auth proxy_auth REQUIRE<br>
<br>
</div></div>You already have an ACL named "auth" which performs authentication.<br>
The above line is not useful. Remove it and replace all uses of<br>
"ad_auth" ACL with "auth" ACL.<br>
<span class=""><br>
> acl allowwebsites dstdomain -i "/blacklists/allowedwebsite/domains"<br>
> acl allowwebsites_url url_regex -i "/blacklists/allowedwebsite/url"<br>
> http_access allow allowwebsites<br>
> http_access allow allowwebsites_url<br>
> acl shopping dstdomain -i "/etc/squid/shopping.txt"<br>
> acl social_networking dstdomain -i "/blacklists/social/social.networking"<br>
> acl youtube dstdomain -i .<a href="http://youtube.com" target="_blank">youtube.com</a><br>
> http_access allow Safe_ports pro1 pro2 pro3 pro4 pro5 pro6 webvip<br>
<br>
</span>Incorrect use of "Safe_ports" security check. Correct usage is to deny<br>
access to all *unsafe* ports. They are unsafe because HTTP can be<br>
smuggled within the port's native protocol to attack your proxy.<br>
<br>
Once the correct security protections for Safe_ports and CONNECT tunnels<br>
have been moved up to the top, remove the "Safe_ports" check from this line.<br>
<br>
This line is also very odd in another way. ACL tests in a single line<br>
are AND'ed together - so this means the request must be from a user who is:<br>
authenticated AND a member of group pro1 AND pro2 AND pro3 AND pro4<br>
AND pro5 AND pro6 AND webvip<br>
<br>
This hints at what your main helper problem is. The above line requires<br>
7 group helper lookups *per request*. The winbind helper has a maximum<br>
of 200 simultaneous connections. This line alone will limit your proxy<br>
just under 30 new visitors per second (that becomes 60 lookups/sec<br>
before queue overload).<br>
The helper result caching will help a lot, but you also have a LOT of<br>
other group checks being made and 800 users.<br>
<span class=""><br>
<br>
> http_access allow youtube pro5<br>
> http_access allow youtube pro6<br>
> http_access allow youtube webvip<br>
> http_access deny youtube<br>
> http_access allow shopping pro5<br>
> http_access allow shopping pro6<br>
> http_access allow shopping webvip<br>
> http_access deny shopping<br>
<br>
</span>Optimization hint:<br>
"youtube" and "shopping" have the same allow/deny criteria. It would be<br>
worth combining them into one ACL.<br>
<span class=""><br>
> http_access allow social_networking pro2<br>
> http_access allow social_networking pro4<br>
> http_access allow social_networking pro6<br>
> http_access allow social_networking webvip<br>
> http_access deny social_networking<br>
> acl porn_site1 dstdomain "/etc/squid/blacklists/porn/domains.txt"<br>
> acl porn_site2 dstdom_regex -i "/etc/squid/blacklists/porn/expressions"<br>
> acl porn_site3 dstdom_regex -i "/etc/squid/blacklists/porn/urls.txt"<br>
> acl audio_video1 dstdomain "/etc/squid/blacklists/audio-video/urls.txt"<br>
> ###################### THERE ARE TOO MANY acls and http_access , so not<br>
> bothering with vast linux<br>
<br>
</span>I will bet a lot of those ACLs are also calling the group helper too yes?<br>
<span class=""><br>
> http_access allow liquorinfo webvip<br>
> http_access deny liquorinfo<br>
> http_access allow ad_auth<br>
> http_access allow auth<br>
<br>
</span>Once you have removed ad_auth ACL, this becomes:<br>
http_access allow auth<br>
http_access allow auth<br>
<br>
I hope you can see how redundant that is.<br>
<br>
Also, it's very likely that the "allow auth" is a useless operation after<br>
a great many group checks have also performed authentication. That "TOO<br>
MANY acls and http_access" list you omitted will be needed to determine<br>
that.<br>
<span class=""><br>
<br>
> http_access allow sq1 sq2<br>
> acl NTLMUsers proxy_auth REQUIRED<br>
<br>
</span>You already have an ACL named "auth" which performs authentication.<br>
The above line is not being used in any way. Remove it.<br>
<span class=""><br>
> http_access deny !Safe_ports<br>
> http_access deny CONNECT !SSL_ports<br>
<br>
</span>These are basic security protection against Denial of Service and other<br>
types of protocol smuggling attacks. They only work when they are used<br>
*above* your custom "allow" rules.<br>
<br>
Move these two lines above your "http_access allow google" line.<br>
<span class=""><br>
<br>
<br>
> http_port 8080<br>
> hierarchy_stoplist cgi-bin ?<br>
<br>
</span>The above line is not useful these days. Remove it.<br>
<span class=""><br>
> cache_effective_user squid<br>
> cache_dir aufs /var/spool/squid 20384 32 512<br>
> cache_mem 50 MB<br>
> cache_replacement_policy heap LFUDA<br>
> cache_swap_low 85<br>
> cache_swap_high 95<br>
> maximum_object_size 5 MB<br>
> maximum_object_size_in_memory 50 KB<br>
> ipcache_size 5240<br>
> ipcache_low 90<br>
> ipcache_high 95<br>
> cache_mgr amit</span><br>
> acl SSL_ports port 443<br>
<br>
The above is a duplicate config line. Remove it.<br>
<span class=""><br>
> http_access allow CONNECT SSL_ports<br>
> coredump_dir /var/spool/squid<br>
> refresh_pattern ^ftp: 1440 20% 10080<br>
> refresh_pattern ^gopher: 1440 0% 1440<br>
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br>
> refresh_pattern . 0 20% 4320<br>
> url_rewrite_program /usr/local/bin/squidGuard -c<br>
> /usr/local/squidGuard/squidGuard.conf<br>
><br>
<br>
<br>
</span>Now, as to solving your problem:<br>
<br>
1) Clean up your config. Reduce the amount of redundant or unused<br>
things. I've mentioned a few above.<br>
<br>
2) Run "squid -k parse" and fix any other problems it highlights.<br>
<br>
3) optimize your ACLs and http_access rules. I've mentioned a few, such<br>
as moving the main security checks to the top so DoS traffic does not<br>
put load on the helpers and other ACLs.<br>
<br>
I believe though that you will probably find Squid works much better<br>
having the following access controls pattern:<br>
<span class="">"<br>
http_access deny !Safe_ports<br>
http_access deny CONNECT !SSL_ports<br>
<br>
</span> # if they are not authenticated, they will not be in a group<br>
http_access deny !auth<br>
<br>
# assuming that webvip are the group with full access?<br>
http_access allow webvip<br>
<br>
# your long list of per-site group check ACLs go here<br>
...<br>
<br>
# this is where defining the LAN ranges correctly comes in.<br>
# note that users have authenticated simply to get near here<br>
http_access allow localnet<br>
http_access deny all<br>
"<br>
<br>
<br>
4) consider an upgrade to Squid 3.4+. The "notes" ACL type offers much<br>
more efficient ACL testing with a custom group lookup helper. The all-of<br>
and any-of ACL types can also much reduce your http_access lines.<br>
<br>
HTH<br>
Amos<br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
</blockquote></div><br><br><br></div><div class="gmail_extra">Thank you Amos, I will check and will update the list.<br></div><div class="gmail_extra"><br clear="all"><br>-- <br><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr">Thanks & Regards<br><br><span>B Jagannath</span><br><div>Keen & Able Computers Pvt. Ltd.<br></div><div></div><div><br></div></div></div></div></div></div></div>
</div></div></div></div></div>
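<p>The ordering points in Amos's reply (the seven AND'ed group checks on one http_access line, the "deny !Safe_ports" and "deny CONNECT !SSL_ports" lines sitting below the allow rules, and the suggested access-control pattern) can be checked by walking the posted rules request by request. The Python model below does that walk. It is an added illustration for this thread, not Squid code and not anything posted by Amos or Jagannath: ACL matching is reduced to set lookups, the domain lists and requests are constructed, and the rule lists are the lines quoted in the thread with Amos's skeleton filled in using the posted youtube/shopping rules. It assumes that ttl=0 on the posted external_acl_type leaves nothing in the result cache between requests, so each external group ACL tested for a user is charged as one wbinfo_group helper lookup.</p>

```python
"""Model of how Squid walks the posted http_access rules (added example).

Squid semantics reproduced here: the first http_access line whose ACLs all
match decides the request; ACLs on one line are ANDed and tested left to
right, stopping at the first that fails; if no line matches, the opposite
of the last line's action applies; an ACL needing credentials (proxy_auth,
or an external ACL with %LOGIN) turns an unauthenticated request into a 407
challenge. ttl=0 is assumed to mean no cross-request caching of lookups.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Ports from the posted Safe_ports / SSL_ports lines.
SAFE_PORTS = {21, 70, 80, 210, 280, 443, 488, 591, 777, 8080} | set(range(1025, 65536))
SSL_PORTS = {443}
# Constructed stand-ins for the dstdomain files in the posted config.
DSTDOMAIN = {"youtube": {"www.youtube.com", "youtube.com"},
             "shopping": {"www.shop.example"}}
# ACLs that call wbinfo_group_helper in the posted config.
GROUP_ACLS = {"pro1", "pro2", "pro3", "pro4", "pro5", "pro6", "webvip", "sq1", "sq2"}


class NeedsAuth(Exception):
    """An auth-dependent ACL met a request without credentials: Squid sends 407."""


@dataclass
class Request:
    user: Optional[str]      # None = no Proxy-Authorization header yet
    groups: Set[str]         # what the directory would answer for this user
    port: int
    dst: str
    method: str = "GET"
    from_localnet: bool = True


Rule = Tuple[str, List[str]]   # ("allow" | "deny", [acl, acl, ...])

# Posted order, reduced to the lines quoted in the thread (ad_auth renamed to auth).
POSTED_ORDER: List[Rule] = [
    ("allow", ["Safe_ports", "pro1", "pro2", "pro3", "pro4", "pro5", "pro6", "webvip"]),
    ("allow", ["youtube", "pro5"]), ("allow", ["youtube", "pro6"]),
    ("allow", ["youtube", "webvip"]), ("deny", ["youtube"]),
    ("allow", ["shopping", "pro5"]), ("allow", ["shopping", "pro6"]),
    ("allow", ["shopping", "webvip"]), ("deny", ["shopping"]),
    ("allow", ["auth"]), ("allow", ["auth"]), ("allow", ["sq1", "sq2"]),
    ("deny", ["!Safe_ports"]), ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["CONNECT", "SSL_ports"]),
]
# Amos's skeleton with the posted youtube/shopping rules in the per-site slot
# (their webvip lines dropped, since webvip is allowed before that slot).
RECOMMENDED_ORDER: List[Rule] = [
    ("deny", ["!Safe_ports"]), ("deny", ["CONNECT", "!SSL_ports"]),
    ("deny", ["!auth"]), ("allow", ["webvip"]),
    ("allow", ["youtube", "pro5"]), ("allow", ["youtube", "pro6"]), ("deny", ["youtube"]),
    ("allow", ["shopping", "pro5"]), ("allow", ["shopping", "pro6"]), ("deny", ["shopping"]),
    ("allow", ["localnet"]), ("deny", ["all"]),
]


def evaluate(rules: List[Rule], req: Request) -> Tuple[str, int]:
    """Return (verdict, helper lookups) for one request under one rule list."""
    asked: Set[str] = set()      # group ACLs sent to the helper for this request

    def match(name: str) -> bool:
        if name.startswith("!"):
            return not match(name[1:])
        if name == "all":
            return True
        if name == "Safe_ports":
            return req.port in SAFE_PORTS
        if name == "SSL_ports":
            return req.port in SSL_PORTS
        if name == "CONNECT":
            return req.method == "CONNECT"
        if name == "localnet":
            return req.from_localnet
        if name in DSTDOMAIN:
            return req.dst in DSTDOMAIN[name]
        if name == "auth" or name in GROUP_ACLS:
            if req.user is None:
                raise NeedsAuth(name)          # %LOGIN / proxy_auth force a 407 first
            if name in GROUP_ACLS:
                asked.add(name)                # one helper round trip per group ACL
                return name in req.groups
            return True
        raise KeyError("unknown ACL " + name)

    try:
        for action, acls in rules:
            if all(match(a) for a in acls):    # all() stops at the first False, as Squid does
                return action, len(asked)
    except NeedsAuth:
        return "challenge", len(asked)
    return ("deny" if rules[-1][0] == "allow" else "allow"), len(asked)   # no line matched


# Constructed requests covering the cases raised in the thread.
SAMPLE_REQUESTS = [
    ("webvip user, youtube, port 80", Request("alice", {"webvip"}, 80, "www.youtube.com")),
    ("member of all seven groups, port 80", Request("dave", set(GROUP_ACLS), 80, "www.example.com")),
    ("pro1 only, port 80", Request("bob", {"pro1"}, 80, "www.example.com")),
    ("pro5 user, shopping site on port 25", Request("carol", {"pro5"}, 25, "www.shop.example")),
    ("webvip user, CONNECT to port 8080", Request("erin", {"webvip"}, 8080, "mail.example", "CONNECT")),
    ("no credentials, youtube", Request(None, set(), 80, "www.youtube.com")),
]


def compare() -> List[Tuple[str, Tuple[str, int], Tuple[str, int]]]:
    """(label, posted-order result, recommended-order result) for each sample request."""
    return [(label, evaluate(POSTED_ORDER, r), evaluate(RECOMMENDED_ORDER, r))
            for label, r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    print("%-40s %-18s %s" % ("request", "posted order", "recommended order"))
    for label, posted, recommended in compare():
        print("%-40s %-18s %s" % (label, "%s/%d lookups" % posted, "%s/%d lookups" % recommended))
```

<p>Running it shows the three things the reply describes: the user in all seven groups costs seven helper lookups on the first line alone in the posted order and one in the recommended order; the pro5 user fetching a shopping site on port 25 and the webvip user doing CONNECT to port 8080 are both allowed in the posted order, because "allow shopping pro5" and "allow auth" are reached before "deny !Safe_ports" and "deny CONNECT !SSL_ports", while the recommended order denies both with zero helper lookups; and an unauthenticated request is challenged in both orders before any helper is consulted. The model only knows the rules quoted in the thread; the omitted "TOO MANY acls" block would add further lookups per request in the posted order.</p>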