On 9/04/2014 5:16 p.m., Waldemar Brodkorb wrote:
> Hi,
> Amos Jeffries wrote,
>
>>> What do you think? What might be a solution to this problem? I can't
>>> restart squid when changing the ACL rules, because then all users in
>>> the network would be disconnected.
>>
>> You could set the request_timeout to be short. This would make the
>> CONNECT requests terminate after a few minutes.
>
> Will try that.
>
>> You could also use the SSL-bump feature in Squid. This has a double
>> benefit of allowing the control software to act on the HTTPS requests
>> and preventing SPDY etc. being used by the browser.
>
> This is not wanted by my boss. Probably because of ethical reasons.
> If a user uses https, he normally believes his traffic is secure and
> we want that to be the case.
>

Fair enough.

> Going back to the initial problem, slow NTLM authentications with
> newer browsers. Would it be worth switching completely to Negotiate?

Yes. NTLM was deprecated officially by MS about 8 years ago and
Negotiate/Kerberos is supported by a wider range of modern software.

> Or is it possible to cache the NTLM authentication results, so that
> Squid does not need to fork an ntlm auth helper on every request?

NTLM (and Negotiate) credentials are pinned to the connection state for as
long as the connection they are valid for exists. As the credentials token
is connection-specific there is no additional caching and re-use possible
beyond that.

The helpers should not be forking on every request. They should be forked
on startup and later only if there are insufficient already running. Once
forked each helper should service traffic indefinitely.

You can minimize NTLM costs:
 * by enabling persistent connections on both client and server sides of
   Squid and as widely on other software as possible,
 * by encouraging HTTP/1.1 with chunked encoding to be used as much as
   possible instead of HTTP/1.0 connection:close by other software in the
   network,
 * by adding Negotiate/Kerberos alongside NTLM.

There will still be significant churn for NTLM, but every bit helps.

Amos
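A squid.conf fragment that puts the three cost-reduction points and the short request_timeout from the reply above into concrete directives. This is an added example, not configuration posted in the thread or shipped by the Squid project; the helper paths, the Kerberos service principal and realm, the children/startup/idle counts, the timeout value and the ACL name are assumptions to be adjusted for the site. Only the directive names are real Squid 3.x directives.

```conf
# --- Weak form (what a slow NTLM-only setup typically looks like) ---
# Every new TCP connection re-runs the full NTLM handshake, and with no
# persistent connections that is almost every request.
#
#   auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
#   auth_param ntlm children 5
#   client_persistent_connections off
#   server_persistent_connections off

# --- Corrected form ---

# Squid advertises schemes in the order their auth_param lines first appear,
# so list Negotiate before NTLM: clients that hold a Kerberos ticket use it,
# everything else falls back to NTLM.
# (path and service principal are assumptions)
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.example.com@EXAMPLE.COM
auth_param negotiate children 30 startup=10 idle=5
auth_param negotiate keep_alive on

# NTLM kept only as the fallback. startup= pre-forks helpers at start so the
# forking happens once, not under load; idle= keeps spares ready.
# (path and counts are assumptions)
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30 startup=10 idle=5
auth_param ntlm keep_alive on

# Persistent connections on both sides. Each NTLM/Negotiate result is pinned
# to the client connection it was negotiated on, so fewer new connections
# means fewer handshakes and fewer helper round trips.
client_persistent_connections on
server_persistent_connections on

# Short request_timeout, as suggested in the reply above (value is an assumption).
request_timeout 5 minutes

# Require authentication for proxy use (ACL name is an assumption).
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
```

After changing the auth_param lines, `squid -k parse` checks the syntax and `squid -k reconfigure` applies it without dropping existing client connections; the negotiate helper needs a keytab readable by the Squid user containing the HTTP/ service principal given with -s.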