Just to update the thread.
A basic CLI test showed it's not an issue related to anything in the
LDAP helpers or settings.
The issue was IPV6 network level issue, there was a default gateway but
for some unknown reason there was no IPV6 connectivity.
The test host could be any host with both IPV6 and IPV4 dns records that
has at-least one IPV6 record. Due to request_start_timeout default of 5
minutes the site took about 5 minutes to show up after the IPV6 try was
timed out.
The basic way to test it is running a simple script on the host machine
that will test IPV6 connectivity. The right way to do that should be
using a basic IPV6 ping like this script:
- http://paste.ngtech.co.il/pxizenek2
- http://ngtech.co.il/squid/ipv6_test.sh
But since it is known that opening the whole IPV6 ICMP protocol in
FireWalls opens network vulnerabilities it is commonly disabled(while it
be opened properly) and there for makes it's an issue to test IPV6
connectivity based only on ICMP.
Example ip6tables ICMPv6 rules that will allow a router to pass a basic
ping6 test:
ip6tables -A FORWARD -p icmpv6 --icmpv6-type destination-unreachable -j
ACCEPT
ip6tables -A FORWARD -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
ip6tables -A FORWARD -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
ip6tables -A FORWARD -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
ip6tables -A FORWARD -p icmpv6 --icmpv6-type echo-request -j ACCEPT
ip6tables -A FORWARD -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
ip6tables -A FORWARD -p icmpv6 -j DROP
Later I will upgrade the script to test tcp\http level connectivity so
it will be more useful as a debugging tool.
* http://www.squid-cache.org/Doc/config/request_start_timeout/
* https://www.cert.org/downloads/IPv6/ip6tables_rules.txt
* https://www.sixxs.net/wiki/IPv6_Firewalling
On 29/01/2016 03:50, Nando Mendonca wrote:
Thanks! I ran tcpdump, didnt really notice anything. Any other suggesstions?
Thanks,
Nando
On Jan 25, 2016, at 10:07 AM, Anders Gustafsson <Anders.Gustafsson@xxxxxxxxx> wrote:
Do a packet trace on the LDAP connection. I bet the delay happens there. Also: I suspect that it might do the same LDAP lookup for EVERY HTTP session of which there might be thousands for a complex page.
nando mendonca <nandomendonca007@xxxxxxxxx> 2016-01-25 17:52 >>>
I'm running squid 3.5.12, i'm using ldap for authentication. When trying to
browse the internet from clients it takes up to 10 minutes for the website
to load. Can you please assist me in troubleshooting what the issue is?
Below is my squid.conf file.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users