Re: [squid-users] Slow performance when enable NTLM auth

From: Fran M�rquez <fjmarquez.ext_at_chguadalquivir.es>
Date: Thu, 31 Mar 2011 13:04:19 +0200

I've fixed the problem using my other DC in samba configuration.
Probably the main DC is busy due to other process/applications auth
petitions and is the cause of this poor performance.

Regards,
F.J

El 24/03/2011 14:45, Amos Jeffries escribi�:
> On 24/03/11 22:56, Francisco Jos� M�rquez G�mez wrote:
>> Hi friends,
>>
>> I'm suffering a speed problem when I use NTLM for auth users. If I use
>> basic auth, all work fine and webpages load almost instantaneous, but
>> when I enable NTLM, same webpages can took 10-30seconds to load it....
>>
>
> NTLM is designed to take 2x the HTTP traffic just to authenticate.
> With older Squid such as yours the connections are often closed very
> fast and every re-open has to re-authenticate from scratch.
> Turning persistent connections ON can reduce the load a bit. This is
> not perfect in older squid, just a reduction.
>
>> I've found some similar cases, but nobody know a solution:
>> ---------------------------------------------------------------------------------
>>
>>
>> http://www.linuxforums.org/forum/servers/165500-squid-very-slow-using-ntlm.html
>>
>>
>> http://readlist.com/lists/squid-cache.org/squid-users/7/35240.html
>>
>
> Those read like people noticing the 2x traffic waste.
>
>
>> I've used this guide for setup my server:
>> -----------------------------------------------------
>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/NtlmCentOS5
>>
>> My unique changes over squid.conf are this:
>> --------------------------------------------------------------
>>
>> cache_effective_group wbpriv
>
> Setting "cache_effective_group" causes problems with winbind.
>
> In order for Squid and winbind to operate well together this
> directive must be not-set.
>
> I see that this is a RHEL package. RHEL patch the
> cache_effective_group setting to always have a value. Which prevents
> your OS security from assigning a proxy group for web access AND a
> winbind_priv group for winbind access.
> SOLUTION: self-build a squid without that RHEL patch.
>
> Then on the command line add the Squid low-privilege user to the
> winbind privileges group. Details are here:
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm#winbind_privileged_pipe_permissions
>
>
> (mind the wrap)
>
>>
>> auth_param ntlm program /usr/bin/ntlm_auth
>> --helper-protocol=squid-2.5-ntlmssp
>> auth_param ntlm children 50
>> auth_param ntlm keep_alive on
>>
>> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
>>
>> acl chglan src 10.31.32.0/24
>>
>> acl ntlm proxy_auth REQUIRED
>> http_access allow chglan ntlm
>> -----------------------------------------------------------------
>>
>
> That config looks fine.
>
>> and as say the previous mentioned guide, I launch authconfig for setup
>> winbind and samba.
>>
>> Somebody can help me?? Is mandatory for me can remove the stupid
>> authentication popup wich show all browser for proxy authentication.
>
> Removing the popup is not possible. As you have seen even NTLM can do
> popups. This is because the popup is a browser feature to fetch
> credentials when it cannot find any working local ones.
> "Single sign-on" works for any auth method. It only requires that the
> browser have access to the credentials.
>
> That said the popups are seen with NTLM due to:
> 1) the browser cannot retrieve NTLM login credentials from the system.
> 2) the credentials the system gave the browser cannot be validated by
> Squid.
> 3) some older squid had bugs which would reject good credentials (rare)
>
> winbind privilege problems is a likely reason for (2). That wiki page
> I referenced has a section on testing the setup. Try all that to see
> if you can confirm the problem cause.
>
> incorrect client system configuration is the reason for (1).
>
> (3) is relatively rare. But could be noticed particularly if many
> requests were opened simultaneously. Since it bites on double-auth
> while squid is waiting for an auth response.
>
>
>> Prior to squid, we were using MS ISA server and now, users are
>> constantly crying because his browsers shows authentication popups each
>> time they open it...
>
> This behaviour (*one* popup on a new browser session) indicates that
> the users OS is not giving their browser their current machine login
> to use for accessing the proxy. (1) above.
>
>
> FWIW;
> Microsoft wrote both NTLM specs and ISA proxy. Other software is
> still trying to catch up and cope with their designs. We mostly have
> the browser behaviour as a known thing. There are still issues with
> things that non-browser Microsoft software do when talking to proxies.
>
> To have a closely comparable Squid vs ISA experience you will need
> Squid-3.1.10 or later.
>
>
> HTH
> Amos
Received on Thu Mar 31 2011 - 11:04:31 MDT

This archive was generated by hypermail 2.2.0 : Thu Mar 31 2011 - 12:00:02 MDT