All 32/32 ssl_crtd processes are busy / All 35/35 negotiateauthenticator processes are busy


All 32/32 ssl_crtd processes are busy / All 35/35 negotiateauthenticator processes are busy

erdosain9
Hi.
I'm seeing these warnings in cache.log:


2018/02/14 15:56:55 kid1| WARNING: All 32/32 ssl_crtd processes are busy.
2018/02/14 15:56:55 kid1| WARNING: 32 pending requests queued
2018/02/14 15:56:55 kid1| WARNING: Consider increasing the number of
ssl_crtd processes in your config file.

2018/02/14 16:07:06 kid1| WARNING: All 35/35 negotiateauthenticator
processes are busy.
2018/02/14 16:07:06 kid1| WARNING: 35 pending requests queued
2018/02/14 16:07:06 kid1| WARNING: Consider increasing the number of
negotiateauthenticator processes in your config file.

I know how to increase the number of negotiate authenticator helpers, but how
can I increase the number of ssl_crtd processes?

Thanks to all.

This is my config

# Source-address ACL loaded from a file. The later rule
# "http_access allow sin_autenticacion" is placed before every rule that uses
# a %LOGIN-based group ACL, so a client matching this list is allowed on its
# source address alone.
# NOTE(review): presumably these are hosts that cannot do Kerberos; confirm the
# list is short and the addresses are statically assigned.
acl sin_autenticacion src "/etc/squid/listas/sin_autenticacion.lst"


###Kerberos Auth with ActiveDirectory###
# Negotiate (Kerberos) authentication helper. The list archive has wrapped this
# directive onto two lines and redacted the service principal passed with -s.
auth_param negotiate program /lib64/squid/negotiate_kerberos_auth -s
HTTP/[hidden email]
# At most 35 helper processes, none pre-started (startup=0), one kept idle.
# The "All 35/35 negotiateauthenticator processes are busy" warning in
# cache.log corresponds to this limit being reached.
auth_param negotiate children 35 startup=0 idle=1
# NOTE(review): this sets a TTL for the *basic* scheme, but no
# "auth_param basic program" line is visible in this listing; confirm whether
# it has any effect here.
auth_param basic credentialsttl 2 hours
auth_param negotiate keep_alive on


# Three external ACL helpers, one per AD group. Each runs
# ext_kerberos_ldap_group_acl with a -g group argument (redacted by the
# archive) and is keyed on %LOGIN, i.e. on the authenticated user name, so
# evaluating any of these ACLs requires the client to have authenticated.
# The archive has wrapped each directive onto two lines.
external_acl_type i-restringidos %LOGIN
/usr/lib64/squid/ext_kerberos_ldap_group_acl -g [hidden email]
external_acl_type i-full %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl
-g [hidden email]
external_acl_type i-limitado %LOGIN
/usr/lib64/squid/ext_kerberos_ldap_group_acl -g [hidden email]

# Bind an ACL name to each external helper defined above.
acl i-restringidos external i-restringidos
acl i-full external i-full
acl i-limitado external i-limitado

# Ad blocking: requests whose destination host name matches a regex in the
# file are denied. This is the first http_access rule in the listing, so it is
# evaluated before the Safe_ports / CONNECT checks further down.
acl ads dstdom_regex "/etc/squid/listas/ad_block.lst"
http_access deny ads

# "youtube" and "facebook" are case-insensitive (-i) URL regex ACLs; the
# delay_access rules later in the file use them to choose a bandwidth pool.
# The patterns are unanchored except where $ is used, so the bare words match
# any URL that contains them, not only those sites' own hosts.
# NOTE(review): in "watch?" the ? is a regex quantifier (it makes the "h"
# optional), so the pattern matches "watc" or "watch" anywhere in a URL;
# "watch\?" was presumably intended - confirm.
acl youtube url_regex -i \.flv$
acl youtube url_regex -i \.mp4$
acl youtube url_regex -i watch?
acl youtube url_regex -i youtube
acl facebook url_regex -i facebook
acl facebook url_regex -i fbcdn\.net\/v\/(.*\.mp4)\?
acl facebook url_regex -i fbcdn\.net\/v\/(.*\.jpg)\?
acl facebook url_regex -i akamaihd\.net\/v\/(.*\.mp4)\?
acl facebook url_regex -i akamaihd\.net\/v\/(.*\.jpg)\?

# Destination-domain lists: "restringidos" is denied to the i-restringidos
# group, "dominios_denegados" is excluded from the i-limitado / i-full allows.
acl restringidos dstdomain "/etc/squid/listas/restringidos.lst"
acl dominios_denegados dstdomain "/etc/squid/listas/dominios_denegados.lst"

# Ports to which CONNECT tunnels are permitted (enforced by
# "http_access deny CONNECT !SSL_ports" below).
# NOTE(review): besides 443 this list opens CONNECT to 4443, 8443, 8080,
# 20000, 10000 and 2083. Every extra port widens what a client can tunnel to
# through the proxy; confirm each one is still needed.
acl SSL_ports port 443
acl SSL_ports port 4443
acl SSL_ports port 8443
acl SSL_ports port 8080
acl SSL_ports port 20000
acl SSL_ports port 10000
acl SSL_ports port 2083

# Destination ports the proxy will talk to at all (enforced by
# "http_access deny !Safe_ports" below).
# NOTE(review): 25/587/465 (SMTP), 143/993 (IMAP) and 995 (POP3S) are mail
# ports, not web ports. Allowing them lets proxied requests be aimed at mail
# servers; confirm they are required, otherwise drop them.
# NOTE(review): 1025-65535 already covers 4443, 8443, 8080 and 2199, so those
# individual entries are redundant.
acl Safe_ports port 631         # httpCUPS
acl Safe_ports port 85
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 25          # smtp
acl Safe_ports port 587         # smtp submission
acl Safe_ports port 143         # imap
acl Safe_ports port 993         # imaps
acl Safe_ports port 995         # pop3s
acl Safe_ports port 465         # smtps
acl Safe_ports port 443         # https
acl Safe_ports port 4443        # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 8443        # httpsalt
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 8080        # edesur and others
acl Safe_ports port 2199        # radio
# Matches requests that use the CONNECT method (tunnel requests).
acl CONNECT method CONNECT


# Access rules. http_access lines are checked top to bottom and the first
# matching rule decides, so the order below is significant.

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost

# Clients in the sin_autenticacion source list are allowed here with no
# destination restriction: this rule precedes the group rules, so neither the
# "restringidos" nor the "dominios_denegados" list is applied to them.
http_access allow sin_autenticacion
# Members of i-restringidos are denied the "restringidos" domains.
# NOTE(review): no later rule allows i-restringidos, so a user who is only in
# that group falls through to "deny all" for every other destination as well;
# confirm that is intended.
http_access deny i-restringidos restringidos
# i-limitado and i-full members may go anywhere except "dominios_denegados".
http_access allow i-limitado !dominios_denegados
http_access allow i-full !dominios_denegados
http_access allow localhost

# Default deny for everything not matched above.
http_access deny all

# Plain proxy listener on loopback.
http_port 127.0.0.1:3128
# LAN listener with SSL-Bump enabled (the archive has wrapped this directive
# onto three lines). generate-host-certificates=on makes Squid mint a
# certificate per intercepted host, signed with the CA below; that signing is
# the work done by the ssl_crtd helpers named in the cache.log warning.
# No sslcrtd_program or sslcrtd_children line appears in this listing.
# cert= and key= point at the same file, so myca.pem holds the signing CA's
# private key: anyone who can read it can issue certificates that every client
# trusting this CA will accept. Keep the file readable only by the account
# Squid runs as.
http_port 192.168.1.215:3128 ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem
key=/etc/squid/ssl_cert/myca.pem

# True during the first SSL-Bump step.
acl step1 at_step SslBump1

# TLS server names (regex list from file) that must not be decrypted.
acl excludeSSL ssl::server_name_regex "/etc/squid/listas/excluidosSSL.lst"

# Step 1: peek at the client's TLS hello so the server name is known.
ssl_bump peek step1
# Server names on the exclusion list are tunnelled without decryption.
ssl_bump splice excludeSSL
# Everything else is decrypted and re-encrypted with a generated certificate.
# NOTE(review): with "bump all", anything not in excluidosSSL.lst is
# intercepted; confirm the list covers sites that must stay end-to-end
# (for example banking or certificate-pinned services).
ssl_bump bump all


# On-disk cache: diskd store under /var/spool/squid, 15000 MB, 16 first-level
# and 256 second-level directories. In-memory cache is 500 MB.
cache_dir diskd /var/spool/squid 15000 16 256
cache_mem 500 MB

# Low / high water marks (percent of cache size) for object eviction.
cache_swap_low 70
cache_swap_high 85

# Core dumps are written to the same directory as the disk cache.
coredump_dir /var/spool/squid


# Freshness rules; the first matching refresh_pattern is used. The archive has
# wrapped the first two directives onto several lines.
# NOTE(review): ignore-no-store and ignore-private tell Squid to cache
# responses that the origin marked as not storable or as private to one user.
# Because HTTPS is being bumped on this proxy, that can include responses
# fetched inside authenticated sessions, which could then be served from cache
# to a different user. Confirm this is acceptable, or drop those options.
refresh_pattern -i \.jpg$ 30 0% 30 ignore-no-cache ignore-no-store
ignore-private
refresh_pattern -i ^http:\/\/www\.google\.com\/$ 0 20% 360 override-expire
override-lastmod ignore-reload ignore-no-cache ignore-no-store
reload-into-ims ignore-must-revalidate

# Generic rules for ftp, gopher, dynamic content (never cached) and the
# catch-all pattern.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

# Five bandwidth-limiting pools. For each pool: delay_class picks the pool
# type (1 = one aggregate bucket, 2 = aggregate plus per-client buckets),
# delay_parameters gives restore-rate/bucket-size pairs in bytes, and
# delay_access selects which requests the pool applies to.
# All of the selectors depend on the i-limitado / i-full group ACLs, so
# clients admitted through sin_autenticacion are presumably not matched by
# any pool - TODO confirm that is intended.
delay_pools 5

# YouTube bandwidth (i-limitado group)
delay_class 1 2
delay_parameters 1 1000000/1000000 20000/150000
delay_access 1 allow i-limitado youtube !facebook
delay_access 1 deny all

# Facebook bandwidth (i-limitado group)
delay_class 2 2
delay_parameters 2 1000000/1000000 50000/256000
delay_access 2 allow i-limitado facebook !youtube
delay_access 2 deny all

# YouTube bandwidth for the i-full group (aggregate limit only)
delay_class 3 1
delay_parameters 3 1000000/1000000
delay_access 3 allow i-full youtube !facebook
delay_access 3 deny all

# General bandwidth for the i-limitado group
delay_class 4 2
delay_parameters 4 4000000/4000000 200000/400000
delay_access 4 allow i-limitado !youtube !facebook
delay_access 4 deny all

# General bandwidth for the i-full group
delay_class 5 2
delay_parameters 5 4000000/4000000 500000/1000000
delay_access 5 allow i-full !youtube !facebook
delay_access 5 deny all

# Resolvers Squid queries directly (both on the 192.168.1.x LAN).
dns_nameservers 192.168.1.107 192.168.1.222

# Upper bound on the number of forwarding attempts per request.
forward_max_tries 25

# Prefer IPv4 addresses when a destination resolves to both families.
dns_v4_first on





--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: All 32/32 ssl_crtd processes are busy / All 35/35 negotiateauthenticator processes are busy

Yuri Voinov
#  TAG: sslcrtd_children
#    The maximum number of processes spawn to service ssl server.
#    The maximum this may be safely set to is 32.
#   
#    The startup= and idle= options allow some measure of skew in your
#    tuning.
#   
#        startup=N
#   
#    Sets the minimum number of processes to spawn when Squid
#    starts or reconfigures. When set to zero the first request will
#    cause spawning of the first child process to handle it.
#   
#    Starting too few children temporary slows Squid under load while it
#    tries to spawn enough additional processes to cope with traffic.
#   
#        idle=N
#   
#    Sets a minimum of how many processes Squid is to try and keep available
#    at all times. When traffic begins to rise above what the existing
#    processes can handle this many more will be spawned up to the maximum
#    configured. A minimum setting of 1 is required.
#
#        queue-size=N
#
#    Sets the maximum number of queued requests.
#    If the queued requests exceed queue size for more than 3 minutes
#    squid aborts its operation.
#    The default value is set to 2*numberofchildren.
#   
#    You must have at least one ssl_crtd process.
#Default:
# sslcrtd_children 32 startup=5 idle=1

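The directive you are looking for is sslcrtd_children; the excerpt above is its entry in squid.conf.documented, which is worth reading in full. Note that the excerpt gives 32 as both the default and the highest value that is safe to set, and your log already shows 32/32 in use.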


16.02.2018 19:03, erdosain9 пишет:

> Hi.
> Im having this warning in cache.log
>
>
> 2018/02/14 15:56:55 kid1| WARNING: All 32/32 ssl_crtd processes are busy.
> 2018/02/14 15:56:55 kid1| WARNING: 32 pending requests queued
> 2018/02/14 15:56:55 kid1| WARNING: Consider increasing the number of
> ssl_crtd processes in your config file.
>
> 2018/02/14 16:07:06 kid1| WARNING: All 35/35 negotiateauthenticator
> processes are busy.
> 2018/02/14 16:07:06 kid1| WARNING: 35 pending requests queued
> 2018/02/14 16:07:06 kid1| WARNING: Consider increasing the number of
> negotiateauthenticator processes in your config file.
>
> I know how to increase the negotiate authenticator... but, how can i
> increase the ssl_crtd proceses???
>
> Thanks to all.
>
> This is my config
>
> acl sin_autenticacion src "/etc/squid/listas/sin_autenticacion.lst"
>
>
> ###Kerberos Auth with ActiveDirectory###
> auth_param negotiate program /lib64/squid/negotiate_kerberos_auth -s
> HTTP/[hidden email]
> auth_param negotiate children 35 startup=0 idle=1
> auth_param basic credentialsttl 2 hours
> auth_param negotiate keep_alive on
>
>
> external_acl_type i-restringidos %LOGIN
> /usr/lib64/squid/ext_kerberos_ldap_group_acl -g [hidden email]
> external_acl_type i-full %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl
> -g [hidden email]
> external_acl_type i-limitado %LOGIN
> /usr/lib64/squid/ext_kerberos_ldap_group_acl -g [hidden email]
>
> acl i-restringidos external i-restringidos
> acl i-full external i-full
> acl i-limitado external i-limitado
>
> acl ads dstdom_regex "/etc/squid/listas/ad_block.lst"
> http_access deny ads
>
> acl youtube url_regex -i \.flv$
> acl youtube url_regex -i \.mp4$
> acl youtube url_regex -i watch?
> acl youtube url_regex -i youtube
> acl facebook url_regex -i facebook
> acl facebook url_regex -i fbcdn\.net\/v\/(.*\.mp4)\?
> acl facebook url_regex -i fbcdn\.net\/v\/(.*\.jpg)\?
> acl facebook url_regex -i akamaihd\.net\/v\/(.*\.mp4)\?
> acl facebook url_regex -i akamaihd\.net\/v\/(.*\.jpg)\?
>
> acl restringidos dstdomain "/etc/squid/listas/restringidos.lst"
> acl dominios_denegados dstdomain "/etc/squid/listas/dominios_denegados.lst"
>
> acl SSL_ports port 443
> acl SSL_ports port 4443
> acl SSL_ports port 8443
> acl SSL_ports port 8080
> acl SSL_ports port 20000
> acl SSL_ports port 10000
> acl SSL_ports port 2083
>
> acl Safe_ports port 631         # httpCUPS
> acl Safe_ports port 85
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 25          #########
> acl Safe_ports port 587         #########
> acl Safe_ports port 143         #########
> acl Safe_ports port 993         #########
> acl Safe_ports port 995         #########
> acl Safe_ports port 465         #########
> acl Safe_ports port 443         # https
> acl Safe_ports port 4443        # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 8443        # httpsalt
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl Safe_ports port 8080        # edesur y otros
> acl Safe_ports port 2199        # radio
> acl CONNECT method CONNECT
>
>
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
>
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
>
> # Only allow cachemgr access from localhost
> http_access allow localhost manager
> http_access deny manager
>
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> http_access deny to_localhost
>
> http_access allow sin_autenticacion
> http_access deny i-restringidos restringidos
> http_access allow i-limitado !dominios_denegados
> http_access allow i-full !dominios_denegados
> http_access allow localhost
>
> http_access deny all
>
> http_port 127.0.0.1:3128
> http_port 192.168.1.215:3128 ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem
> key=/etc/squid/ssl_cert/myca.pem
>
> acl step1 at_step SslBump1
>
> acl excludeSSL ssl::server_name_regex "/etc/squid/listas/excluidosSSL.lst"
>
> ssl_bump peek step1
> ssl_bump splice excludeSSL
> ssl_bump bump all
>
>
> cache_dir diskd /var/spool/squid 15000 16 256
> cache_mem 500 MB
>
> cache_swap_low 70
> cache_swap_high 85
>
> coredump_dir /var/spool/squid
>
>
> refresh_pattern -i \.jpg$ 30 0% 30 ignore-no-cache ignore-no-store
> ignore-private
> refresh_pattern -i ^http:\/\/www\.google\.com\/$ 0 20% 360 override-expire
> override-lastmod ignore-reload ignore-no-cache ignore-no-store
> reload-into-ims ignore-must-revalidate
>
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320
>
> delay_pools 5
>
> #Ancho de Youtube
> delay_class 1 2
> delay_parameters 1 1000000/1000000 20000/150000
> delay_access 1 allow i-limitado youtube !facebook
> delay_access 1 deny all
>
> #Ancho de Facebook
> delay_class 2 2
> delay_parameters 2 1000000/1000000 50000/256000
> delay_access 2 allow i-limitado facebook !youtube
> delay_access 2 deny all
>
> #Ancho de banda YOUTUBE FULL
> delay_class 3 1
> delay_parameters 3 1000000/1000000
> delay_access 3 allow i-full youtube !facebook
> delay_access 3 deny all
>
> #Ancho de banda LIMITADO
> delay_class 4 2
> delay_parameters 4 4000000/4000000 200000/400000
> delay_access 4 allow i-limitado !youtube !facebook
> delay_access 4 deny all
>
> #Ancho de banda FULL
> delay_class 5 2
> delay_parameters 5 4000000/4000000 500000/1000000
> delay_access 5 allow i-full !youtube !facebook
> delay_access 5 deny all
>
> dns_nameservers 192.168.1.107 192.168.1.222
>
> forward_max_tries 25
>
> dns_v4_first on
>
>
>
>
>
> --
> Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
> _______________________________________________
> squid-users mailing list
> [hidden email]
> http://lists.squid-cache.org/listinfo/squid-users
--
*****************************
* C++20 : Bug to the future *
*****************************



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
