On Sat, Nov 03, 2007, Elvar wrote:
> Hello all,
>
> I am currently running squid-2.6.14 on FreeBSD 6-STABLE and Squid is
> configured to authenticate users to the Active Directory database via
> the NTLM plugin. The problem I'm having is that approximately every
> other day or sometimes sooner or sometimes longer, users start getting a
> popup box asking for auth credentials. Normally this is not the case as
> it's handled automatically in the background. I'm forced to restart the
> squid proxy server to resolve this. One thing I notice is that every
> time it happens the number of squid child processes is greater than the
> number listed in squid.conf. Currently I'm set at 'auth_param ntlm
> children 150'. I'm not sure what is causing this login popup box but
> it's really upsetting my users and I need to figure out a solution. Has
> anyone else experienced this? Anyone have any suggestions?

A couple of possibilities:

* Samba can't keep up with your request rate
* Squid is blocking and missing out on processing the NTLM authentication results

I suggest a few things:

* How busy is the cache? Do you have graphs? If not, compile with snmp support and start graphing whatever you can
* Look at your load and see if you're better off with aufs than ufs; aufs won't block (as much!) and should free Squid up to handle the helper replies quicker
* I've seen this happen in "back from lunch" enterprise situations where a few hundred people come back and fire up their browsers at the same time, overloading the NTLM authentication mechanism. Henrik's authentication IP caching patch (ntlm_ip_cache? I forget now) seems to do the trick but it comes with certain use restrictions. This depends on how busy your caches are; see point 1.

Adrian

> squid.conf listed below
>
> Kind regards
> Elvar
>
> ################ Begin squid.conf ################
>
> acl localnet src 192.168.0.0/16
> http_port 192.168.0.1:3128
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> acl all src 0.0.0.0/0.0.0.0
> cache_dir ufs /usr/local/squid/cache 500 16 256
> access_log /usr/local/squid/logs/access.log squid
> #cache_log none
> cache_log /usr/local/squid/logs/cache.log
> cache_store_log none
> emulate_httpd_log off
> log_mime_hdrs on
> check_hostnames off
> auth_param ntlm keep_alive on
>
> auth_param ntlm program /usr/local/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp
> --require-membership-of=S-1-5-21-2590255907-4225717938-1771017636-2445
> auth_param ntlm children 150
> #auth_param ntlm max_challenge_reuses 0
> #auth_param ntlm max_challenge_lifetime 5 minutes
>
> #auth_param basic program /usr/local/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp
> #auth_param basic children 5
> #auth_param basic realm WT
> #auth_param basic credentialsttl 2 hours
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
>
> ### Needed for Windows Update to work ###
> acl windowsupdate dstdomain .windowsupdate.microsoft.com
> acl windowsupdate dstdomain .update.microsoft.com
> acl windowsupdate dstdomain .download.windowsupdate.com
> acl windowsupdate dstdomain .c.microsoft.com
> acl windowsupdate dstdomain .download.microsoft.com
> http_access allow windowsupdate localnet
> ##########################################
>
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80 # http
> acl CONNECT method CONNECT
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl AuthorizedUsers proxy_auth REQUIRED
>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow all AuthorizedUsers
> http_access deny all
>
> http_reply_access allow all
> icp_access allow all
>
> cache_effective_user squid
>
> visible_hostname example.com
>
> logfile_rotate 20
>
> coredump_dir /usr/local/squid/cache
>
> ######################### End squid.conf ########################

--
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -
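The check that both posters are circling (how many ntlm_auth helpers are actually running versus the `auth_param ntlm children` value in squid.conf, and whether the cache_dir is the blocking ufs type) is easy to script so it can be run from cron or fed into a graph before users start seeing credential popups. The following is an added example written for this page, not code from the thread or from the Squid project; the squid.conf excerpt is modelled on the one Elvar posted, the `ps` output is a constructed hypothetical process table, and the 90% "near saturation" threshold is an arbitrary assumption to tune for your own site.

```python
import re
from typing import Dict, List, Optional

# Constructed squid.conf excerpt, modelled on the configuration posted in the
# thread. Commented-out directives are kept so the parser has to skip them.
SAMPLE_SQUID_CONF = """\
cache_dir ufs /usr/local/squid/cache 500 16 256
auth_param ntlm keep_alive on
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 150
#auth_param ntlm max_challenge_reuses 0
#auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
#auth_param basic children 5
"""

# Constructed, hypothetical `ps` output: 163 NTLM helpers plus one unrelated
# basic-auth helper that must NOT be counted. On a real box you would feed in
# the output of `ps axww` instead.
SAMPLE_PS = "\n".join(
    ["  PID COMMAND", " 1001 squid -N"]
    + [f" {2000 + i} /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
       for i in range(163)]
    + [" 3000 /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic"]
)


def configured_helpers(conf_text: str, scheme: str = "ntlm") -> Optional[int]:
    """Return the N from an active `auth_param <scheme> children N` line.

    Lines starting with '#' do not match because the pattern only allows
    whitespace before the directive. Returns None if the directive is absent.
    """
    pat = re.compile(rf"^\s*auth_param\s+{re.escape(scheme)}\s+children\s+(\d+)", re.M)
    m = pat.search(conf_text)
    return int(m.group(1)) if m else None


def running_helpers(ps_text: str, protocol: str = "squid-2.5-ntlmssp") -> int:
    """Count ntlm_auth processes speaking the given Squid helper protocol."""
    needle = f"--helper-protocol={protocol}"
    return sum(1 for line in ps_text.splitlines()
               if "ntlm_auth" in line and needle in line)


def cache_dir_types(conf_text: str) -> List[str]:
    """Return the storage type of every active cache_dir line (e.g. ufs, aufs)."""
    return re.findall(r"^\s*cache_dir\s+(\S+)", conf_text, re.M)


def assess(conf_text: str, ps_text: str) -> Dict[str, object]:
    """Compare the helper pool against what is running and flag the conditions
    raised in the thread: more helpers than configured, a nearly exhausted
    pool, and a blocking ufs cache_dir."""
    cfg = configured_helpers(conf_text)
    run = running_helpers(ps_text)
    findings: List[str] = []
    if cfg is None:
        findings.append("no active 'auth_param ntlm children' directive found")
    elif run > cfg:
        findings.append(
            f"{run} NTLM helpers running but only {cfg} configured: "
            "helper pool exceeded, the symptom reported in the thread")
    elif run >= 0.9 * cfg:  # assumed threshold; tune for your site
        findings.append(f"{run}/{cfg} NTLM helpers in use: pool is near saturation")
    if "ufs" in cache_dir_types(conf_text):
        findings.append("cache_dir uses ufs (blocking); aufs would let Squid "
                        "service helper replies more promptly")
    return {"configured": cfg, "running": run, "findings": findings}


if __name__ == "__main__":
    for line in assess(SAMPLE_SQUID_CONF, SAMPLE_PS)["findings"]:
        print("WARNING:", line)
```

Run it periodically (or replace the constructed `SAMPLE_PS` with `subprocess.check_output(["ps", "axww"], text=True)`) and log the `running` value alongside the SNMP graphs Adrian recommends; a helper count that climbs past the configured pool just before the popups appear is the correlation you want to see before reaching for the IP-caching patch.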