Re: squid 3.1 ldap authentication

Just to update the thread.

A basic CLI test showed it's not an issue related to anything in the LDAP helpers or settings. The issue was an IPv6 network-level issue: there was a default gateway, but for some unknown reason there was no IPv6 connectivity. The test host could be any host with both IPv6 and IPv4 DNS records that has at least one IPv6 record. Due to the request_start_timeout default of 5 minutes, the site took about 5 minutes to show up after the IPv6 try timed out. The basic way to test it is running a simple script on the host machine that will test IPv6 connectivity. The right way to do that should be using a basic IPv6 ping like this script:
- http://paste.ngtech.co.il/pxizenek2
- http://ngtech.co.il/squid/ipv6_test.sh

But since it is known that opening the whole IPv6 ICMP protocol in firewalls opens network vulnerabilities, it is commonly disabled (while it should be opened properly), and therefore it is an issue to test IPv6 connectivity based only on ICMP.

Example ip6tables ICMPv6 rules that will allow a router to pass a basic ping6 test:

ip6tables -A FORWARD -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
ip6tables -A FORWARD -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
ip6tables -A FORWARD -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
ip6tables -A FORWARD -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
ip6tables -A FORWARD -p icmpv6 --icmpv6-type echo-request -j ACCEPT
ip6tables -A FORWARD -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
ip6tables -A FORWARD -p icmpv6 -j DROP

Later I will upgrade the script to test TCP/HTTP level connectivity so it will be more useful as a debugging tool.

* http://www.squid-cache.org/Doc/config/request_start_timeout/
* https://www.cert.org/downloads/IPv6/ip6tables_rules.txt
* https://www.sixxs.net/wiki/IPv6_Firewalling

On 29/01/2016 03:50, Nando Mendonca wrote:
Thanks! I ran tcpdump, didn't really notice anything. Any other suggestions?

Thanks,
Nando

On Jan 25, 2016, at 10:07 AM, Anders Gustafsson <Anders.Gustafsson@xxxxxxxxx> wrote:

Do a packet trace on the LDAP connection. I bet the delay happens there. Also: I suspect that it might do the same LDAP lookup for EVERY HTTP session of which there might be thousands for a complex page.


nando mendonca <nandomendonca007@xxxxxxxxx> 2016-01-25 17:52 >>>
I'm running squid 3.5.12, I'm using LDAP for authentication. When trying to
browse the internet from clients it takes up to 10 minutes for the website
to load. Can you please assist me in troubleshooting what the issue is?
Below is my squid.conf file.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

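A TCP-level IPv6 reachability check of the kind the thread ends up asking for, added here as an example; it is not the ipv6_test.sh script linked above and not from any of the posters. It resolves a name with the system resolver (the same path Squid takes), splits the answers into IPv6 and IPv4, and attempts a short-timeout TCP connect to each address, so a routed-but-dead IPv6 path fails in seconds instead of stalling for request_start_timeout. It assumes glibc getent, coreutils timeout and a bash built with /dev/tcp support on the Squid host; the outer script itself is POSIX sh, and bash is only invoked for the connect. The host, port and timeout arguments are the script's own, not options of any Squid tool.

```shell
#!/bin/sh
# Added example, not the ipv6_test.sh script linked in the post: probe IPv6
# reachability at the TCP level rather than with ICMPv6 echo, which is
# frequently filtered. Assumes getent (glibc), coreutils `timeout` and a bash
# built with /dev/tcp support are available on the Squid host.

# Classify newline-separated addresses by family. Anything containing ':'
# is treated as IPv6, everything else as IPv4. Output: "v6:<addr>"/"v4:<addr>".
split_by_family() {
    while IFS= read -r sbf_addr; do
        [ -n "$sbf_addr" ] || continue
        case "$sbf_addr" in
            *:*) printf 'v6:%s\n' "$sbf_addr" ;;
            *)   printf 'v4:%s\n' "$sbf_addr" ;;
        esac
    done <<EOF
$1
EOF
}

# Resolve every A and AAAA record for a name through the system resolver,
# one unique address per line (getent prints one line per socket type).
resolve_all() {
    getent ahosts "$1" 2>/dev/null | awk '{print $1}' | sort -u
}

# Try a plain TCP connect to addr:port and give up after timeout_s seconds.
# Returns 0 on success, non-zero on refusal, unreachable network or timeout.
# bash is used only for its /dev/tcp redirection; $0/$1 inside the -c string
# are the addr and port passed after it.
tcp_check() {
    tc_addr=$1; tc_port=$2; tc_timeout=${3:-3}
    if command -v timeout >/dev/null 2>&1; then
        timeout "$tc_timeout" bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$tc_addr" "$tc_port" 2>/dev/null
    else
        bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$tc_addr" "$tc_port" 2>/dev/null
    fi
}

# Resolve host, probe each address on port and print one line per address.
# Returns 0 when IPv6 is either absent or reachable, 1 when the host has
# AAAA records but none of them accept a connection (the symptom in this
# thread), 2 when the name does not resolve at all.
check_host() {
    ch_host=$1; ch_port=${2:-443}; ch_timeout=${3:-3}
    ch_v6_total=0; ch_v6_ok=0
    ch_plan=$(split_by_family "$(resolve_all "$ch_host")")
    if [ -z "$ch_plan" ]; then
        printf '%s: no A/AAAA records\n' "$ch_host"
        return 2
    fi
    while IFS= read -r ch_line; do
        ch_fam=${ch_line%%:*}; ch_addr=${ch_line#*:}
        if tcp_check "$ch_addr" "$ch_port" "$ch_timeout"; then
            ch_state=reachable
            [ "$ch_fam" = v6 ] && ch_v6_ok=$((ch_v6_ok + 1))
        else
            ch_state=FAILED
        fi
        [ "$ch_fam" = v6 ] && ch_v6_total=$((ch_v6_total + 1))
        printf '%-4s %s port %s: %s\n' "$ch_fam" "$ch_addr" "$ch_port" "$ch_state"
    done <<EOF
$ch_plan
EOF
    if [ "$ch_v6_total" -gt 0 ] && [ "$ch_v6_ok" -eq 0 ]; then
        printf '%s: AAAA records present but none reachable over TCP; expect request_start_timeout-length stalls\n' "$ch_host"
        return 1
    fi
    return 0
}

# Stand-alone use: ./ipv6_tcp_check.sh www.example.com 443 3
if [ $# -gt 0 ]; then
    check_host "$@"
else
    printf 'usage: %s host [port] [timeout_seconds]\n' "$0" >&2
fi
```

Run it on the Squid box itself against a dual-stack name on port 80 or 443; a result with v4 lines reachable and every v6 line FAILED reproduces the condition described above (default route present, no IPv6 connectivity) without depending on ICMPv6 being allowed anywhere on the path. Port 443 is probed by default because it is least likely to be intercepted by transparent HTTP proxies between the host and the target.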