Re: Squid very slow with kerberos auth and LDAP Group Search(AD)

At first thank you for your tips about the config!
So I figured out that everything was not Kerberos-authenticated but NTLM-authenticated, so I had to adjust my config a bit, because I've heard in another thread here that actually using Kerberos is a lot faster than NTLM.
 
Old part:
> auth_param negotiate program /lib/squid/negotiate_wrapper_auth -d --ntlm
> /bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp
> --domain=DOMAIN.TLD --kerberos /lib/squid/negotiate_kerberos_auth -d -s
> HTTP/proxy.domain.tld@xxxxxxxxxx
> auth_param negotiate children 200
 
New part:
auth_param negotiate program /lib/squid/negotiate_kerberos_auth -d -s HTTP/proxy.domain.tld@xxxxxxxxxx -k /etc/squid/krb5.keytab
 auth_param negotiate children 100 startup=10 idle=3
 auth_param negotiate keep_alive on
 
But then I got warnings about NTLM 1 tokens in my cache.log and authentication didn't work at all. After a bit of research I figured out not to write the IP of the proxy but the FQDN of the proxy inside the client proxy settings. That makes sense, because in Microsoft Outlook using Kerberos you have to do that too. It does not work with IPs, only with FQDN. So I guess it is a Kerberos "issue".
 
 
So everything works as it should and Squid is a lot faster (could not test yet if it is fast enough) because of that Kerberos auth. But now I got another problem: My access.log does not get filled! :(
I did:
chmod 644 /var/log/squid/access.log
chown squid:squid /var/log/squid/access.log
 
but nothing helped and there are no errors inside the cache.log, even with "debug ALL", so I guess it's not a permission problem. With the old NTLM auth and the IP of the Squid proxy inside the client proxy settings the access.log gets filled up. But as soon as I switch to my new Kerberos auth and the proxy FQDN inside the client (Windows) proxy settings, access.log will not get written anymore.
Can anyone help?
 
My current squid.conf (thanks again to Amos Jeffries!):
 
 ######### allowed port part ########################
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

 ##################### cache/logs ########################
 cache_log /var/log/squid/cache.log
 logformat myformat %{%d.%m %H:%M:%S}tl %>a %Ss %ru %tr
 access_log /var/log/squid/access.log myformat
 cache deny all
 coredump_dir /dev/null
 cache_dir aufs /var/spool/squid 100 16 256
 
 ########## Debug ########################
 #debug_options ALL,1 33,2 28,9
 
 ######################### squid-port #######
 http_port 3128                              #proxy port
 authenticate_ttl 2 hours                    #auth timeout
 acl black_regex url_regex "/etc/squid/regex_black.acl"
 acl white_regex url_regex "/etc/squid/regex_white.acl"
 acl license_regex url_regex "/etc/squid/regex_license_servers_no_auth.acl"
 
 ############################# allow License Managers ##########
 http_access allow license_regex
 
 ################### Kerberos ##################################
auth_param negotiate program /lib/squid/negotiate_kerberos_auth -d -s HTTP/proxy.domain.tld@xxxxxxxxxx -k /etc/squid/krb5.keytab
 auth_param negotiate children 100 startup=10 idle=3
 auth_param negotiate keep_alive on

 ########################## Allow based on group membership ######
 # Authentication required, otherwise Pop-Up
 acl Authenticated_Users proxy_auth REQUIRED
 http_access deny !Authenticated_Users
 
 # Define external acl for group check
external_acl_type ldap_group ipv4 ttl=300 negative_ttl=120 children-max=100 %LOGIN /lib/squid/ext_ldap_group_acl -K -S -R \
-b "ou=Users,DC=domain,DC=tld" \
-D "ProxyUser@xxxxxxxxxx" \
-W /etc/squid/authfile \
-f "(&(objectclass=person)(sAMAccountName=%v)(memberof=CN=%a,OU=Groups,DC=domain,DC=tld))" \
-h 192.0.1.1
 
 acl Users_Internet_Users external ldap_group Users
 http_access allow !black_regex Users_Internet_Users all
 http_access deny all
 
 dns_v4_first on
 connect_timeout 3 seconds
 
 
Regards
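Added example, not from the thread and not Squid's own code: a simplified Python model of Squid's first-match http_access evaluation, applied to the ACL names and rule order of the squid.conf above. It shows that a URL matching license_regex is allowed before the proxy_auth check ever runs, and that a blacklisted URL from a member of the Users group falls through to the final deny. The request cases are constructed by hand.

```python
# Added example, not Squid's own code: a simplified model of how Squid
# walks http_access lines, using the ACL names and rule order of the
# squid.conf above. Lines are tried top to bottom, every ACL on a line
# must match (AND), "!" negates one ACL, the first fully matching line
# decides, and if nothing matches Squid takes the opposite of the last
# line's action. External-ACL "dunno" results and the 407 challenge that
# proxy_auth REQUIRED triggers are left out of this model.
RULES = [
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("allow", ["license_regex"]),           # evaluated before any auth check
    ("deny",  ["!Authenticated_Users"]),
    ("allow", ["!black_regex", "Users_Internet_Users", "all"]),
    ("deny",  ["all"]),
]

def acl_matches(acl, matched):
    """True when one ACL term (possibly negated with '!') holds for the request."""
    negated = acl.startswith("!")
    name = acl[1:] if negated else acl
    hit = name == "all" or name in matched
    return hit != negated

def evaluate(rules, matched):
    """matched: set of ACL names that fire for the request.
    Returns (action, index of the deciding line, or None for the default)."""
    for i, (action, acls) in enumerate(rules):
        if all(acl_matches(a, matched) for a in acls):
            return action, i
    return ("allow" if rules[-1][0] == "deny" else "deny"), None

# Constructed requests: the set of ACLs each one fires, worked out by hand.
CASES = {
    # unauthenticated client, license-server URL on port 80
    "license_no_auth": {"Safe_ports", "license_regex"},
    # unauthenticated CONNECT to port 8443 (inside 1025-65535, not an SSL_port)
    "connect_8443_no_auth": {"Safe_ports", "CONNECT"},
    # member of the "Users" group requesting a blacklisted URL
    "users_blacklisted": {"Safe_ports", "Authenticated_Users",
                          "Users_Internet_Users", "black_regex"},
    # member of the "Users" group requesting an ordinary URL
    "users_ok": {"Safe_ports", "Authenticated_Users", "Users_Internet_Users"},
    # authenticated user who is not in the "Users" group
    "auth_not_in_group": {"Safe_ports", "Authenticated_Users"},
}

def decisions():
    """Decision and deciding line index (0-based) for every constructed case."""
    return {name: evaluate(RULES, acls) for name, acls in CASES.items()}
```

Because the license_regex line sits above the authentication check, every URL that list matches is reachable without credentials, so that regex file deserves the same review as the group ACLs.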
 
 
 
Sent: Tuesday, 09 November 2021 at 08:38
From: heimarbeit123.99@xxxxxx
To: heimarbeit123.99@xxxxxx
Subject: Re: Squid very slow with kerberos auth and LDAP Group Search(AD)
 
Edit:
I also tried with kerberos auth only.
 
auth_param negotiate program /lib/squid/negotiate_kerberos_auth -d -s HTTP/proxy.domain.tld@xxxxxxxxxx
 
but then I cannot authenticate anyone, because cache.log says "Warning: Received NTLM 1 Token". That's why I did it with ntlm_auth, even though I read that NTLM is way slower than Kerberos. That could cause these waiting times too with 60+ clients, but I don't quite know how to handle this.
 
Maybe someone can help.
 
Regards
 
Sent: Monday, 08 November 2021 at 13:19
From: heimarbeit123.99@xxxxxx
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Squid very slow with kerberos auth and LDAP Group Search(AD)
Hello all,
 
I finally got a Squid proxy with Kerberos authentication and LDAP group check to work! With a small number of clients (1-10) everything works as it should and Squid is fast (no noticeable waiting time for websites to open). Users get authenticated, different AD groups can access the internet with blacklists/whitelists/full access and so on.
 
But as soon as I make the whole company (round about 80 clients) use the new proxy, it begins to be very slow. And by very slow I mean like 1-2 minutes waiting time (response time in access.log is like 60000-270000 milliseconds for TCP_TUNNEL) until a website is fully loaded. We got an old Squid proxy too, but without any authentication (just some dstdomain in general) and it's working great. But the new one is very slow.
 
Btw. some of our clients have IPv6, others IPv4 (~90%). There were no errors in cache.log (activated it for some minutes with debug ALL for error checking).
 
 
Can anyone help?
 
 
What I tried so far:
dns_v4_first on at the very end/very beginning from squid.conf
enable/disable (memory) caching
use Google DNS instead of our own
connect_timeout 3 seconds
 
Nothing really helped.
 
Here is my squid.conf:
 
######### allowed port part ########################
acl Allowed_port port 80          # http
acl Allowed_port port 21          # ftp
acl Allowed_port port 443         # https
acl Allowed_port port 70          # gopher
acl Allowed_port port 210         # wais
acl Allowed_port port 1025-65535  # unregistered ports
acl Allowed_port port 280         # http-mgmt
acl Allowed_port port 488         # gss-http
acl Allowed_port port 591         # filemaker
acl Allowed_port port 777         # multiling http
acl Allowed_port port 10000       # Proofpoint
acl CONNECT method CONNECT
http_access deny CONNECT !Allowed_port
 
##################### cache/logs ########################
cache_log /dev/null
#logfile_rotate 0
logformat myformat %{%d.%m %H:%M:%S}tl %>a %Ss %ru %tr
access_log /var/log/squid/access.log myformat
#cache_dir aufs /var/spool/squid 16384 32 512
#cache_mem 8 MB
#maximum_object_size_in_memory 64 KB
#maximum_object_size 4 MB
#coredump_dir /var/spool/squid
cache deny all
coredump_dir /dev/null
cache_dir null /dev/null
cache_store_log none
 
########## Debug ########################
#debug_options ALL,1 33,2 28,9
 
######################### squid-port #######
http_port 3128                              #proxy port
authenticate_ttl 2 hours                    #auth timeout squid->passwd_server
#acl localhost src 192.168.2.2                #proxy IP
#follow_x_forwarded_for allow localhost      #trust localhost
#general allow everything
#acl whole_company src 192.0.0.0-192.255.255.254
#http_access allow whole_company
 
############### url_regex ####
acl black_regex url_regex "/etc/squid/regex_black.acl"
#http_access allow white_regexp
acl white_regex url_regex "/etc/squid/regex_white.acl"
acl license_regex url_regex "/etc/squid/regex_license_servers_no_auth.acl"
 
############################# allow License Managers ##########
http_access allow license_regex all
 
################### Kerberos ##################################
auth_param negotiate program /lib/squid/negotiate_wrapper_auth -d --ntlm /bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN.TLD --kerberos /lib/squid/negotiate_kerberos_auth -d -s HTTP/proxy.domain.tld@xxxxxxxxxx
auth_param negotiate children 200
auth_param negotiate keep_alive on
 
########################## Allow based on group membership ######
# Authentication required, otherwise Pop-Up
acl Authenticated_Users proxy_auth REQUIRED
http_access deny !Authenticated_Users all
 
# Define external acl for group check
external_acl_type ldap_group ipv4 ttl=300 negative_ttl=120 children-max=200 %LOGIN /lib/squid/ext_ldap_group_acl -K -S -R \
-b "ou=Users,DC=domain,DC=tld" \
-D "ProxyUser@xxxxxxxxxx" \
-W /etc/squid/authfile \
-f "(&(objectclass=person)(sAMAccountName=%v)(memberof=CN=%a,OU=Groups,DC=domain,DC=tld))" \
-h 192.0.1.1
 
## check whitelist group
#acl whitelist_Internet_Users external ldap_group whitelist
#http_access allow whitelist_Internet_Users white_regex
 
## check blacklist group
#acl blacklist_Internet_Users external ldap_group blacklist
#http_access allow blacklist_Internet_Users !black_regex
 
## check full_access group
#acl full_access_Internet_Users external ldap_group full_access
#http_access allow full_access_Internet_Users all
 
## check Users group
acl Users_Internet_Users external ldap_group Users
http_access allow Users_Internet_Users !black_regex
 
http_access deny all
dns_v4_first on
connect_timeout 3 seconds
 
 
Regards!
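Added example, not from the thread: a parser for the custom logformat both configs in this thread use (`%{%d.%m %H:%M:%S}tl %>a %Ss %ru %tr`) that pulls out the slow TCP_TUNNEL entries and summarises response times per Squid status, which is how the 60000-270000 ms responses mentioned above can be isolated from an access.log. The log lines are constructed, not taken from the poster's proxy.

```python
import re
from collections import defaultdict

# Constructed sample lines in the poster's logformat
# "%{%d.%m %H:%M:%S}tl %>a %Ss %ru %tr":
# local time, client address, Squid status, request URL, response time (ms).
SAMPLE_LOG = """\
08.11 13:01:02 192.0.2.10 TCP_TUNNEL/200 example.com:443 61234
08.11 13:01:05 192.0.2.11 TCP_MISS/200 http://example.org/index.html 412
08.11 13:01:07 192.0.2.10 TCP_TUNNEL/200 login.example.net:443 270001
08.11 13:01:09 192.0.2.12 TCP_DENIED/407 http://intranet.example/ 3
08.11 13:01:10 192.0.2.12 TCP_TUNNEL/200 example.com:443 950
this line is deliberately malformed and must be skipped
"""

# The time field itself contains a space, so match the layout instead of splitting on whitespace.
LINE_RE = re.compile(
    r"^(?P<date>\d{2}\.\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<client>\S+) (?P<status>\S+) (?P<url>\S+) (?P<ms>\d+)$"
)

def parse_access_log(text):
    """One dict per well-formed line; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["ms"] = int(entry["ms"])
            entries.append(entry)
    return entries

def slow_requests(entries, threshold_ms=10000):
    """Entries slower than threshold_ms, slowest first (the 60000-270000 ms
    TCP_TUNNEL responses reported in the thread would land here)."""
    return sorted((e for e in entries if e["ms"] > threshold_ms),
                  key=lambda e: e["ms"], reverse=True)

def stats_by_status(entries):
    """Per Squid status (e.g. TCP_TUNNEL/200, TCP_DENIED/407): count and max ms.
    A high TCP_DENIED/407 share points at authentication rather than upstream delay."""
    stats = defaultdict(lambda: {"count": 0, "max_ms": 0})
    for e in entries:
        s = stats[e["status"]]
        s["count"] += 1
        s["max_ms"] = max(s["max_ms"], e["ms"])
    return dict(stats)
```

Run it against a real access.log by passing the file contents to parse_access_log; an empty result on a populated file means the logformat line in squid.conf differs from the one assumed here.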
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
