I want to know the concerns of load testing


kitamura
Hello,

I'm planning a proxy renewal for a company with 45k clients.
I'm looking at the performance of a single Squid to determine the number of Squids.

Environment: Virtual (OpenStack)
OS: CentOS8.1
CPU: 4 cores
MEM: 8GB
DISK: SATA30GB / 100GB
Squid 4.4
 SSL Bump
 Blacklist: 1,700k
 auth: NTLM
 cache: 4GB

In an environment with authentication disabled and SSL decoding enabled,
a load test was performed with JMeter.

Result: CPU high load (100rps-1000rps: CPU Usage 80-90%)
(Confirm with top command)

Added multi-core support settings to squid.conf
"workers 4"

A load test with Jmeter was performed again.

Result: CPU load is distributed to 4 cores (CPU Usage 20-40%)
(Confirm with top command)

Questions
1. How much will CPU Usage increase if NTLM authentication is enabled?
2. Are there any concerns other than CPU Usage in Squid?
3. When I enabled the cache in this test, the CPU Usage decreased, but in general, does the Squid cache increase the CPU Usage?

Thank you,
Kitamura

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: I want to know the concerns of load testing

kitamura
Hello,

Please tell me additionally:

4. I only know Squid up to 3000 users. Is there any case where Squid is used by a company with more than 30,000 users? Please let me know if there is a large company using Squid.
5. What are the important points when using the "workers" setting for multiple processes?

Kitamura


Re: I want to know the concerns of load testing

Amos Jeffries
On 2/10/20 3:15 pm, m k wrote:

> Hello,
>
> I'm planning a proxy renewal for a company with 45k clients.
> I'm looking at the performance of a single Squid to determine the number
> of Squids.
>
> Environment: Virtual (OpenStack)
> OS: CentOS8.1
> CPU: 4 cores
> MEM: 8GB
> DISK: SATA30GB / 100GB

See our notes on relative disk JBOD / RAID performances.
<https://wiki.squid-cache.org/SquidFaq/RAID>


> Squid 4.4

I know it can be hard to get hold of newer packages on CentOS. Please do
try hard to upgrade to the 4.13 release for production. There have been
more than a few critical security issues fixed this past year.


>  SSL Bump
>  Blacklist: 1,700k
>  auth: NTLM

NTLM is a major performance issue. With every request needing to be sent
twice it will essentially halve the traffic your proxy can serve to clients.

I do know that Squid used to be able to handle way more RPS than Windows
DC would like to handle. So the DC may be a bottleneck there.

Negotiate/Kerberos auth is the solution to all those problems. If you
are really interested in good performance avoid NTLM.


>  cache: 4GB
>
> In an environment with authentication disabled and SSL decoding enabled
> A load test was performed with Jmeter.
>
> Result: CPU high load (100rps-1000rps: CPU Usage 80-90%)
> (Confirm with top command)
>

If the proxy is not using 100% of the core(s) it is supposed to be
using, then you have not reached the capacity limits of the proxy.

What you do about that depends on whether you are trying to find
theoretical limits, or performance for a specific traffic profile.


For a specific traffic profile the measurement is likely hitting disk
I/O or network I/O limits. Double-check which it was - that is what to
change to improve performance.


For theoretical limits the same detail about I/O applies. But also to
max the proxy out fully you may need to tune the test traffic load for
either higher TCP connection concurrency, or to utilize less resource
consuming features, e.g. requests that will HIT on memory-cached (small)
objects and only need simple fast-type ACL checks. Memory-only traffic
is approximately 100x faster than any involving disk I/O.

 To be clear this is to find the theoretical maximum performance. You
cannot tune clients real traffic like this.



> Added multi-core support settings to squid.conf
> "workers 4"
>
> A load test with Jmeter was performed again.
>
> Result: CPU load is distributed to 4 cores (CPU Usage 20-40%)
> (Confirm with top command)

See above. That 20% implies the same 80% is spread over 4 cores.


>
> Question
> 1. 1. How much will CPU Usage increase if NTLM authentication is enabled?

NTLM requires 2 HTTP messages to authenticate every new TCP connection.
So there will be one extra HTTP message on every set of pipelined requests.

It depends on how many requests are pipelined on each TCP connection as
to how much impact that auth overhead is.


After disk I/O capacity the CPU cycles are what limit Squid most. The
RPS achievable is capped out when all CPU cores assigned for Squid reach
100%.


> 2. 2. Are there any concerns other than CPU Usage in Squid?

The usual bottlenecks:

 * disk I/O limits
 * Network latency (DNS in particular. In general, TCP to _everywhere_)
 * features used (CPU drains)
 * memory

The order is my own experience of service impact, YMMV.


> 3. 3. When I enabled the cache in this test, the CPU Usage decreased,
> but in general, does the Squid cache increase the CPU Usage?


In general cache should have little effect on CPU. Processing HTTP
headers is by far the major use of CPU cycles in Squid. SSL-Bump is
expected to be a close second, especially if decrypting.

In some cases it can. A large number of small cache objects can consume
many CPU cycles searching for an object. Or Range requests on very large
objects can spend a lot of cycles to generate the Range response HIT
payload.



HTH
Amos

Re: I want to know the concerns of load testing

Amos Jeffries
On 2/10/20 6:26 pm, m k wrote:
> Hello Please tell me additionally. 4. I only know Squid up to 3000
> users. Is there any case where Squid is used by a company that is used
> by more than 30,000 users? Please let me know if there is a large
> company using Squid. 5. What are the important point when using the
> "wokers" setting for multiple processes? 


We do not measure HTTP proxies in terms of users because this is a
meaningless measurement.

One single User can flood the network and overload the proxy with traffic.

Or, many thousands could be connected and waiting with barely any
requests going through.

Or anything in between.


The important number is how many users you expect to make requests of
the proxy simultaneously at peak traffic time.

Be aware that what happens when Squid "overloads" its capacity is just
an increase in service latency. Users still receive and process every
transaction. It can just take a short while longer than normal to
complete each - depending on which resource bottleneck that transaction
interacts with.

Amos

Re: I want to know the concerns of load testing

Alex Rousskov
On 10/1/20 10:15 PM, m k wrote:

> 1. How much will CPU Usage increase if NTLM authentication is enabled?

Depends on the portion of requests that need to be authenticated,
credentials caching effectiveness, and authenticator response times.
Nothing is easy in performance testing, but it is often easier to
measure performance than to predict it -- good proxy benchmarking tools
support testing proxy authentication.


> 2. Are there any concerns other than CPU Usage in Squid?

On servers dedicated to Squids, CPU usage is not really a concern as
such. It is a convenient but often misleading proxy (i.e. indirect
measure) for real concerns. The real concerns are errors, response times
and, in some environments, bandwidth usage. A good benchmark should
report those measurements.


> 3. When I enabled the cache in this test, the CPU Usage decreased,
> but in general, does the Squid cache increase the CPU Usage?

The answer depends on many factors such as document hit ratio, byte hit
ratio, the portion of the contents that comes from the disk cache
(rather than memory cache), hot subset, and server delays. Bugs
notwithstanding, if caching is worth enabling at all, then a correctly
configured cache decreases CPU usage in most environments (because it
decreases the amount of work that Squid should do for an average
transaction).

Please keep in mind that benchmarking a _caching_ proxy correctly is far
from trivial! Make sure your setup does not measure performance of a
cache with artificially high (or low) hit ratio, performance of a
virtually empty cache, etc.


HTH,

Alex.

Re: I want to know the concerns of load testing

Alex Rousskov
On 10/2/20 1:26 AM, m k wrote:

> Is there any case where Squid is used by a company that is used
> by more than 30,000 users?

Yes, some Squid (hierarchies) probably serve millions of users. I know
several companies using Squids for serving large user populations, but I
cannot name customer names.


> What are the important point when using the
> "wokers" setting for multiple processes?  

For a few starting points, please see

* https://wiki.squid-cache.org/Features/SmpScale#How_to_configure_SMP_Squid_for_top_performance.3F

* the recently added "worker-queues" configuration option:
  https://github.com/squid-cache/squid/pull/369


HTH,

Alex.



Re: I want to know the concerns of load testing

kitamura
Amos san, Alex san,

Thank you for your reply.

I will change Squid to compile from source.
I will also change the NTLM authentication to KRB.

I understand that errors and response times are more important than CPU.

The CPU is not 100%, but the number of simultaneous connections does not exceed 450. In netstat, FIN_WAIT was over 10000. Is there a way to reduce FIN_WAIT?

Also, can a SOCKS proxy be used with Squid? If not, what are you using as an alternative?

thank you,
kitamura


Re: [ext] Re: I want to know the concerns of load testing

Ralf Hildebrandt
* m k <[hidden email]>:

> The CPU is not 100%, but the number of simultaneous connections does not
> exceed 450. In netstat, FIN_WAIT was over 10000. Is there a way to reduce
> FiN_WAIT?

We use these sysctl settings:

--- snip ---
# Tuning

net.ipv4.tcp_fin_timeout=10
# down from 60

net.ipv4.tcp_tw_reuse=1

net.ipv4.ip_local_port_range=10000 65001
# http://www.fromdual.com/huge-amount-of-time-wait-connections

net.ipv4.tcp_mtu_probing=1
net.ipv4.tcp_base_mss=1024
# https://blog.cloudflare.com/path-mtu-discovery-in-practice/
--- snip ---


> Also, can socks proxy be used with squid?

No.

> If not, what are you using as an alternative?

I had a look at dante https://www.inet.no/dante/

FYI: for a company with about 15.000 machines we're using a cluster of
4 proxies.

Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk

Campus Benjamin Franklin (CBF)
Haus I | 1. OG | Raum 105
Hindenburgdamm 30 | D-12203 Berlin

Tel. +49 30 450 570 155
[hidden email]
https://www.charite.de
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: I want to know the concerns of load testing

Alex Rousskov
On 10/9/20 8:59 AM, m k wrote:

> The CPU is not 100%, but the number of simultaneous connections does not
> exceed 450.

The average number of active concurrent connections is offered request
rate multiplied by mean response time. Thus, if you want to see more
active concurrent connections, you have to increase request rate and/or
delay packets/origin responses, but be aware that this metric is a
derivative, and playing with derivatives often leads to misleading results.

I hope others will answer your other questions about socks and FIN_WAIT.
You might also be able to find answers to those questions in the mailing
list archive.


HTH,

Alex.



Re: I want to know the concerns of load testing

Eliezer Croitoru-3
Hey Amos,

Just wondering if someone is willing to host RPMs?
These can be built using:
https://github.com/elico/squid-docker-build-nodes

I can build the RPMs however I cannot host them.

Eliezer

* In any case, 4 GB of RAM for 45k clients on a single proxy would probably result in high swapping at peak hours.

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: [hidden email]


Re: I want to know the concerns of load testing

kitamura
hello,

I am switching from NTLM authentication to Kerberos authentication.
Sure enough, I'm in trouble.

Kerberos authentication doesn't work.
Please let me know if there is a mistake in the settings.


SPN creation
WINTEST(Active Directory)
ktpass.exe /princ HTTP/[hidden email] /mapuser [hidden email] /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /pass 20201002 /out C:\squid.keytab


PTR record setting
# nslookup 10.217.192.22
22.192.217.10.in-addr.arpa      name = c0528004l.wintest.example.co.jp.


# klist
Ticket cache: KCM:1001
Default principal: [hidden email]

Valid starting       Expires              Service principal
10/12/2020 16:05:10  10/13/2020 02:04:04  ldap/[hidden email]
        renew until 10/13/2020 02:04:04
10/12/2020 16:04:04  10/13/2020 02:04:04  krbtgt/[hidden email]
        renew until 10/13/2020 02:04:04
10/12/2020 16:07:21  10/13/2020 02:04:04  ldap/[hidden email]
        renew until 10/13/2020 02:04:04


config setting
/etc/squid/squid.conf
# Kerberos Auth
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k /etc/squid/squid.keytab -s HTTP/[hidden email]
auth_param negotiate children 20
auth_param negotiate keep_alive on
acl kerb-auth proxy_auth REQUIRED
http_access allow kerb-auth

---> I get a Windows security pop-up in IE.


error message
/var/log/squid/cache.log
2020/10/12 20:06:31 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information. Service key not available; }}


Create SPN from server
c0528004l(CentOS8.1)
# net ads keytab create -U [hidden email]
Warning: "kerberos method" must be set to a keytab method to use keytab functions.
Enter [hidden email]'s password:
ads_keytab_open: Invalid kerberos method set (0)

---> An error occurs and keytab cannot be created.


Please let me know if you have any other information you need.

Hi Eliezer,

docker is already installed.
We are considering a configuration of at least 6 servers.
Whether it will be 8 or 10 has not been verified.


thank you,
kitamura




Re: I want to know the concerns of load testing

kitamura
hi all,

Good news.
I was able to solve the problem yesterday.
I created a keytab for haproxy and added the following option to negotiate_kerberos_auth in squid.conf.

-s GSS_C_NO_NAME

(squid.conf)
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k /etc/krb5.keytab -s HTTP/[hidden email] -s GSS_C_NO_NAME

Kerberos authentication is also possible on the load balancer backend server.

Thank you,
kitamura
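
The failing setup in the 12 October post and the fix above both turn on which service principal the keytab actually contains: a helper started with "-s HTTP/<host>@REALM" needs exactly that entry, while "-s GSS_C_NO_NAME" lets it accept any principal present in the file. The script below is an added example, not code from Squid or from the posters; it parses an MIT-format keytab and reports which SPNs it holds. The hostnames, realm and key bytes are constructed sample values, and build_keytab exists only to fabricate that sample.

```python
"""Inspect an MIT-format keytab (file version 0x0502) and check which service
principal Squid's negotiate_kerberos_auth could find a key for.

Added example for this thread, not code from the Squid project. All hostnames,
the realm and the key bytes below are constructed sample values."""
import struct
import time

# Kerberos encryption type numbers (RFC 3962 / RFC 4757); only the common ones.
ENCTYPE_NAMES = {
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",  # what 'ktpass /crypto AES256-SHA1' produces
    23: "arcfour-hmac",
}

def _octets(data: bytes) -> bytes:
    """counted_octet_string: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(data)) + data

def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples as keytab bytes.

    Only used here to fabricate sample input; real keytabs come from ktpass,
    'net ads keytab create' or kadmin's ktadd."""
    out = bytearray(b"\x05\x02")  # file_format_version
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _octets(realm.encode())
        for comp in components:
            body += _octets(comp.encode())
        body += struct.pack(">II", 1, int(time.time()))  # KRB5_NT_PRINCIPAL, timestamp
        body += struct.pack(">B", kvno & 0xFF)             # 8-bit key version
        body += struct.pack(">H", enctype) + _octets(key)  # keyblock
        body += struct.pack(">I", kvno)                    # 32-bit key version
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def parse_keytab(data: bytes):
    """Yield one dict per live entry: principal, kvno and enctype name."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        end = pos + abs(size)
        if size <= 0:  # a negative size marks a deleted slot
            pos = end
            continue
        p = pos
        (ncomp,) = struct.unpack_from(">H", data, p); p += 2
        (rlen,) = struct.unpack_from(">H", data, p); p += 2
        realm = data[p:p + rlen].decode(); p += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, p); p += 2
            comps.append(data[p:p + clen].decode()); p += clen
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, p); p += 9
        (enctype,) = struct.unpack_from(">H", data, p); p += 2
        (klen,) = struct.unpack_from(">H", data, p); p += 2 + klen  # skip key bytes
        # A 32-bit kvno follows when at least 4 bytes of the entry remain.
        kvno = struct.unpack_from(">I", data, p)[0] if end - p >= 4 else vno8
        yield {"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
               "enctype": ENCTYPE_NAMES.get(enctype, str(enctype))}
        pos = end

def check_service_key(data: bytes, wanted_principal: str):
    """Return (has_wanted, principals): whether a helper started with
    '-s <wanted_principal>' can find its key, and the names a helper started
    with '-s GSS_C_NO_NAME' would accept (any principal in the file)."""
    principals = sorted({e["principal"] for e in parse_keytab(data)})
    return wanted_principal in principals, principals

# Constructed sample mirroring the thread: the keytab was generated for the
# load balancer's name while Squid was told to use the proxy's own SPN.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/haproxy.wintest.example.co.jp@WINTEST.EXAMPLE.CO.JP", 3, 18, b"\x11" * 32),
    ("HTTP/haproxy.wintest.example.co.jp@WINTEST.EXAMPLE.CO.JP", 3, 17, b"\x22" * 16),
])
PROXY_SPN = "HTTP/c0528004l.wintest.example.co.jp@WINTEST.EXAMPLE.CO.JP"

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print("%(principal)s  kvno=%(kvno)d  %(enctype)s" % entry)
    found, names = check_service_key(SAMPLE_KEYTAB, PROXY_SPN)
    print("key for %s present: %s" % (PROXY_SPN, found))   # False for this sample
    print("-s GSS_C_NO_NAME would accept: %s" % ", ".join(names))
```

Against a real file, feed the bytes of the keytab named by -k (for example /etc/krb5.keytab) to parse_keytab; a missing entry for the SPN passed with -s is the first thing to rule out when cache.log shows "Service key not available".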
