Re: Proxy server: Squid + dansguardian (slow when use NTLM)


 



On 23/03/2011 15:04, Stainforth, Matthew (SD/DS) wrote:
We are using the same versions as above. I use /usr/bin/ntlm_auth that is provided by the samba3x-winbind package rather than /usr/lib64/squid/ntlm_auth provided by the squid package.

Matt

I've been looking at my access.log and I've noticed that for each HTTP request, squid registers 2 TCP_DENIED:

1300954766.574 4 10.31.32.85 TCP_DENIED/407 1765 GET http://www.test.com/testSimple? - NONE/- text/html
1300954766.588 6 10.31.32.85 TCP_DENIED/407 1939 GET http://www.test.com/testSimple? - NONE/- text/html
1300954768.996 2408 10.31.32.85 TCP_MISS/200 6410 GET http://www.test.com/testSimple? lusername DIRECT/91.216.63.240 application/x-javascript

But I've read that this is normal behavior due to the NTLM design... so I discard this as the cause of my problem.

Now, with a standard installation of RHEL 5.6 + squid + samba3x, and with only the setup necessary to enable NTLM auth (I'm not using dansguardian yet), a client needs:

http://www.google.com: 5-7 seconds
http://www.marca.com: 25-30 seconds.

(and with many TCP_HIT/200, so squid is using cached content)

If I use basic auth, the load is almost instantaneous.


I have only added this to my squid.conf:
------------------------------------------------------
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 50
auth_param ntlm keep_alive on

acl mylan src 192.168.1.0/24

acl ntlm proxy_auth REQUIRED
http_access allow mylan ntlm

And before that, I used this command to set up samba and winbind:
--------------------------------------------------------------------------------------

authconfig --enableshadow --enablemd5 --passalgo=md5 --krb5kdc=dc.domain \
--krb5realm=domain --smbservers=dc.domain --smbworkgroup=domain \
--enablewinbind --enablewinbindauth --smbsecurity=ads --smbrealm=domain \
--smbidmapuid="16777216-33554431" --smbidmapgid="16777216-33554431" --winbindseparator="+" \
--winbindtemplateshell="/bin/false" --enablewinbindusedefaultdomain --disablewinbindoffline \
--winbindjoin=Administrator --disablewins --disablecache --enablelocauthorize --updateall


Any idea?

Regards,
F.J

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list


