WARNING: All 20/20 negotiateauthenticator processes are busy.

erdosain9
Hi.
I'm having this problem.

may 11 11:26:23 squid.xxxx.lan squid[32138]: WARNING: All 30/30 negotiateauthenticator processes are busy.
may 11 11:26:23 squid.xxxx.lan squid[32138]: WARNING: 30 pending requests queued
may 11 11:26:23 squid.xxxx.lan squid[32138]: WARNING: Consider increasing the number of negotiateauthenticator processes in your config file.


This is my config file

###Kerberos Auth with ActiveDirectory###
auth_param negotiate program /lib64/squid/negotiate_kerberos_auth -s HTTP/squid.xxxxx.lan@XXXXXX.LAN
auth_param negotiate children 30
auth_param negotiate keep_alive on


Can somebody explain this to me?
Of course, I can "increase the number of negotiateauthenticator", but I want to understand (maybe there's a better way)

I see some examples like this
        auth_param digest children 20 startup=0 idle=1

What about that? startup? idle? Is that a better way? Or does this have nothing to do with it?

Thanks to all!
(I don't speak English)

Re: WARNING: All 20/20 negotiateauthenticator processes are busy.

dijxie
On 11.05.2017 at 17:27, erdosain9 wrote:

> Hi.
> I'm having this problem.
>
> may 11 11:26:23 squid.xxxx.lan squid[32138]: WARNING: All 30/30
> negotiateauthenticator processes are busy.
> may 11 11:26:23 squid.xxxx.lan squid[32138]: WARNING: 30 pending requests
> queued
> may 11 11:26:23 squid.xxxx.lan squid[32138]: WARNING: Consider increasing
> the number of negotiateauthenticator processes in your config file.
>
>
> This is my config file
>
> ###Kerberos Auth with ActiveDirectory###
> auth_param negotiate program /lib64/squid/negotiate_kerberos_auth -s
> HTTP/[hidden email]
> auth_param negotiate children 30
> auth_param negotiate keep_alive on
>
>
> Can somebody explain this to me?
> Of course, I can "increase the number of negotiateauthenticator", but I
> want to understand (maybe there's a better way)
>
> I see some examples like this
> auth_param digest children 20 startup=0 idle=1
>
> What about that? startup? idle? Is that a better way? Or does this have
> nothing to do with it?
>
> Thanks to all!
> (I don't speak English)

Hi.
Here is documentation: http://www.squid-cache.org/Doc/config/auth_param/
Startup is the number of auth helpers launched when squid is starting. Idle
is the number of processes that squid will keep alive even if there are no
cache users. You may increase children calculating available RAM, but
leave startup and idle values low. Squid will launch helpers when
needed, and next will gracefully close them if not used until "idle"
value reached; that 'recycle' process is good for helpers.  Just make
sure that your available RAM is enough for all negotiate helpers squid
may launch (children number), that considers system daemons, memory
cache etc.

Kerberos and negotiate authenticators are not capable of doing
concurrent authentications, as well as ntlm authenticator (at least in
squid-2.5-ntlmssp mode); one worker can serve one request at a time.
So, that warning is saying that your cache server has more users - or
rather users are making more concurrent connections at the same time
than auth helpers can handle. Or, there is something wrong with one or
more helpers; use cachemgr.cgi or squid-client to verify.
http://wiki.squid-cache.org/Features/CacheManager
http://wiki.squid-cache.org/SquidClientTool - squidclient mgr:menu will
give you available commands, grep output by "auth", AFAIR it's
mgr:negotiate_authenticator
If the number of connections awaiting authentication is greater than
children number, the queue begins. The queue is something unwanted;
makes users wait for page to load. Also, at the end, squid will restart
if queue situation turns out to be chronic.
Also, you may try setting keep_alive to off - this option sometimes tends to
hang negotiate helper.

Could you satisfy my curiosity by telling me how many users there are
in your environment?



--
Greetings, Dijx

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
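
Added example (not part of the thread, and not Squid's own code): a small parser for the syslog warnings quoted in the first post. It reports, per helper type, how often all children were busy, the peak queue depth, and whether saturation recurs across several minutes, which is the chronic queueing the reply above warns about. The sample lines are constructed in the format shown in the thread; the function names and the two-minute threshold are assumptions.

```python
import re

# Constructed sample in the syslog format quoted in the thread
# (hostname, PID and the second burst are made up for this example).
SAMPLE_LOG = """\
may 11 11:26:23 squid.example.lan squid[32138]: WARNING: All 30/30 negotiateauthenticator processes are busy.
may 11 11:26:23 squid.example.lan squid[32138]: WARNING: 30 pending requests queued
may 11 11:26:23 squid.example.lan squid[32138]: WARNING: Consider increasing the number of negotiateauthenticator processes in your config file.
may 11 11:31:02 squid.example.lan squid[32138]: WARNING: All 30/30 negotiateauthenticator processes are busy.
may 11 11:31:02 squid.example.lan squid[32138]: WARNING: 12 pending requests queued
"""

BUSY_RE = re.compile(r"squid\[(\d+)\]: WARNING: All (\d+)/(\d+) (\S+) processes are busy")
PENDING_RE = re.compile(r"squid\[(\d+)\]: WARNING: (\d+) pending requests queued")


def summarize(log_text):
    """Return {helper: stats} for every helper type that reported saturation."""
    stats = {}
    last_helper = {}  # squid PID -> helper named by its most recent "busy" warning
    for line in log_text.splitlines():
        # "may 11 11:26:23 ..." -> "may 11 11:26", used as a per-minute bucket
        minute = " ".join(line.split()[:3])[:-3]
        busy = BUSY_RE.search(line)
        if busy:
            pid, _busy, limit, helper = busy.groups()
            entry = stats.setdefault(
                helper, {"events": 0, "limit": 0, "peak_pending": 0, "minutes": set()})
            entry["events"] += 1
            # Second number of the N/M pair; it matches "children 30" in the thread.
            entry["limit"] = max(entry["limit"], int(limit))
            entry["minutes"].add(minute)
            last_helper[pid] = helper
            continue
        pending = PENDING_RE.search(line)
        # The queue line does not name the helper, so attribute it to the
        # helper from the preceding "busy" warning of the same squid process.
        if pending and pending.group(1) in last_helper:
            entry = stats[last_helper[pending.group(1)]]
            entry["peak_pending"] = max(entry["peak_pending"], int(pending.group(2)))
    return stats


def chronic(stats, min_minutes=2):
    """Helpers saturated in at least min_minutes distinct minutes (threshold is an assumption)."""
    return sorted(h for h, s in stats.items() if len(s["minutes"]) >= min_minutes)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for helper, s in summary.items():
        print(f"{helper}: {s['events']} saturation events, limit {s['limit']}, "
              f"peak queue {s['peak_pending']}, minutes affected {len(s['minutes'])}")
    print("chronic:", chronic(summary))
```
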

Re: WARNING: All 20/20 negotiateauthenticator processes are busy.

erdosain9
Hi.
Thanks!

We have 100 users........... What would you think is a good "auth_param negotiate children"??

I can't run squidclient

[root@squid ~]# squidclient mgr:negotiate_authenticator
ERROR: Cannot connect to [::1]:3128
[root@squid ~]# squidclient -vv mgr:negotiate_authenticator
verbosity level set to 2
Request:
GET cache_object://localhost/negotiate_authenticator HTTP/1.0
Host: localhost
User-Agent: squidclient/3.5.20
Accept: */*
Connection: close


.
Transport detected: IPv4-mapped  and IPv6
Resolving localhost ...
Connecting... localhost ([::1]:3128)
ERROR: Cannot connect to [::1]:3128


CONFIG
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager


So??
Thanks!

Re: WARNING: All 20/20 negotiateauthenticator processes are busy.

dijxie
On 12.05.2017 at 17:30, erdosain9 wrote:
> Hi.
> Thanks!
>
> We have 100 users........... What would you think is a good "auth_param
> negotiate children"??

The one that does not give you a warning. One of my squids has 12 users
who can kill 18 helpers and generate 1.2GB log within one day; it all
depends on many, many things.

> I can't run squidclient
>
> [root@squid ~]# squidclient mgr:negotiate_authenticator
> ERROR: Cannot connect to [::1]:3128
> [root@squid ~]# squidclient -vv mgr:negotiate_authenticator
> verbosity level set to 2
> Request:
> GET cache_object://localhost/negotiate_authenticator HTTP/1.0
> Host: localhost
> User-Agent: squidclient/3.5.20
> Accept: */*
> Connection: close
>
>
> .
> Transport detected: IPv4-mapped  and IPv6
> Resolving localhost ...
> Connecting... localhost ([::1]:3128)
> ERROR: Cannot connect to [::1]:3128
>
>
> CONFIG
> # Only allow cachemgr access from localhost
> http_access allow localhost manager
> http_access deny manager
>
>
> So??
> Thanks!

My guess is that your config file was only a sample, so:
- Is your squid listening on 3128 TCP? If not, pass -p <port> to squidclient.
- Is there a possibility that cachemgr access is disallowed by some other acl, placed above "http_access allow localhost manager" in config file?


--
Greets, Dijx


Re: WARNING: All 20/20 negotiateauthenticator processes are busy.

erdosain9
Hi.
This is my config file


####IP GROUPS
acl sin_autenticacion src "/etc/squid/listas/sin_autenticacion.lst"
acl red6 src 192.168.6.0/24

###Kerberos Auth with ActiveDirectory###
auth_param negotiate program /lib64/squid/negotiate_kerberos_auth -s HTTP/squid.xxxxxxx.lan@xxxxxxx.LAN
auth_param negotiate children 35 startup=0 idle=1
auth_param negotiate keep_alive off


external_acl_type i-full %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g i-full@xxxxxxx.LAN
external_acl_type i-limitado %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g i-limitado@xxxxxxx.LAN
external_acl_type i-sinlimite %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g i-sinlimite@xxxxxxx.LAN


#GROUPS
acl i-full external i-full
acl i-limitado external i-limitado
acl i-sinlimite external i-sinlimite

####Block advertising ( http://pgl.yoyo.org/adservers/ )
acl ads dstdom_regex "/etc/squid/listas/ad_block.lst"
http_access deny ads


####Streaming
acl youtube url_regex -i \.flv$
acl youtube url_regex -i \.mp4$
acl youtube url_regex -i watch?
acl youtube url_regex -i youtube
acl facebook url_regex -i facebook
acl facebook url_regex -i fbcdn\.net\/v\/(.*\.mp4)\?
acl facebook url_regex -i fbcdn\.net\/v\/(.*\.jpg)\?
acl facebook url_regex -i akamaihd\.net\/v\/(.*\.mp4)\?
acl facebook url_regex -i akamaihd\.net\/v\/(.*\.jpg)\?

##Denied domains
acl dominios_denegados dstdomain "/etc/squid/listas/dominios_denegados.lst"

##Blocked extensions
acl multimedia urlpath_regex "/etc/squid/listas/multimedia.lst"

##Dangerous extensions
acl peligrosos urlpath_regex "/etc/squid/listas/peligrosos.lst"


#Ports
acl SSL_ports port 443
acl SSL_ports port 8443
acl SSL_ports port 8080
acl SSL_ports port 20000
acl SSL_ports port 10000
acl SSL_ports port 2083

acl Safe_ports port 631         # httpCUPS
acl Safe_ports port 85
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 8443        # httpsalt
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 8080        # edesur and others
acl Safe_ports port 2199 # radio
acl CONNECT method CONNECT


#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localhost
http_access allow i-sinlimite
http_access allow sin_autenticacion
http_access allow i-limitado #!dominios_denegados
http_access allow i-full #!dominios_denegados

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 192.168.1.215:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=5MB cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/myca.pem

acl step1 at_step SslBump1

acl excludeSSL ssl::server_name_regex "/etc/squid/listas/excluidosSSL.lst"

ssl_bump peek step1
ssl_bump splice excludeSSL
ssl_bump bump all


# Uncomment and adjust the following to add a disk cache directory.
cache_dir diskd /var/spool/squid 15000 16 256
cache_mem 256 MB

cache_swap_low 90
cache_swap_high 95

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid


#Your refresh_pattern
refresh_pattern -i \.jpg$ 30 0% 30 ignore-no-cache ignore-no-store ignore-private

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

###ENABLE IN CASE OF "Connection reset by peer" ON MANY HOSTS
via off
forwarded_for delete
###

#Pools for bandwidth
delay_pools 5

#Youtube bandwidth
delay_class 1 2
delay_parameters 1 1000000/1000000 50000/512000
delay_access 1 allow i-limitado youtube !facebook
delay_access 1 deny all

#Facebook bandwidth
delay_class 2 2
delay_parameters 2 1000000/1000000 50000/512000
delay_access 2 allow i-limitado facebook !youtube
delay_access 2 deny all

#YOUTUBE FULL bandwidth
delay_class 3 1
delay_parameters 3 1000000/1000000
delay_access 3 allow i-full youtube !facebook
delay_access 3 deny all

#LIMITED bandwidth
delay_class 4 3
delay_parameters 4 3000000/3000000 1000000/1000000 256000/512000
delay_access 4 allow i-limitado !youtube !facebook
delay_access 4 deny all

#FULL bandwidth
delay_class 5 3
delay_parameters 5 1500000/1500000 750000/750000 256000/512000
delay_access 5 allow i-full !youtube !facebook
delay_access 5 deny all

dns_nameservers 192.168.1.200 8.8.8.8
#dns_nameservers 8.8.8.8 8.8.4.4
visible_hostname squid.xxxxxxx.lan

# try connecting to first 25 ips of a domain name
forward_max_tries 25

# fix some ipv6 errors (recommended to comment out)
dns_v4_first on

# c-icap integration
# -------------------------------------
# Adaptation parameters
# -------------------------------------
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service service_avi_req reqmod_precache icap://127.0.0.1:1344/squidclamav bypass=on
adaptation_access service_avi_req allow all
icap_service service_avi_resp respmod_precache icap://127.0.0.1:1344/squidclamav bypass=off
adaptation_access service_avi_resp allow all
# end integration

Re: WARNING: All 20/20 negotiateauthenticator processes are busy.

dijxie
On 2017-05-15 20:53, erdosain9 wrote:
> http_port 192.168.1.215:3128

Hi,

My guess is since you've declared it this way (I never did), you should
try consequently:
squidclient -h 192.168.1.215 -p 3128 mgr:negotiateauthenticator
-h stands for host; running squidclient without this parameter makes it
use loopback (127.0.0.1) I think. Since you've declared "http_port
192.168.1.215:3128", you've bound squid to this IP address only and my
guess is that you're not allowed to use loopback
http://www.squid-cache.org/Doc/config/http_port/

But there is a directive then in your conf:
http_access allow localhost manager
http_access deny manager
you may not be able to connect to manager using 192.168.1.215 either,
since it is not localhost - but I'm not sure.  If so, my way is:

acl MGR-ALLOWED src "/etc/squid/mgr-allowed.hosts"
http_access allow MGR-ALLOWED manager
and put 192.168.1.215 or/and any other host allowed to use cachemgr to
/etc/squid/mgr-allowed.hosts file

Good luck this time.

--
Greets, Dijx

Re: WARNING: All 20/20 negotiateauthenticator processes are busy.

Eliezer Croitoru
In reply to this post by erdosain9
To allow access to the squid manager info pages just add:
http_port 127.0.0.1:3128

And then you can use squidclient to get some info and statistics on your squid using the manager interface.
I can recommend using the following instead of squidclient:
curl http://127.0.0.1:3128/squid-internal-mgr/menu
curl http://127.0.0.1:3128/squid-internal-mgr/info

All The Bests,
Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]




Re: WARNING: All 20/20 negotiateauthenticator processes are busy.

Amos Jeffries
Administrator
In reply to this post by dijxie
On 16/05/17 12:54, Dijxie wrote:

> On 2017-05-15 20:53, erdosain9 wrote:
>> http_port 192.168.1.215:3128
>
> Hi,
>
> My guess is since you've declared it this way (I never did), you
> should try consequently:
> squidclient -h 192.168.1.215 -p 3128 mgr:negotiateauthenticator
> -h stands for host; running squidclient without this parameter makes
> it use loopback (127.0.0.1) I think. Since you've declared "http_port
> 192.168.1.215:3128", you've bound squid to this IP address only and my
> guess is that you're not allowed to use loopback
> http://www.squid-cache.org/Doc/config/http_port/
>
> But there is a directive then in your conf:
> http_access allow localhost manager
> http_access deny manager
> you may not be able to connect to manager using 192.168.1.215 either,
> since it is not localhost - but I'm not sure.


For the record the above is completely correct on all points.

Thanks Dijxie :-)

Amos

Re: WARNING: All 20/20 negotiateauthenticator processes are busy.

erdosain9
Thanks, now I have "access denied".......why???

[root@squid ~]# squidclient -vv -h 192.168.1.215 mgr:info
verbosity level set to 2
Request:
GET cache_object://192.168.1.215/info HTTP/1.0
Host: 192.168.1.215
User-Agent: squidclient/3.5.20
Accept: */*
Connection: close


.
Transport detected: IPv4-mapped  and IPv6
Resolving 192.168.1.215 ...
Connecting... 192.168.1.215 (192.168.1.215:3128)
Connected to: 192.168.1.215 (192.168.1.215:3128)
Sending HTTP request ...
done.
HTTP/1.1 403 Forbidden
Server: squid/3.5.20
Mime-Version: 1.0
Date: Wed, 17 May 2017 19:14:41 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3567
X-Squid-Error: ERR_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from squid.xxxxxxx.lan
X-Cache-Lookup: NONE from squid.xxxxxxx.lan:3128
Connection: close


Re: WARNING: All 20/20 negotiateauthenticator processes are busy.

erdosain9
And if I do this

http_port 127.0.0.1:3128

Then I get this

[root@squid ~]# squidclient -vv mgr:menu
verbosity level set to 2
Request:
GET cache_object://localhost/menu HTTP/1.0
Host: localhost
User-Agent: squidclient/3.5.20
Accept: */*
Connection: close


.
Transport detected: IPv4-mapped  and IPv6
Resolving localhost ...
Connecting... localhost ([::1]:3128)
ERROR: Cannot connect to [::1]:3128

Re: WARNING: All 20/20 negotiateauthenticator processes are busy.

erdosain9
Sorry, now squidclient is working! It was the IPv6.
Thanks!

Re: WARNING: All 20/20 negotiateauthenticator processes are busy.

Antony Stone
In reply to this post by erdosain9
On Wednesday 17 May 2017 at 20:41:06, erdosain9 wrote:

> And if I do this
>
> http_port 127.0.0.1:3128
>
> Then I get this
>
> [root@squid ~]# squidclient -vv mgr:menu
> verbosity level set to 2
> Request:
> GET cache_object://localhost/menu HTTP/1.0
> Host: localhost
> User-Agent: squidclient/3.5.20
> Accept: */*
> Connection: close
> .
> Transport detected: IPv4-mapped  and IPv6
> Resolving localhost ...
> Connecting... localhost ([::1]:3128)
> ERROR: Cannot connect to [::1]:3128

Okay, so what happens if you do a consistent test instead:

        http_port 127.0.0.1:3128
and
        GET cache_object://127.0.0.1/menu HTTP/1.0


The fact that your machine is resolving "localhost" to the IPv6 address in
favour of the IPv4 address you specified in the Squid configuration means that
you're not testing what you configured - not helpful...


Antony.

--
I conclude that there are two ways of constructing a software design: One way
is to make it so simple that there are _obviously_ no deficiencies, and the
other way is to make it so complicated that there are no _obvious_
deficiencies.

 - C A R Hoare

                                                   Please reply to the list;
                                                         please *don't* CC me.
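
Added example (not code from the thread or from Squid): a simplified model of the two checks a cache manager request has to pass, a listening http_port for the address the client actually connects to, then first-match http_access evaluation. It replays the squidclient attempts from the posts above. Assumptions: the client runs on the proxy host, so its source address equals the destination address; only the built-in localhost, manager and all ACLs plus inline src ACLs are modelled; and the inline MGR-ALLOWED line stands in for the file-backed list suggested earlier in the thread.

```python
import ipaddress

# Squid's built-in "localhost" ACL matches loopback source addresses only.
LOOPBACK = [ipaddress.ip_network("127.0.0.1/32"), ipaddress.ip_network("::1/128")]


def directives(conf, name):
    """Yield the argument list of every `name` line, ignoring comments."""
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) > 1 and parts[0] == name:
            yield parts[1:]


def listeners(conf):
    """(address, port) per http_port line; address None means all addresses."""
    found = []
    for args in directives(conf, "http_port"):
        host, _, port = args[0].rpartition(":")
        addr = ipaddress.ip_address(host.strip("[]")) if host else None
        found.append((addr, int(port)))
    return found


def manager_verdict(conf, src):
    """First-match http_access result for a cache manager request from src."""
    src_acls = {"localhost": LOOPBACK}
    for args in directives(conf, "acl"):
        if len(args) < 3 or args[1] != "src":
            continue
        try:
            nets = [ipaddress.ip_network(v, strict=False) for v in args[2:]]
        except ValueError:          # file-backed list, e.g. "/etc/squid/x.lst"
            continue
        src_acls.setdefault(args[0], []).extend(nets)

    def matches(term):
        name = term.lstrip("!")
        if name in ("all", "manager"):   # the request modelled here is a manager request
            hit = True
        elif name in src_acls:
            hit = any(src in net for net in src_acls[name])
        else:
            return None                  # ACL type outside this model
        return hit != term.startswith("!")

    last = "allow"                       # so an empty rule list ends in deny
    for action, *terms in directives(conf, "http_access"):
        results = [matches(t) for t in terms]
        if None in results:
            continue                     # assumption: unmodelled rules are skipped
        last = action
        if all(results):
            return action
    # No rule matched: Squid applies the opposite of the last rule.
    return "deny" if last == "allow" else "allow"


def diagnose(conf, dest, port=3128):
    """Outcome of a manager request sent from the proxy host itself to dest:port."""
    dest = ipaddress.ip_address(dest)
    if not any(p == port and a in (None, dest) for a, p in listeners(conf)):
        return "cannot connect"
    # Assumption: local client, so the kernel uses dest as the source address.
    verdict = manager_verdict(conf, src=dest)
    return "200 allowed" if verdict == "allow" else "403 denied"


# Constructed from directives quoted in the thread.
BOUND_TO_LAN = """\
http_access allow localhost manager
http_access deny manager
http_access deny all
http_port 192.168.1.215:3128
"""
PLUS_LOOPBACK = BOUND_TO_LAN + "http_port 127.0.0.1:3128\n"
# Inline stand-in for the file-backed MGR-ALLOWED list suggested in the thread.
PLUS_MGR_ACL = ("acl MGR-ALLOWED src 192.168.1.215\n"
                "http_access allow MGR-ALLOWED manager\n" + BOUND_TO_LAN)

if __name__ == "__main__":
    for label, conf, dest in [
        ("LAN-only port, localhost -> ::1", BOUND_TO_LAN, "::1"),
        ("LAN-only port, -h 192.168.1.215", BOUND_TO_LAN, "192.168.1.215"),
        ("loopback port added, localhost -> ::1", PLUS_LOOPBACK, "::1"),
        ("loopback port added, 127.0.0.1", PLUS_LOOPBACK, "127.0.0.1"),
        ("MGR-ALLOWED added, -h 192.168.1.215", PLUS_MGR_ACL, "192.168.1.215"),
    ]:
        print(f"{label}: {diagnose(conf, dest)}")
```
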