Re: auth_param basic children




Andrew Struiksma wrote:
I have set up a reverse proxy which prompts for a password if the client is not on our LAN. I am not sure as to the proper setting of auth_param basic children. I set it to 2 since we will have around 75 users hitting the site from our LAN but probably fewer than 10 simultaneous users from the outside. I'm just not sure if I'm correctly understanding how often the helper is actually used by Squid.

Is auth_param basic children only important when a user is actually prompted for a password? Or, is the authentication used every time a client requests pages from Squid? Does it matter if the client is on our LAN or not?



When Squid needs to authenticate a user, their details are passed to the auth helper. It then waits (doing other stuff meanwhile) for the helper to send back its result.

There are two things which affect performance.

A) children - number of helpers squid can send data to.

B) helper concurrency - number of requests squid is allowed to queue up for a single helper.

Squid can only handle up to A x B requests which need authenticating at any given time. More requests than that will get an error message.

It's a trade-off for how fast your helper can work (i.e. how long things might wait in the queue) against how many helpers you can run in parallel before server CPU cut is noticeable.

NP: Some helpers though have a max concurrency of 1.

Amos

Thanks!

Andrew

---squid.conf---------------
http_port my_ip:80 defaultsite=webserver.company.com
https_port my_ip:443 cert=/etc/apache2/ssl/webserver.company.com.cert key=/etc/apache2/ssl/webserver.company.com.key defaultsite=webserver.company.com

#redirects all http traffic to https
acl port80 myport 80
deny_info https://webserver.company.com port80
http_access deny port80

#reverse proxy
cache_peer webserver.company.com parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=myAccel
acl our_sites dstdomain webserver.company.com
acl all src 0.0.0.0/0.0.0.0

auth_param basic program /usr/lib/squid/ldap_auth -R -b "dc=company,dc=com" -D "cn=squid_user,cn=Users,dc=company,dc=com" -w "password" -f sAMAccountName=%s -h 192.168.1.2
auth_param basic children 2
auth_param basic realm Our web site
auth_param basic credentialsttl 2 hours

#these networks can access webserver without authenticating
acl trusted_nets src 192.168.1.0/24

acl ldap_users proxy_auth REQUIRED

http_access allow trusted_nets our_sites
http_access allow ldap_users our_sites

cache_peer_access myAccel allow our_sites
cache_peer_access myAccel deny all

never_direct allow our_sites
----------------------



--
Please use Squid 2.7.STABLE4 or 3.0.STABLE9
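
Added example, not part of the original thread and not Squid's own code: a simplified model of the "A x B" limit described in the reply above, showing how many authentication requests are served, how many are refused, and the worst queue wait for a given children/concurrency pair. The 200 ms helper latency, the arrival patterns, least-loaded dispatch and one-answer-at-a-time helpers are assumptions made for illustration; real Squid scheduling may differ.

```python
def simulate(arrivals_ms, children, concurrency, service_ms):
    """Model the A x B limit: return (served, rejected, worst_wait_ms).

    arrivals_ms -- times at which a request needs the auth helper (constructed)
    children    -- A: number of helper processes
    concurrency -- B: requests allowed to be outstanding on one helper
    service_ms  -- assumed time a helper needs to answer one request
    """
    # helpers[h] = finish times of the requests still outstanding on helper h
    helpers = [[] for _ in range(children)]
    served = rejected = worst_wait = 0
    for t in sorted(arrivals_ms):
        # Forget requests that each helper has already answered by time t.
        for queue in helpers:
            queue[:] = [finish for finish in queue if finish > t]
        queue = min(helpers, key=len)        # least-loaded helper (assumption)
        if len(queue) >= concurrency:        # every one of the A x B slots is busy
            rejected += 1                    # the client gets an error
            continue
        start = queue[-1] if queue else t    # helper answers one request at a time
        queue.append(start + service_ms)
        worst_wait = max(worst_wait, start - t)
        served += 1
    return served, rejected, worst_wait


# Constructed sample load: 10 external users authenticating at once,
# and the same 10 users spread 100 ms apart.
BURST = [0] * 10
SPREAD = [i * 100 for i in range(10)]

if __name__ == "__main__":
    for label, load, a, b in [
        ("burst,  children=2  concurrency=1", BURST, 2, 1),
        ("burst,  children=2  concurrency=5", BURST, 2, 5),
        ("burst,  children=10 concurrency=1", BURST, 10, 1),
        ("spread, children=2  concurrency=1", SPREAD, 2, 1),
    ]:
        served, rejected, wait = simulate(load, a, b, service_ms=200)
        print(f"{label}: served={served} rejected={rejected} worst_wait={wait}ms")
```

The burst rows show the trade-off from the reply: raising concurrency avoids errors at the cost of queue wait, while raising children avoids both at the cost of more helper processes.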
