On 20/12/2014 12:50 p.m., Ahmed Allzaeem wrote:
> Thank you Amos, don't know what to say, you helped me a lot!
>
> Now it gets user/pwd
>
> But still a new issue appeared!!
>
> Now the browsing is so slow!!
>
> I check the logs of squid I found a lot of TCP_denied and some of
> TCP_MISS
>

That's DENIED/407. In particular sets of 5 requests. Four auth challenges (407) followed by one final/successful request (non-407).

NTLM handshake normally works in threes. Two 407's then one non-407.

NOTE: The non-407 can appear much later in the log than the two 407's. A very good example of this is the 5 "POST http://ocsp.digicert.com/" log lines. You can see the set of 407s occurring, then ~2 seconds later the non-407 saying it took 1974 ms (~2 sec) to complete.

I suspect what you are seeing in that log is the mess that happens when browsers' (un)Happy Eyeballs algorithm collides with NTLM. The browser opening connections in pairs to see which will be usable first needs to authenticate both, but final request only sent on first connection to complete the auth.

*If* I am right about this then the slowdown should only happen on startup when a lot of stuff has to be done by the browser and the experience will get faster over time. The browser can technically save the second-opened connections for later use, some do.

Also, ensure that persistent connections are enabled to both server and clients. This will help minimize the number of handshakes required. That is about all you can do to optimize NTLM unfortunately, it is a truly nasty protocol.

Also, if you are seeing some clients looping with many 407 trying the same credentials over and over try the setting:

  auth_param ntlm keepalive off

However, don't confuse this "keepalive" option with persistent connections. It is a hack specially crafted to work with NTLM and Negotiate auth to fix old IE brokenness and has proven useful with some Java apps and recent Firefox versions.

It's not harmful to any client, but can limit the proxy total traffic capacity somewhat so best to avoid if you don't need it.

HTH
Amos

_______________________________________________
squid-users mailing list
http://lists.squid-cache.org/listinfo/squid-users
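
Added example, not part of the message above and not Squid's own code: a short Python script that pairs the 407 challenges in a native-format access.log with the non-407 request that ends each set, so single handshakes, paired-connection handshakes and repeated-credential loops can be told apart. The sample log lines are constructed, and the loop_threshold cut-off is an assumption.

```python
import collections

# Constructed sample in Squid's native access.log format (not from the thread):
# time elapsed client code/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1419033000.100      1 10.0.0.5 TCP_DENIED/407 4012 POST http://ocsp.digicert.com/ - HIER_NONE/- text/html
1419033000.110      1 10.0.0.5 TCP_DENIED/407 4012 POST http://ocsp.digicert.com/ - HIER_NONE/- text/html
1419033000.120      1 10.0.0.5 TCP_DENIED/407 4300 POST http://ocsp.digicert.com/ - HIER_NONE/- text/html
1419033000.130      1 10.0.0.5 TCP_DENIED/407 4300 POST http://ocsp.digicert.com/ - HIER_NONE/- text/html
1419033000.200      0 10.0.0.9 TCP_DENIED/407 3900 GET http://example.com/ - HIER_NONE/- text/html
1419033000.210      0 10.0.0.9 TCP_DENIED/407 4100 GET http://example.com/ - HIER_NONE/- text/html
1419033000.300     85 10.0.0.9 TCP_MISS/200 1520 GET http://example.com/ user1 HIER_DIRECT/192.0.2.20 text/html
1419033002.104   1974 10.0.0.5 TCP_MISS/200 2100 POST http://ocsp.digicert.com/ user1 HIER_DIRECT/192.0.2.10 application/ocsp-response
"""

def challenge_sets(lines):
    """Pair each run of 407 challenges with the non-407 request that ends it."""
    pending = collections.Counter()   # (client, method, url) -> 407s seen so far
    finished = []
    for line in lines:
        f = line.split()
        if len(f) < 7 or "/" not in f[3]:
            continue                  # skip blank or malformed lines
        elapsed_ms, client = int(f[1]), f[2]
        status = f[3].rsplit("/", 1)[1]
        key = (client, f[5], f[6])
        if status == "407":
            pending[key] += 1
        elif key in pending:          # the non-407 may be logged much later
            finished.append((key, pending.pop(key), status, elapsed_ms))
    return finished, dict(pending)    # leftovers: challenged but never completed

def classify(n407, loop_threshold=8):
    """loop_threshold is an assumed cut-off, not a value from Squid or the thread."""
    if n407 <= 2:
        return "one NTLM handshake"
    if n407 < loop_threshold:
        return "parallel handshakes"
    return "possible 407 loop"

if __name__ == "__main__":
    done, unfinished = challenge_sets(SAMPLE_LOG.splitlines())
    for (client, method, url), n407, status, ms in done:
        print(client, method, url, n407, status, f"{ms}ms", classify(n407))
    print("unfinished:", unfinished)
```

Clients that keep landing in "possible 407 loop", or that stay in the unfinished set, are the ones to try the keepalive setting on.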