> Adrian Chadd wrote:
>> On Sat, Nov 03, 2007, Elvar wrote:
>>
>>> Hello all,
>>>
>>> I am currently running squid-2.6.14 on FreeBSD 6-STABLE and Squid is

Please upgrade to STABLE17. There is a security problem in earlier releases.

>>> configured to authenticate users to the Active Directory database via
>>> the NTLM plugin. The problem I'm having is that approximately every
>>> other day, or sometimes sooner or sometimes longer, users start getting a
>>> popup box asking for auth credentials. Normally this is not the case, as
>>> it's handled automatically in the background. I'm forced to restart the
>>> squid proxy server to resolve this. One thing I notice is that every
>>> time it happens the number of squid child processes is greater than the
>>> number listed in squid.conf. Currently I'm set at 'auth_param ntlm
>>> children 150'. I'm not sure what is causing this login popup box, but
>>> it's really upsetting my users and I need to figure out a solution. Has
>>> anyone else experienced this? Anyone have any suggestions?
>>>
>>
>> A couple of possibilities:
>>
>> * Samba can't keep up with your request rate
>> * Squid is blocking and missing out on processing the NTLM
>>   authentication results
>>
>> I suggest a few things:
>>
>> * How busy is the cache? Do you have graphs? If not, compile with snmp
>>   support and start graphing whatever you can
>>
>> * Look at your load and see if you're better off with aufs than ufs;
>>   aufs won't block (as much!) and should free Squid up to handle the
>>   helper replies quicker;
>>
>> * I've seen this happen at "back from lunch" enterprise situations where
>>   a few hundred people come back and fire up their browsers at the same
>>   time, overloading the NTLM authentication mechanism. Henrik's
>>   authentication IP caching patch (ntlm_ip_cache? I forget now) seems
>>   to do the trick, but it comes with certain use restrictions.
>>   This depends on how busy your caches are; see point 1.
>>
>>
>> Adrian
>>
>
> Well, I've set up squid-rrd now on two different boxes at two different
> locations to monitor performance and it doesn't appear that Squid is
> being overworked. Is there a way to possibly increase the TTL for
> queries against Active Directory? I've been battling with this problem
> for months now and cannot for the life of me figure out what's causing
> the problem.
>
>
> Thanks,
> Elvar
>
>>> squid.conf listed below
>>>
>>> Kind regards
>>> Elvar
>>>
>>> ################ Begin squid.conf ################
>>>
>>> acl localnet src 192.168.0.0/16
>>> http_port 192.168.0.1:3128
>>> hierarchy_stoplist cgi-bin ?
>>> acl QUERY urlpath_regex cgi-bin \?
>>> cache deny QUERY
>>> acl all src 0.0.0.0/0.0.0.0
>>> cache_dir ufs /usr/local/squid/cache 500 16 256
>>> access_log /usr/local/squid/logs/access.log squid
>>> #cache_log none
>>> cache_log /usr/local/squid/logs/cache.log
>>> cache_store_log none
>>> emulate_httpd_log off
>>> log_mime_hdrs on
>>> check_hostnames off
>>> auth_param ntlm keep_alive on
>>>
>>> auth_param ntlm program /usr/local/bin/ntlm_auth
>>> --helper-protocol=squid-2.5-ntlmssp
>>> --require-membership-of=S-1-5-21-2590255907-4225717938-1771017636-2445
>>> auth_param ntlm children 150
>>> #auth_param ntlm max_challenge_reuses 0
>>> #auth_param ntlm max_challenge_lifetime 5 minutes
>>>
>>> #auth_param basic program /usr/local/bin/ntlm_auth
>>> --helper-protocol=squid-2.5-ntlmssp
>>> #auth_param basic children 5
>>> #auth_param basic realm WT
>>> #auth_param basic credentialsttl 2 hours
>>>
>>> refresh_pattern ^ftp: 1440 20% 10080
>>> refresh_pattern ^gopher: 1440 0% 1440
>>> refresh_pattern . 0 20% 4320
>>>
>>> ### Needed for Windows Update to work ###
>>> acl windowsupdate dstdomain .windowsupdate.microsoft.com
>>> acl windowsupdate dstdomain .update.microsoft.com
>>> acl windowsupdate dstdomain .download.windowsupdate.com
>>> acl windowsupdate dstdomain .c.microsoft.com
>>> acl windowsupdate dstdomain .download.microsoft.com
>>> http_access allow windowsupdate localnet
>>> ##########################################
>>>
>>>
>>> acl manager proto cache_object
>>> acl localhost src 127.0.0.1/255.255.255.255
>>> acl to_localhost dst 127.0.0.0/8
>>> acl SSL_ports port 443 563
>>> acl Safe_ports port 80 # http
>>> acl CONNECT method CONNECT
>>> acl Safe_ports port 21 # ftp
>>> acl Safe_ports port 443 563 # https, snews
>>> acl Safe_ports port 70 # gopher
>>> acl Safe_ports port 210 # wais
>>> acl Safe_ports port 1025-65535 # unregistered ports
>>> acl Safe_ports port 280 # http-mgmt
>>> acl Safe_ports port 488 # gss-http
>>> acl Safe_ports port 591 # filemaker
>>> acl Safe_ports port 777 # multiling http
>>> acl AuthorizedUsers proxy_auth REQUIRED
>>>
>>> http_access allow manager localhost
>>> http_access deny manager
>>> http_access deny !Safe_ports
>>> http_access deny CONNECT !SSL_ports
>>> http_access allow all AuthorizedUsers

Ah, here is part of the problem. When using this 'all' hack to silence the
login box, 'all' needs to be at the very end of the line. Otherwise 'all'
has no meaning there.

http_access allow AuthorizedUsers all

>>> http_access deny all
>>>
>>> http_reply_access allow all
>>> icp_access allow all
>>>
>>> cache_effective_user squid
>>>
>>> visible_hostname example.com
>>>
>>> logfile_rotate 20
>>>
>>> coredump_dir /usr/local/squid/cache
>>>
>>> ######################### End squid.conf ########################
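The misplaced 'all' pointed out in the reply above is easy to introduce and easy to miss in a long squid.conf. The following is an added example, not part of this thread and not Squid's own code: a small stand-alone Python linter that parses the `acl` and `http_access` lines of a squid.conf (stripping inline `# ...` comments, as Squid does) and reports every `http_access` line on which `all` appears but is not the final ACL, plus any ACL name referenced before it is defined. Squid ANDs the ACLs on one `http_access` line from left to right, so an `all` followed by further ACLs contributes nothing to the match. The sample configuration embedded in the script is constructed for the example, modelled on the one quoted in the thread, and the function names are this example's own.

```python
"""Lint http_access lines in a squid.conf for a misplaced 'all' ACL.

On a line such as

    http_access allow all AuthorizedUsers

'all' matches every request and is then ANDed with the ACLs that follow it,
so it has no effect.  For the "all hack" (appending 'all' after a proxy_auth
ACL) to do anything, 'all' has to be the last ACL on the line:

    http_access allow AuthorizedUsers all

This is an added, stand-alone checker written for this page.  It is not part
of Squid and does not reproduce Squid's ACL engine; it only inspects the
configuration text.
"""

# Constructed sample, modelled on the configuration quoted in the thread
# (not a verbatim copy).  Line 13 carries the misordered 'all'.
SAMPLE_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl Safe_ports port 80          # http
acl CONNECT method CONNECT
acl SSL_ports port 443 563
acl AuthorizedUsers proxy_auth REQUIRED

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all AuthorizedUsers
http_access deny all
"""


def strip_comment(line):
    """Drop a trailing '# ...' comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def parse_conf(text):
    """Return (acls, rules) for a squid.conf body.

    acls  maps ACL name -> ACL type (e.g. 'proxy_auth', 'src').
    rules is a list of (line_no, action, [acl tokens]) for each
          http_access line; tokens keep a leading '!' so negation is visible.
    Only these two directives are parsed; everything else is ignored.
    """
    acls = {}
    rules = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = strip_comment(raw)
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 3:
            acls[parts[1]] = parts[2]
        elif parts[0] == "http_access" and len(parts) >= 2:
            rules.append((line_no, parts[1], parts[2:]))
    return acls, rules


def misplaced_all(rules):
    """Line numbers of http_access rules where 'all' is present but is not
    the last ACL on the line.  Because Squid ANDs a line's ACLs left to
    right, an 'all' with ACLs after it cannot change the outcome."""
    return [line_no for line_no, _action, tokens in rules
            if "all" in tokens and tokens[-1] != "all"]


def undefined_acls(acls, rules):
    """Sorted ACL names used on http_access lines with no 'acl' definition.
    Squid treats such a reference as a configuration error, so catching it
    here saves a failed restart."""
    missing = set()
    for _line_no, _action, tokens in rules:
        for tok in tokens:
            name = tok.lstrip("!")
            if name not in acls:
                missing.add(name)
    return sorted(missing)


def lint(text):
    """Run both checks over a squid.conf body and return the findings."""
    acls, rules = parse_conf(text)
    return {
        "misplaced_all": misplaced_all(rules),
        "undefined_acls": undefined_acls(acls, rules),
    }


if __name__ == "__main__":
    report = lint(SAMPLE_CONF)
    for line_no in report["misplaced_all"]:
        print(f"line {line_no}: 'all' is not the last ACL on this http_access line")
    for name in report["undefined_acls"]:
        print(f"ACL {name!r} is used on an http_access line but never defined")
```

Run against a real file with `lint(open("/usr/local/etc/squid/squid.conf").read())`; after swapping the flagged line for `http_access allow AuthorizedUsers all` the `misplaced_all` list comes back empty.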