Hi Amos,

finally I've configured Kerberos auth and LDAP group check. In a few weeks I will report if the bottlenecks are eliminated.

This is now my config:

auth_param negotiate program /usr/lib64/squid/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on

external_acl_type checkgroup %LOGIN /usr/lib64/squid/squid_ldap_group -R -K -b "dc=DOMAIN,dc=local" -D ldap -w "PASSWORD" -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,ou=UserGroups,dc=DOMAIN,dc=local))" -h DOMAINCONTROLLER
.
(snip)
.
acl Terminalserver src 10.4.1.51-10.4.1.75
acl AUTH proxy_auth REQUIRED
acl InternetGroup external checkgroup internet
.
(snip)
.
http_access deny !AUTH
http_access allow InternetGroup Terminalserver
http_access deny Terminalserver
.
(snip)
.

Thanks for the help.

------------------------------------------------------------------------

Amos Jeffries wrote:
> The big issues you have are:
>
> * using NTLM. This seriously caps the proxy performance and capacity.
>   Each new TCP connection (~30 per second from your graphs) requires at
>   least two full HTTP request/reply round trips just to authenticate
>   before the actual HTTP response can begin to be identified and fetched.
>
> * using group to base access permissions. Like NTLM this caps the
>   capacity of your Squid.
>
> * using a URL helper. Whether that is a big drag or not depends on what
>   you are using it for and whether Squid can do that faster by itself.
>
> These are your big performance bottlenecks. Eliminating any of them will
> speed up your proxy. BUT whether it is worth doing is up to you.
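
Added example, not part of the original thread and not Squid's own code: a small Python model of the three http_access lines posted above, showing the first-match verdict for a request and how many times the group helper is consulted. The names evaluate, POSTED and REORDERED are hypothetical; the model ignores the snipped rules and Squid's caching of external ACL results.

```python
import ipaddress

# Constructed model of the three http_access lines posted above.
# Rule = (action, [(acl_name, negated), ...]); ACLs on one line are ANDed.
POSTED = [
    ("deny",  [("AUTH", True)]),
    ("allow", [("InternetGroup", False), ("Terminalserver", False)]),
    ("deny",  [("Terminalserver", False)]),
]
# Same policy with the cheap src check placed ahead of the group helper
# (an assumption for comparison, not something proposed in the thread).
REORDERED = [
    POSTED[0],
    ("allow", [("Terminalserver", False), ("InternetGroup", False)]),
    POSTED[2],
]
TS_LO = ipaddress.ip_address("10.4.1.51")
TS_HI = ipaddress.ip_address("10.4.1.75")


def evaluate(src, user, groups, rules=POSTED):
    """Return (verdict, group_lookups) for one request.

    user is None when the client sent no credentials; groups is a set of
    group names standing in for the squid_ldap_group answer (constructed).
    """
    lookups = 0

    def match(name):
        nonlocal lookups
        if name == "AUTH":
            return user is not None
        if name == "Terminalserver":
            return TS_LO <= ipaddress.ip_address(src) <= TS_HI
        if name == "InternetGroup":
            lookups += 1              # one call out to the group helper
            return "internet" in groups
        raise KeyError(name)

    for action, acls in rules:
        # all() stops at the first ACL that fails, left to right,
        # which is how an ACL line is evaluated.
        if all(match(name) != negated for name, negated in acls):
            return action, lookups    # first matching line wins
    return "next", lookups            # falls through to the snipped rules
```

With the posted order, an authenticated client outside 10.4.1.51-10.4.1.75 still costs one group lookup before the line fails on Terminalserver; with the src ACL first, the lookup is skipped for that client.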