On Wed, 20 Apr 2005, Thien Vu wrote:
A portion are external_acl_type for ldap lookups for user groups.
Ok.
The ldap queries themselves are fairly quick, around 200 milliseconds for the initial lookup but then it should hit the authentication cache from then on.
Correct. Provided all the active entries fit in the cache.
The rest are url_regex which involve urls or ports (for the CONNECT) later defined in the http_access rules. So essentially we have a population of users and we want to restrict what they can access depending on what group they're in. Group membership is determined by ldap lookups.
Why url_regex?
For CONNECT there are exactly zero reasons to use url_regex.
In terms of CPU usage url_regex is several orders of magnitude heavier than the other acl types.
Never any problems with CPU usage, these are like dual p3 1.3 GHz, so it's more than enough muscle.
Squid only runs on one CPU. Which means that 50% CPU usage reported on your system is 100% CPU usage by Squid.
What authentication method scheme is used?
For the basic authentication, squid_ldap_auth. For external_acl_type, squid_ldap_group. We were having issues with too few helpers for the external_acl_type but that problem has been fixed by increasing children= to a reasonable number.
Ok. Basic is fine. Only wanted to verify that you were not using NTLM as this adds considerable latency due to the large number of roundtrips to the proxy required to finish the authentication.
Regards
Henrik
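
The point about CONNECT and url_regex, shown as an added squid.conf example that is not part of the original message: the same per-group policy written with `port` and `dstdomain` ACLs in place of regexes. Group names, domains, the helper path and the LDAP arguments are constructed placeholders.

```conf
# Constructed squid.conf fragment. Group name, domains, helper path and
# LDAP arguments are placeholders, not values from the thread.

# Group lookup through the external ACL helper. Results are cached for
# ttl seconds; children= sets how many helper processes are started.
external_acl_type ldap_group ttl=300 children=10 %LOGIN /usr/lib/squid/squid_ldap_group -b "dc=example,dc=com" -f "(&(cn=%g)(memberUid=%u))" -h ldap.example.com

acl finance external ldap_group finance
acl CONNECT method CONNECT

# Before: regex matching. For CONNECT the "URL" is only host:port,
# so the regex can do nothing that port and dstdomain cannot.
# acl finance_ssl url_regex -i ^bank\.example\.com:443$
# acl finance_web url_regex -i ^http://intranet\.example\.com/

# After: cheaper ACL types expressing the same policy.
acl ssl_ports port 443
acl finance_ssl_dst dstdomain bank.example.com
acl finance_web_dst dstdomain intranet.example.com

# Fast ACLs come first on each line, so the group helper (and the LDAP
# lookup behind it) is consulted only for requests that already match
# the destination.
http_access deny CONNECT !ssl_ports
http_access allow CONNECT finance_ssl_dst finance
http_access allow finance_web_dst finance
http_access deny all
```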