On Mon, 14 Nov 2011 14:50:02 +0000, John Sayce wrote:
> I have squid configured and working fine with ntlm authentication, however about once a week access to the throughput will slow and I can be presented with access denied messages. Restarting squid instantly fixes the problem. My configuration is relatively simple as below.
>
> I don't have a large user base. There's only 60 users and the problem is instantly gone upon restarting squid, which suggests to me that it's not simply a problem of load as the log would suggest. I wondered if it was a single computer or application causing the issue but I'm not sure how to find out.
>
> acl denieddomains dstdomain 'C:\squid\etc\denieddomains.acl'
> acl alloweddomains dstdomain 'C:\squid\etc\alloweddomains.acl'
> acl allowedaddresses dst 'C:\squid\etc\allowedaddresses.acl'
> acl manager proto cache_object
>
> always_direct allow nocache
>
> http_access allow manager monitor
> http_access deny localhost
> http_access deny blocked
> http_access allow unauthenticatednet
> http_access allow alloweddomains
> http_access allow allowedaddresses

NP: 'allowedaddresses' requires DNS lookup. So slows every request down to find the requested domains DNS entries.

> http_access deny inetrestrictgroup denieddomains

Swap those ACLs' order to:
  denieddomains inetrestrictgroup

That will reduce the helper lookup load on the !denieddomains cases a bit.

> http_access allow inetrestrictgroup
> http_access allow inetallowgroup
> http_access deny all
>
> cache_mem 500 MB
> maximum_object_size_in_memory 1 MB
> cache_dir ufs c:/squid/var/cache 7000 16 512
> access_log C:\squid\var\logs\access.log squid
> My cache log would seem to suggest that it's related to the ntlm helper processes. E.g.
>
> /mswin_check_lm_group.exe Can't find DC for local domain 'asd'

Your DC has disappeared, or some client is sending in a login domain which is not yours. Nothing the helpers can do about either case but reject. It does so, after the horribly long lag it took to discover that problem.

> I think this is the output of checking 'deny inetrestrictgroup denieddomains'.
>
> 2011/11/14 11:31:57 storeUfsCreate: Failed to create c:/squid/var/cache/01/C2/00058467 ((13) Permission denied)
> /mswin_check_lm_group.exe Can't find DC for local domain 'asd'

Login checks repeat all over again. And fail again.

> I think this is the output of checking 'allow inetrestrictgroup'.
>
> /mswin_check_lm_group.exe Can't find DC for local domain 'asd'

Login checks repeat all over again. And fail yet again.

> I think this is the output of checking 'allow inetrestrictgroup'.
>
> 2011/11/14 12:15:40 clientTryParseRequest: FD 361 (192.168.0.252:2504) Invalid Request
> 2011/11/14 12:26:41 sslWriteClient: FD 1062: write failure: (10054) WSAECONNRESET, Connection reset by peer.

And the client disconnects.

'sslWriteClient' seems significant. Particularly since your config has no https_port. What Squid version are you using?

> And the cache authentication statistics seem to suggest the same

Well the helpers report indicates it is taking up to 25 seconds to do 1 login request for some clients.

What this looks like to me is either your DC disappearing for a short while and Squid falling under the resulting failures. Or some client flooding Squid with the invalid domain name 'asd' with the same effect.

Amos


-----Original Message-----
From: Amos Jeffries
Sent: 18 November 2011 04:53
Subject: Re: [squid-users] NTLM Authentication

On 2:23 a.m., John Sayce wrote:
>> On Mon, 14 Nov 2011 14:50:02 +0000, John Sayce wrote:
>>> http_access allow alloweddomains
>>> http_access allow allowedaddresses
>>
>> NP: 'allowedaddresses' requires DNS lookup. So slows every request down to find the requested domains DNS entries.
>
> Allowed addresses is actually a list of ip addresses and ranges that are allowed. I presume you mean alloweddomains, which is a list of domains that are permitted? In the majority of cases I can change this to use ip addresses if it will improve performance. The problem would come that in some cases I've allowed the top level domain because I want to allow all the sub domains also, mainly for applications that can't authenticate to get their updates. Is there a way round this or is the best practice to put the effort in and find the addresses for all the required subdomains as well?
>
>>> http_access deny inetrestrictgroup denieddomains
>>
>> Swap those ACLs' order to:
>>   denieddomains inetrestrictgroup
>>
>> That will reduce the helper lookup load on the !denieddomains cases a bit.
>
> I thought it might be worth mentioning that denieddomains is actually empty. I put it in for future use. But I have swapped these anyhow.
>
>>> My cache log would seem to suggest that it's related to the ntlm helper processes. E.g.
>>>
>>> /mswin_check_lm_group.exe Can't find DC for local domain 'asd'
>>
>> Your DC has disappeared, or some client is sending in a login domain which is not yours. Nothing the helpers can do about either case but reject. It does so, after the horribly long lag it took to discover that problem.
>
> It might be possible that there is a network issue but my dc is monitored by nagios and hasn't registered any issues with the checks I have in place.
>
> I'm going to see if I can audit the failed requests, which I would have hoped happened by default in active directory but apparently not.

The problem could be in DNS entries pointing Squid to the DC machine, in the OS somewhere losing records linking 'asd' to the DC, or in packet problems connecting to the DC. 'Can't find' hints to me that it is one of the earlier two problems, that Squid helper is unable to find a DC machine to try connecting to.

>> 'sslWriteClient' seems significant. Particularly since your config has no https_port. What Squid version are you using?
>>
>> Well the helpers report indicates it is taking up to 25 seconds to do 1 login request for some clients.
>>
>> What this looks like to me is either your DC disappearing for a short while and Squid falling under the resulting failures. Or some client flooding Squid with the invalid domain name 'asd' with the same effect.
>>
>> Amos
>
> It's version 2.7.STABLE8. As I say, I've changed to most of your suggestions and I'll see if I can get logging setup for failed login attempts on my dc. I've still got the domain names explicitly allowed though but I'll change it if there's still a problem. The domain is 'asd' but it feels to me like it's a client flooding squid because I can't imagine that the DC is failing. I'll try and keep looking though.
>
> Cheers
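An added example, not code from the thread or from the Squid project, for John's question of how to tell whether a single client is behind the slowdowns: it reads Squid's native "squid" access.log format and reports clients producing bursts of 407 (proxy authentication required) denials, which is what a client repeatedly failing NTLM against the helpers would leave behind, plus requests whose service time is in the multi-second range Amos mentions. The log lines, addresses and thresholds are constructed.

```python
# Added example: flag clients producing bursts of 407 (proxy auth required)
# denials, and requests stuck behind a slow auth helper, from a Squid
# native-format access.log.  The log lines below are constructed.
from collections import defaultdict, deque

# squid format: time.ms elapsed client action/code size method URL user hier/peer type
SAMPLE_LOG = """\
1321270317.101    120 192.168.0.252 TCP_DENIED/407 1734 GET http://updates.example.com/x - NONE/- text/html
1321270317.205     95 192.168.0.252 TCP_DENIED/407 1734 GET http://updates.example.com/x - NONE/- text/html
1321270317.330    110 192.168.0.252 TCP_DENIED/407 1734 GET http://updates.example.com/x - NONE/- text/html
1321270318.002  25010 192.168.0.17 TCP_MISS/200 5120 GET http://www.example.com/ DOMAIN\\jsmith DIRECT/93.184.216.34 text/html
1321270318.410    100 192.168.0.252 TCP_DENIED/407 1734 GET http://updates.example.com/x - NONE/- text/html
1321270319.000     90 192.168.0.252 TCP_DENIED/407 1734 GET http://updates.example.com/x - NONE/- text/html
1321270399.500    105 192.168.0.40 TCP_DENIED/407 1734 GET http://www.example.com/ - NONE/- text/html
"""

def parse_line(line):
    """Return (timestamp, client_ip, status_code, elapsed_ms), or None if unparsable."""
    fields = line.split()
    if len(fields) < 4 or "/" not in fields[3]:
        return None
    try:
        return float(fields[0]), fields[2], int(fields[3].split("/")[1]), int(fields[1])
    except ValueError:
        return None

def auth_failure_bursts(log_text, window_s=5.0, threshold=5):
    """Clients whose peak count of 407s within any window_s seconds reaches
    threshold, as (client, peak) pairs sorted worst first."""
    recent = defaultdict(deque)   # client -> 407 timestamps still inside the window
    peak = defaultdict(int)
    for rec in map(parse_line, log_text.splitlines()):
        if rec is None or rec[2] != 407:
            continue
        ts, client = rec[0], rec[1]
        q = recent[client]
        q.append(ts)
        while ts - q[0] > window_s:   # expire 407s older than the window
            q.popleft()
        peak[client] = max(peak[client], len(q))
    return sorted(((c, n) for c, n in peak.items() if n >= threshold),
                  key=lambda cn: -cn[1])

def slow_logins(log_text, min_elapsed_ms=20000):
    """(client, elapsed_ms) for requests slower than min_elapsed_ms, e.g. a login
    waiting on a helper that cannot reach the DC (the thread reports ~25 s)."""
    return [(r[1], r[3]) for r in map(parse_line, log_text.splitlines())
            if r and r[3] >= min_elapsed_ms]
```

Run it against a real access.log by passing the file contents in place of SAMPLE_LOG; a client that tops the burst list while everyone else is quiet is the machine to look at first.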