On 9/11/21 01:19, heimarbeit123.99@xxxxxx wrote:
> Hello all,
> I finally got a squid proxy with kerberos authentication and LDAP group
> check to work! With a small number of clients (1-10) everything works as
> it should and the squid is fast (no noticeable waiting time for websites
> to open). Users get authenticated, different AD groups can access the
> internet with blacklists/whitelists/full access and so on..
> But as soon as I make the whole company (round about 80 clients) use the
> new proxy, it begins to be very slow. And by very slow I mean like 1-2
> minutes waiting time (response time in access.log is like 60000-270000
> milliseconds for TCP_TUNNEL) until a website is fully loaded.
That could just mean the entire website was loaded through that one
tunnel. Which is often the case if the clients are using HTTP/2 or HTTPS
at version 1.1 through it.
> We have an old squid proxy too, but without any authentication (just some
> dstdomain in general) and it's working great. But the new one is very slow..
> Btw. some of our clients have ipv6, others ipv4 (~90%).. There were no
> errors in cache.log (activated it for some minutes with debug ALL for
> error checking).
ALL at what level? "ALL,0" logs barely anything on a working proxy, but
will definitely complain about critical problems.
> Can anyone help?
> What I tried so far:
> dns_v4_first on at the very end/very beginning of squid.conf
> enable/disable (memory) caching
> use Google DNS instead of our own
That can be a recipe for slowness, since the Google DNS service produces
different responses to every request - even identical repeated ones.
> connect_timeout 3 seconds
> Nothing really helped..
> Here is my squid.conf:
> ######### allowed port part ########################
> acl Allowed_port port 80 # http
> acl Allowed_port port 21 # ftp
> acl Allowed_port port 443 # https
> acl Allowed_port port 70 # gopher
> acl Allowed_port port 210 # wais
> acl Allowed_port port 1025-65535 # unregistered ports
> acl Allowed_port port 280 # http-mgmt
> acl Allowed_port port 488 # gss-http
> acl Allowed_port port 591 # filemaker
> acl Allowed_port port 777 # multiling http
> acl Allowed_port port 10000 # Proofpoint
> acl CONNECT method CONNECT
> http_access deny CONNECT !Allowed_port
Please no. The default security protections were created to cover a
range of security risks commonly seen in Internet traffic.
# forbids touching protocols that can be confused with HTTP
http_access deny !Safe_ports
# prevent arbitrary exfiltration from malware in the network.
http_access deny CONNECT !SSL_ports
> ##################### cache/logs ########################
> cache_log /dev/null
Do set that to an actual file. You may find the thing causing your
problems is detectable by Squid.
> logformat myformat %{%d.%m %H:%M:%S}tl %>a %Ss %ru %tr
> access_log /var/log/squid/access.log myformat
> cache deny all
> coredump_dir /dev/null
Core dumps are something you should probably disable at the system level
instead if you don't want them. Writing all that can be quite time
consuming, even to /dev/null.
> cache_dir null /dev/null
"null" cache type does not exist anymore. That is one thing your
cache.log should be warning you about if you could see it.
> cache_store_log none
This is a default in all current Squid.
> ########## Debug ########################
> #debug_options ALL,1 33,2 28,9
> ######################### squid-port #######
> http_port 3128 #proxy port
> authenticate_ttl 2 hours #auth timeout
> squid->passwd_server
> acl black_regex url_regex "/etc/squid/regex_black.acl"
> acl white_regex url_regex "/etc/squid/regex_white.acl"
> acl license_regex url_regex "/etc/squid/regex_license_servers_no_auth.acl"
> ############################# allow License Managers ##########
> http_access allow license_regex all
The " all" at the end of this line is pointless. Authentication is not
being performed by the regex ACL listed.
> ################### Kerberos ##################################
> auth_param negotiate program /lib/squid/negotiate_wrapper_auth -d --ntlm \
>     /bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp \
>     --domain=DOMAIN.TLD --kerberos /lib/squid/negotiate_kerberos_auth -d -s \
>     HTTP/proxy.domain.tld@xxxxxxxxxx
> auth_param negotiate children 200
You should not need 200 helpers for 80 users with Kerberos operational.
> auth_param negotiate keep_alive on
> ########################## Allow based on group membership ######
> # Authentication required, otherwise Pop-Up
> acl Authenticated_Users proxy_auth REQUIRED
> http_access deny !Authenticated_Users all
FYI: the " all" ACL check at the end of this line forbids Squid sending
the 40x challenge which triggers popups. Users will be getting full
rejection 403 instead if they match this line.
> # Define external acl for group check
> external_acl_type ldap_group ipv4 ttl=300 negative_ttl=120 \
>     children-max=200 %LOGIN /lib/squid/ext_ldap_group_acl -K -S -R \
>     -b "ou=Users,DC=domain,DC=tld" \
>     -D "ProxyUser@xxxxxxxxxx" \
>     -W /etc/squid/authfile \
>     -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=CN=%a,OU=Groups,DC=domain,DC=tl))" \
>     -h 192.0.1.1
> acl Users_Internet_Users external ldap_group Users
> http_access allow Users_Internet_Users !black_regex
The above performs the slowest ACL test first. It can be optimized as:
http_access allow !black_regex Users_Internet_Users all
> http_access deny all
> dns_v4_first on
> connect_timeout 3 seconds
Amos
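To make the two http_access points above concrete (the ACL ordering on the allow line, and the trailing "all" on the deny line suppressing the 407 challenge), here is a small Python model of how Squid walks http_access lines. This is an added example, not Squid's code or anything from the thread; the blacklist patterns, the users alice/bob and their group memberships are constructed stand-ins for regex_black.acl and the LDAP lookup.

```python
import re
from dataclasses import dataclass

# Constructed stand-ins for regex_black.acl and the AD group lookup (not from the thread).
BLACK_REGEX = [re.compile(r"facebook\.com"), re.compile(r"\.exe$")]
LDAP_GROUPS = {"alice": {"Users"}, "bob": set()}

@dataclass
class Proxy:
    rules: list          # http_access lines as (action, [acl term, ...]) in config order
    ldap_calls: int = 0  # how often the slow external ldap_group helper was consulted

    def acl(self, term, req):
        """Evaluate one ACL term of an http_access line; a leading '!' negates it."""
        negate, name = term.startswith("!"), term.lstrip("!")
        if name == "Users_Internet_Users":
            self.ldap_calls += 1  # the only term that costs a helper round trip
        hit = {"all": True,
               "black_regex": any(p.search(req["url"]) for p in BLACK_REGEX),  # local url_regex
               "Authenticated_Users": req.get("user") is not None,             # proxy_auth REQUIRED
               "Users_Internet_Users": "Users" in LDAP_GROUPS.get(req.get("user"), set())}[name]
        return hit != negate

    def decide(self, req):
        """Return 'allow', 403 or 407 by walking the lines like Squid's http_access."""
        for action, terms in self.rules:
            # all() stops at the first non-matching term, so order within a line matters.
            if all(self.acl(t, req) for t in terms):
                if action == "allow":
                    return "allow"
                # Deny line ending in the proxy_auth ACL -> 407 challenge (popup); trailing 'all' -> flat 403.
                auth_last = terms[-1] == "!Authenticated_Users" and req.get("user") is None
                return 407 if auth_last else 403
        return "allow" if self.rules[-1][0] == "deny" else 403  # default: opposite of last line

def compare_orderings():
    """LDAP helper calls for one blacklisted URL under the posted and the suggested ordering."""
    req = {"user": "alice", "url": "http://www.facebook.com/"}
    auth = ("deny", ["!Authenticated_Users"])
    posted = Proxy([auth, ("allow", ["Users_Internet_Users", "!black_regex"]), ("deny", ["all"])])
    suggested = Proxy([auth, ("allow", ["!black_regex", "Users_Internet_Users", "all"]), ("deny", ["all"])])
    return posted.decide(req), posted.ldap_calls, suggested.decide(req), suggested.ldap_calls

def challenge_vs_reject():
    """What an unauthenticated client gets with and without the trailing 'all'."""
    req = {"user": None, "url": "http://example.com/"}
    with_all = Proxy([("deny", ["!Authenticated_Users", "all"]), ("deny", ["all"])])
    without = Proxy([("deny", ["!Authenticated_Users"]), ("deny", ["all"])])
    return with_all.decide(req), without.decide(req)
```

With the posted ordering the blacklisted URL still costs one helper round trip before being denied; with the suggested ordering the regex rejects it first and the helper is never asked.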
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users