Re: [squid-users] auth_param basic children

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 07 Oct 2008 18:24:31 +1300

Andrew Struiksma wrote:
> I have set up a reverse proxy which prompts for a password if the client is not on our LAN. I am not sure as to the proper setting of auth_param basic children. I set it to 2 since we will have around 75 users hitting the site from our LAN but probably fewer than 10 simultaneous users from the outside. I'm just not sure if I'm correctly understanding how often the helper is actually used by Squid.
>
> Is auth_param basic children only important when a user is actually prompted for a password? Or, is the authentication used every time a client requests pages from Squid? Does it matter if the client is on our LAN or not?
>

When Squid needs to authenticate a user their details are passed to the
auth helper. It then waits (doing other stuff meanwhile) for the helper
to send back its result.

There are two things which affect performance.

  A) children - number of helpers squid can send data to.

  B) helper concurrency - number of requests squid is allowed to queue
up for a single helper.

Squid can only handle up to A x B requests which need authenticating at
any given time. More requests than that will get an error message.

It's a trade-off for how fast your helper can work (i.e. how long things
might wait in the queue) against how many helpers you can run in
parallel before server CPU cut is noticeable.

NP: Some helpers though have a max concurrency of 1.

Amos

> Thanks!
>
> Andrew
>
> ---squid.conf---------------
> http_port my_ip:80 defaultsite=webserver.company.com
> https_port my_ip:443 cert=/etc/apache2/ssl/webserver.company.com.cert key=/etc/apache2/ssl/webserver.company.com.key defaultsite=webserver.company.com
>
> #redirects all http traffic to https
> acl port80 myport 80
> deny_info https://webserver.company.com port80
> http_access deny port80
>
> #reverse proxy
> cache_peer webserver.company.com parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=myAccel
> acl our_sites dstdomain webserver.company.com
> acl all src 0.0.0.0/0.0.0.0
>
> auth_param basic program /usr/lib/squid/ldap_auth -R -b "dc=company,dc=com" -D "cn=squid_user,cn=Users,dc=company,dc=com" -w "password" -f sAMAccountName=%s -h 192.168.1.2
> auth_param basic children 2
> auth_param basic realm Our web site
> auth_param basic credentialsttl 2 hours
>
> #these networks can access webserver without authenticating
> acl trusted_nets src 192.168.1.0/24
>
> acl ldap_users proxy_auth REQUIRED
>
> http_access allow trusted_nets our_sites
> http_access allow ldap_users our_sites
>
> cache_peer_access myAccel allow our_sites
> cache_peer_access myAccel deny all
>
> never_direct allow our_sites
> ----------------------
>

-- 
Please use Squid 2.7.STABLE4 or 3.0.STABLE9
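As an added illustration of the A x B model described in the reply above (not code from the thread or from the Squid project): a small queue simulation in which each helper serves its queued requests one at a time. The helper service time and the arrival times are constructed sample values; "arrivals" stand for only those requests Squid actually has to hand to a helper.

```python
"""Model Squid's auth helper pool: A children x B concurrency."""


def simulate_auth_helpers(children, concurrency, service_ms, arrivals):
    """Return served/rejected counts and worst queue wait for a pool.

    children     - number of helper processes (auth_param ... children)
    concurrency  - requests Squid may queue on one helper (1 for helpers
                   without concurrency support)
    service_ms   - constructed time one helper needs per lookup
    arrivals     - sorted request arrival times in ms (constructed sample)
    """
    # Per helper: finish times of requests still in flight, in order.
    helpers = [[] for _ in range(children)]
    served = rejected = max_wait = 0
    for t in arrivals:
        # Retire lookups that have already completed by time t.
        for q in helpers:
            while q and q[0] <= t:
                q.pop(0)
        # Hand the request to the least loaded helper.
        q = min(helpers, key=len)
        if len(q) >= concurrency:
            # Every slot in A x B is taken: Squid errors this request.
            rejected += 1
            continue
        # A helper works sequentially, so a queued request waits for the
        # lookups ahead of it on the same helper.
        start = max(t, q[-1]) if q else t
        q.append(start + service_ms)
        max_wait = max(max_wait, start - t)
        served += 1
    return {
        "capacity": children * concurrency,
        "served": served,
        "rejected": rejected,
        "max_wait_ms": max_wait,
    }


if __name__ == "__main__":
    # Same A x B capacity, different shape: wide pool vs. deep queue.
    burst = [0, 10, 20, 30, 40]  # constructed burst of helper lookups
    print("4 children x 1:", simulate_auth_helpers(4, 1, 100, burst))
    print("1 child  x 4:", simulate_auth_helpers(1, 4, 100, burst))
```

With the same capacity of four, the wide pool answers every lookup immediately while the deep queue makes the last accepted request wait for the three ahead of it; both reject the fifth request of the burst.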
Received on Tue Oct 07 2008 - 05:24:35 MDT