Hello all,
I finally got a squid proxy with Kerberos authentication and LDAP group check to work! With a small number of clients (1-10) everything works as it should and the squid is fast (no noticeable waiting time for websites to open). Users get authenticated, and different AD groups can access the internet with blacklists/whitelists/full access and so on.
But as soon as I make the whole company (roughly 80 clients) use the new proxy, it becomes very slow. By very slow I mean 1-2 minutes of waiting time (the response time in access.log is around 60000-270000 milliseconds for TCP_TUNNEL) until a website is fully loaded. We also have an old squid proxy without any authentication (just some dstdomain ACLs) and it works great. But the new one is very slow.
By the way, some of our clients have IPv6, others IPv4 (~90%). There were no errors in cache.log (I activated it for some minutes with debug ALL to check for errors).
Can anyone help?
What I tried so far:
dns_v4_first on at the very end / very beginning of squid.conf
enable/disable (memory) caching
use Google DNS instead of our own
connect_timeout 3 seconds
Nothing really helped.
Here is my squid.conf:
######### allowed port part ########################
# NOTE(review): in this paste nearly every directive appears twice (the whole
# port list below, http_port, auth_param, external_acl_type, ...). If the real
# squid.conf has the same duplicates, trim each to one copy: http_access rules
# are evaluated top to bottom and the repeated ones are at best redundant.
# Allowed_port is referenced only by the CONNECT rule below; there is no
# "deny !Safe_ports" style rule for ordinary (non-CONNECT) requests.
acl Allowed_port port 80 # http
acl Allowed_port port 21 # ftp
acl Allowed_port port 443 # https
acl Allowed_port port 70 # gopher
acl Allowed_port port 210 # wais
# NOTE(review): because 1025-65535 is part of the same list, the CONNECT rule
# below lets an authenticated client tunnel to any high port, not just 443.
# The stock squid.conf keeps a separate "acl SSL_ports port 443" and uses
# "http_access deny CONNECT !SSL_ports" for tunnels; consider doing the same.
acl Allowed_port port 1025-65535 # unregistered ports
acl Allowed_port port 280 # http-mgmt
acl Allowed_port port 488 # gss-http
acl Allowed_port port 591 # filemaker
acl Allowed_port port 777 # multiling http
acl Allowed_port port 10000 # Proofpoint
acl CONNECT method CONNECT
# Refuse CONNECT (TLS tunnels) unless the destination port is in Allowed_port.
http_access deny CONNECT !Allowed_port
# --- duplicate of the block above (see note at the top) ---
acl Allowed_port port 80 # http
acl Allowed_port port 21 # ftp
acl Allowed_port port 443 # https
acl Allowed_port port 70 # gopher
acl Allowed_port port 210 # wais
acl Allowed_port port 1025-65535 # unregistered ports
acl Allowed_port port 280 # http-mgmt
acl Allowed_port port 488 # gss-http
acl Allowed_port port 591 # filemaker
acl Allowed_port port 777 # multiling http
acl Allowed_port port 10000 # Proofpoint
acl CONNECT method CONNECT
http_access deny CONNECT !Allowed_port
##################### cache/logs ########################
# NOTE(review): cache_log /dev/null discards Squid's own warnings and the
# output of every helper started with -d / --diagnostics (see the auth_param
# line below). "No errors in cache.log" can only be true for the window in
# which this pointed at a real file; keep a real cache_log while the slowdown
# is being investigated.
cache_log /dev/null
#logfile_rotate 0
# Custom access log: local time, client address, Squid result code, URL,
# response time in milliseconds.
# NOTE(review): for CONNECT tunnels (TCP_TUNNEL) the access.log entry is
# written when the tunnel closes, so %tr is the lifetime of the tunnel; a
# long-lived HTTPS connection legitimately shows 60000+ ms there. Judge the
# slowdown by %tr of plain GET requests (TCP_MISS etc.), not TCP_TUNNEL rows.
logformat myformat %{%d.%m %H:%M:%S}tl %>a %Ss %ru %tr
access_log /var/log/squid/access.log myformat
#cache_dir aufs /var/spool/squid 16384 32 512
#cache_mem 8 MB
#maximum_object_size_in_memory 64 KB
#maximum_object_size 4 MB
#coredump_dir /var/spool/squid
# --- duplicate of the cache/logs block above ---
cache_log /dev/null
#logfile_rotate 0
logformat myformat %{%d.%m %H:%M:%S}tl %>a %Ss %ru %tr
access_log /var/log/squid/access.log myformat
#cache_dir aufs /var/spool/squid 16384 32 512
#cache_mem 8 MB
#maximum_object_size_in_memory 64 KB
#maximum_object_size 4 MB
#coredump_dir /var/spool/squid
# Caching is switched off entirely; with "cache deny all" nothing is stored,
# so the null cache_dir and the disabled store log add nothing on top of it.
cache deny all
coredump_dir /dev/null
cache_dir null /dev/null
cache_store_log none
coredump_dir /dev/null
cache_dir null /dev/null
cache_store_log none
########## Debug ########################
#debug_options ALL,1 33,2 28,9
#debug_options ALL,1 33,2 28,9
######################### squid-port #######
# NOTE(review): no listen address is given, so Squid accepts on 3128 on every
# address of the host. Nothing in the http_access rules restricts client
# source addresses (the whole_company src ACL below is commented out), so the
# only gate is authentication — and the license_regex URLs are allowed before
# it. Consider "acl localnet src <your ranges>" plus "http_access deny
# !localnet" near the top of the rules.
http_port 3128 #proxy port
http_port 3128 #proxy port
# How long a user's verified credentials stay cached before the auth helper
# is consulted again for that user.
authenticate_ttl 2 hours #auth timeout squid->passwd_server
#acl localhost src 192.168.2.2 #proxy IP
#follow_x_forwarded_for allow localhost #trust localhost
#follow_x_forwarded_for allow localhost #trust localhost
#general allow everything
#acl whole_company src 192.0.0.0-192.255.255.254
#http_access allow whole_company
#acl whole_company src 192.0.0.0-192.255.255.254
#http_access allow whole_company
############### url_regex ####
# Regex lists (one pattern per line) matched against the full request URL.
# NOTE(review): url_regex lists are evaluated on every request, so long or
# unanchored lists can cost CPU, and an unanchored pattern matches more URLs
# than intended — which matters most for license_regex, since it bypasses
# authentication. Anchor host patterns, e.g. (constructed example)
#   ^https?://license\.example\.tld/
acl black_regex url_regex "/etc/squid/regex_black.acl"
#http_access allow white_regexp
acl white_regex url_regex "/etc/squid/regex_white.acl"
acl license_regex url_regex "/etc/squid/regex_license_servers_no_auth.acl"
acl black_regex url_regex "/etc/squid/regex_black.acl"
#http_access allow white_regexp
acl white_regex url_regex "/etc/squid/regex_white.acl"
acl license_regex url_regex "/etc/squid/regex_license_servers_no_auth.acl"
############################# allow License Managers ##########
# Evaluated before the authentication rule further down, so these URLs are
# reachable without credentials by any client that can reach port 3128.
# The trailing "all" always matches and can be dropped.
http_access allow license_regex all
http_access allow license_regex all
################### Kerberos ##################################
# Negotiate authentication through the wrapper: Kerberos tokens are handled by
# negotiate_kerberos_auth (service principal HTTP/proxy.domain.tld), NTLM
# tokens by Samba's ntlm_auth for DOMAIN.TLD.
# NOTE(review): -d on the wrapper and on negotiate_kerberos_auth, and
# --diagnostics on ntlm_auth, make each helper log every authentication
# exchange (to cache_log, here /dev/null). Remove them once the setup works.
# NOTE(review): 200 helper processes is a lot. If this is Squid 3.2 or later
# (the children-max= option below suggests so), "children 200 startup=5
# idle=5" starts a few helpers and spawns more only under load. Clients that
# end up on the NTLM path presumably cost a DC round-trip per handshake via
# winbind — worth checking on that side if logons from ~80 clients are slow.
auth_param negotiate program /lib/squid/negotiate_wrapper_auth -d --ntlm /bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN.TLD --kerberos /lib/squid/negotiate_kerberos_auth -d -s HTTP/proxy.domain.tld@xxxxxxxxxx
auth_param negotiate children 200
auth_param negotiate keep_alive on
# --- duplicate of the auth_param block above ---
auth_param negotiate program /lib/squid/negotiate_wrapper_auth -d --ntlm /bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN.TLD --kerberos /lib/squid/negotiate_kerberos_auth -d -s HTTP/proxy.domain.tld@xxxxxxxxxx
auth_param negotiate children 200
auth_param negotiate keep_alive on
########################## Allow based on group membership ######
# Authentication required, otherwise Pop-Up
# Any request that reaches this point without valid credentials is challenged;
# every rule after this line therefore applies to authenticated users only.
acl Authenticated_Users proxy_auth REQUIRED
http_access deny !Authenticated_Users all
# Authentication required, otherwise Pop-Up
acl Authenticated_Users proxy_auth REQUIRED
http_access deny !Authenticated_Users all
# Define external acl for group check
# Group lookup: for each login (%LOGIN) the helper binds to 192.0.1.1 as
# ProxyUser (password read from /etc/squid/authfile) and searches ou=Users
# for a person with that sAMAccountName that is memberof the group named on
# the acl line (%a, e.g. "Users" below). -K / -S strip the Kerberos realm /
# NT domain from the login first; -R disables referral chasing. Results are
# cached per user for 300 s (negative answers 120 s); up to 200 helper
# processes (children-max) may be spawned under load.
# NOTE(review): the search base says DC=domain,DC=tld but the memberof DN
# says DC=domain,DC=tl — if that is not an anonymisation slip, the group DN
# can never match. No TLS option is given either, so the ProxyUser simple
# bind and the queries travel in cleartext to the DC; use -Z (StartTLS) or an
# ldaps:// URI via -H, and keep /etc/squid/authfile readable by the squid
# user only.
external_acl_type ldap_group ipv4 ttl=300 negative_ttl=120 children-max=200 %LOGIN /lib/squid/ext_ldap_group_acl -K -S -R \
-b "ou=Users,DC=domain,DC=tld" \
-D "ProxyUser@xxxxxxxxxx" \
-W /etc/squid/authfile \
-f "(&(objectclass=person)(sAMAccountName=%v)(memberof=CN=%a,OU=Groups,DC=domain,DC=tl))" \
-h 192.0.1.1
# --- duplicate of the external_acl_type definition above ---
external_acl_type ldap_group ipv4 ttl=300 negative_ttl=120 children-max=200 %LOGIN /lib/squid/ext_ldap_group_acl -K -S -R \
-b "ou=Users,DC=domain,DC=tld" \
-D "ProxyUser@xxxxxxxxxx" \
-W /etc/squid/authfile \
-f "(&(objectclass=person)(sAMAccountName=%v)(memberof=CN=%a,OU=Groups,DC=domain,DC=tl))" \
-h 192.0.1.1
## check whitelist group
# (whitelist, blacklist and full_access group rules are all commented out;
# only the "Users" group below is active)
#acl whitelist_Internet_Users external ldap_group whitelist
#http_access allow whitelist_Internet_Users white_regex
#acl whitelist_Internet_Users external ldap_group whitelist
#http_access allow whitelist_Internet_Users white_regex
## check blacklist group
#acl blacklist_Internet_Users external ldap_group blacklist
#http_access allow blacklist_Internet_Users !black_regex
#acl blacklist_Internet_Users external ldap_group blacklist
#http_access allow blacklist_Internet_Users !black_regex
## check full_access group
#acl full_access_Internet_Users external ldap_group full_access
#http_access allow full_access_Internet_Users all
#acl full_access_Internet_Users external ldap_group full_access
#http_access allow full_access_Internet_Users all
## check Users group
# Members of the AD group "Users" may fetch anything not matching the
# blacklist; a blacklisted URL (and any user not in the group) falls through
# to the final deny. Each first request per user waits for the LDAP lookup.
acl Users_Internet_Users external ldap_group Users
http_access allow Users_Internet_Users !black_regex
acl Users_Internet_Users external ldap_group Users
http_access allow Users_Internet_Users !black_regex
# Everything not explicitly allowed above is denied.
http_access deny all
# Prefer IPv4 when a destination has both A and AAAA records. Placement in
# the file does not matter for this directive.
dns_v4_first on
# NOTE(review): 3 s is very short (Squid's default is 1 minute). A slow first
# TCP connect is abandoned and may be retried against the next address, which
# adds latency instead of removing it; raise this while diagnosing.
connect_timeout 3 seconds
connect_timeout 3 seconds
Regards!