jason lawrence wrote:
Hi all,
We are looking to replace our proxy infrastructure
with squid, but I am concerned about the performance of squid using the
ntlm_auth samba handler (specifically using negotiate). We are almost
ready to do some Loadrunner stress tests, but I wanted to see if anyone
had some base statistics out there?
The ntlm helpers have issues with concurrency, so the number needed
scales up badly with higher loads. Though with auth_param credentialsttl
settings it can be raised somewhat.
I saw that squid uses authenticate_ip_shortcircuit_ttl in 2.7. Has anyone used the IP caching feature, and are there plans to
port it to the 3.x branch? (we are really after the ICAP functionallity)
All the missing functionality that is in 2.7 is planned for porting.
When is a matter of sponsorship and developer time since we are mostly
volunteers working on it.
I am currently investigating a way to push our AD user/group
listings into a flat file tree once a night, so squidGuard can do AD
group lookups locally. That should save authorization cycles, but the
samba authentication is what really worries me... I really wish
kerberos was prevelent enought that we could just force kerberos/Basic,
but that's the way it goes... I don't even know how we could load test
kerberos authentication...
I see for your config below you have negotiate, ntlm, basic. That will
enable kerberos to be used where possible.
FWIW: there is one business recently posted looking for ways to use the
browser ACL and redirect people at an 'you need to upgrade' page when
they had issues with older browsers. :)
You might find that a solution to push the migration faster.
Current deployment:
------------------------------------------------------
squid: 3.0.11
Please use at least 3.0.STABLE13
http://www.squid-cache.org/Advisories/SQUID-2009_1.txt
There is a squid_kerb_auth buffer overrun issue solved in the kerb_auth
helper from stable14 you may want as well.
squidGuard: 1.4
samba: 3.2.7
server: RHAS 5.2 64bit (Sunfire 4100 8gigs of ram)
Current configs (squid is not yet optimized)
--------------------------------------------------------------------
http_port xx.xx.x.xxx:8080
tcp_outgoing_address xx.xx.x.xxx
#####################################################################
# AUTHENTICATION
#####################################################################
auth_param negotiate program /dev/pkgs/linux/intel/squid/3.0.11/libexec/squid_kerb_auth -d
auth_param negotiate children 10
auth_param negotiate keep_alive on
auth_param ntlm program /dev/pkgs/linux/intel/samba/3.2.7/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive on
auth_param basic program /dev/pkgs/linux/intel/samba/3.2.7/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 10
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 6 hours
auth_param basic casesensitive off
#####################################################################
# ACL'S
#####################################################################
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl CONNECT method CONNECT
acl java browser Java/1.3 Java/1.4
acl ntlm_users proxy_auth REQUIRED
http_access allow manager localhost
http_access deny manager
http_access allow java
http_access allow ntlm_users
http_access deny all
#####################################################################
# DNS Settings
#####################################################################
dns_defnames on
dns_nameservers xx.xx.xx.xxx xx.xx.xx.xxx
#####################################################################
#
#####################################################################
hierarchy_stoplist cgi-bin ?
access_log /etrade/pkgs/linux/intel/squid/3.0.11/var/logs/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
icp_port 3130
coredump_dir /etrade/pkgs/linux/intel/squid/3.0.11/var/cache
#####################################################################
# Squid Guard
#####################################################################
redirect_program /dev/pkgs/linux/intel/squidGuard/1.4/bin/squidGuard
redirect_children 10
#####################################################################
# Kaspersky AV
#####################################################################
icap_enable on
icap_send_client_ip on
icap_service is_kav_req reqmod_precache 0 icap://localhost:1344/av/reqmod
icap_service is_kav_resp respmod_precache 0 icap://localhost:1344/av/respmod
acl acl_kav_GET method GET
icap_class ic_kav_req is_kav_req
icap_class ic_kav_resp is_kav_resp
icap_access ic_kav_resp allow all
icap_access ic_kav_req allow all !acl_kav_GET
SAMBA
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
# global parameters
[global]
# ADS membership settings
workgroup = DEV
netbios name = PROXYDEV1
realm = DEV.COM
server string = proxydev1.dev.com
security = ADS
winbind trusted domains only = yes
#winbind cache time = 600 # tested samba auth caching, doesn't work for ntlm_auth
#winbind offline logon = true #
allow trusted domains = no
use kerberos keytab = true
# IdMap settings
winbind use default domain = yes
idmap domains = DEV
idmap config DEV:backend = nss
idmap config DEV:readonly = yes
idmap config DEV:default = no
# security settings
encrypt passwords = yes
lm announce = no
client lanman auth = no
client ntlmv2 auth = yes
client plaintext auth = no
client schannel = yes
server schannel = yes
server signing = Auto
encrypt passwords = yes
lanman auth = no
ntlm auth = no
min protocol = NT1
max protocol = NT1
show add printer wizard = no
load printers = no
Thanks all!
Amos
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
Current Beta Squid 3.1.0.7
