Vipin Kaimal wrote:
> Hi All,
>
> Recently we installed a new squid proxy (squid-2.5.STABLE12-18.9 on
> SuSe 10) with LDAP authentication. Earleier we had a squid proxy with
> ldap authentication. That time, both LDAP and squid were running on
> the same server and everything was fine. Now we installed a new linux
> server and moved the squid service to it. LDAP is running on a
> different server. Many users are now complaining that they are not
> able to browse. Ever since I migrated all users to this new proxy
> server, we are getting the following errors in /var/log/message file.
> The same messages are displayed in /var/log/squid/cache.log
>
> Feb 17 11:32:21 proxy squid[9869]: aclMatchExternal: 'fullaccess'
> queue overload. Request rejected.
> Feb 17 11:32:21 proxy squid[9869]: aclMatchExternal:
> 'restrictedaccess' queue overload. Request rejected.
> Feb 17 11:32:21 proxy squid[9869]: aclMatchExternal: 'deniedaccess'
> queue overload. Request rejected.
> Feb 17 11:32:21 proxy squid[9869]: aclMatchExternal: 'fullaccess'
> queue overload. Request rejected.
> Feb 17 11:32:21 proxy squid[9869]: aclMatchExternal:
> 'restrictedaccess' queue overload. Request rejected.
> Feb 17 11:32:21 proxy squid[9869]: aclMatchExternal: 'deniedaccess'
> queue overload. Request rejected.
> Feb 17 11:32:21 proxy squid[9869]: aclMatchExternal: 'fullaccess'
> queue overload. Request rejected.
> Feb 17 11:32:21 proxy squid[9869]: aclMatchExternal:
> 'restrictedaccess' queue overload. Request rejected.
> Feb 17 11:32:21 proxy squid[9869]: aclMatchExternal: 'deniedaccess'
> queue overload. Request rejected.
> Feb 17 11:32:21 proxy squid[9869]: aclMatchExternal: 'fullaccess'
> queue overload. Request rejected.
>
> In cache.log these lines are also displayed.
> WARNING: All deniedaccess processes are busy.
> 2009/02/17 11:34:40| WARNING: up to 5 pending requests queued
> 2009/02/17 11:34:40| Consider increasing the number of deniedaccess
> processes to at least 10 in your config file.
> 2009/02/17 11:34:44| aclMatchExternal: 'fullaccess' queue overload.
> Request rejected.
> 2009/02/17 11:34:44| aclMatchExternal: 'restrictedaccess' queue
> overload. Request rejected.
> 2009/02/17 11:34:44| aclMatchExternal: 'deniedaccess' queue overload.
> Request rejected.
>
> Here is my external acl definition.
>
> #eDir full Internet access
> external_acl_type fullaccess %LOGIN /usr/sbin/squid_ldap_group -d -b
> "o=org" -B "o=org" -D "cn=squidproxy,ou=services,o=org" -w "" -s sub
> -h 10.10.10.3 -f "(&(objectclass=groupOfNames)(cn=%a))" -F
> "(&(&(objectClass=Person)(cn=%s))(groupMembership=cn=proxyfullaccess,ou=groups,ou=services,o=org))"
> -Z
>
> #eDir deny Internet access
> external_acl_type deniedaccess %LOGIN /usr/sbin/squid_ldap_group -d -b
> "o=org" -B "o=org" -D "cn=squidproxy,ou=services,o=org" -w "pass" -s
> sub -h 10.10.10.3 -f "(&(objectclass=groupOfNames)(cn=%a))" -F
> "(&(&(objectClass=Person)(cn=%s))(groupMembership=cn=proxydenyaccess,ou=groups,ou=services,o=org))"
> -Z
>
> #eDir limited Internet access
> external_acl_type restrictedaccess %LOGIN /usr/sbin/squid_ldap_group
> -d -b "o=org" -B "o=org" -D "cn=squidproxy,ou=services,o=org" -w
> "pass" -s sub -h 10.10.10.3 -f "(&(objectclass=groupOfNames)(cn=%a))"
> -F "(&(&(objectClass=Person)(cn=%s))(groupMembership=cn=proxylimitaccess,ou=groups,ou=services,o=org))"
> -Z
>
>
> This was the same configuration we had in our earlier setup and it was
> working fine. Please suggest me what should be the root cause for this
> and help me in resolving this.
>
> Thanks in Advance,
>
> Vinukaimal
The new remote LDAP server has additional network lag time. It is now
far too slow for the auth load you are placing on it. Squid is
overloading the helpers waiting queues.
Your options are to:
- improve the network link between the machines
- increase the helper queue size, (add children=N just before the
%LOGIN). N being >=10. (maybe concurrency=10 will work too, I'm not
sure, if it does thats better).
- increase the result caching time (add ttl=X and negative_ttl=X
before the %LOGIN). X being seconds for delay between re-checks.
- all of the above.
Amos
-- Please be using Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13 Current Beta Squid 3.1.0.5Received on Tue Feb 17 2009 - 13:01:54 MST
This archive was generated by hypermail 2.2.0 : Tue Feb 17 2009 - 12:00:02 MST