Hi all,
We are looking to replace our proxy infrastructure
with squid, but I am concerned about the performance of squid using the
ntlm_auth samba handler (specifically using negotiate). We are almost
ready to do some Loadrunner stress tests, but I wanted to see if anyone
had some baseline statistics out there? I saw that squid uses authenticate_ip_shortcircuit_ttl in 2.7. Has anyone used the IP caching feature, and are there plans to
port it to the 3.x branch? (we are really after the ICAP functionality)
I am currently investigating a way to push our AD user/group
listings into a flat file tree once a night, so squidGuard can do AD
group lookups locally. That should save authorization cycles, but the
samba authentication is what really worries me... I really wish
kerberos was prevalent enough that we could just force kerberos/Basic,
but that's the way it goes... I don't even know how we could load test
kerberos authentication...
Current deployment:
------------------------------------------------------
squid: 3.0.11
squidGuard: 1.4
samba: 3.2.7
server: RHAS 5.2 64bit (Sunfire 4100 8gigs of ram)
Current configs (squid is not yet optimized)
--------------------------------------------------------------------
# --- Squid 3.0.11 configuration as posted (addresses redacted by the author) ---
http_port xx.xx.x.xxx:8080
tcp_outgoing_address xx.xx.x.xxx
#####################################################################
# AUTHENTICATION
#####################################################################
# Negotiate (Kerberos) helper. "-d" switches on the helper's debug output;
# keep it off in production so principal/ticket details are not written
# to cache.log on every authentication.
auth_param negotiate program /dev/pkgs/linux/intel/squid/3.0.11/libexec/squid_kerb_auth -d
auth_param negotiate children 10
auth_param negotiate keep_alive on
# NTLM via winbind: each challenge/response exchange is handed to the helper
# and validated upstream, which is the round trip the author expects to be
# the performance bottleneck.
auth_param ntlm program /dev/pkgs/linux/intel/samba/3.2.7/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive on
# Basic auth delivers the domain password to the proxy base64-encoded, i.e.
# effectively in cleartext on the client-to-proxy leg; only offer it on a
# trusted segment.
auth_param basic program /dev/pkgs/linux/intel/samba/3.2.7/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 10
auth_param basic realm Squid proxy-caching web server
# Squid re-validates a cached Basic credential with the helper only after this
# TTL, so a password change or account disable at the DC can take up to
# 6 hours to be noticed for an already-authenticated user.
auth_param basic credentialsttl 6 hours
auth_param basic casesensitive off
#####################################################################
# ACL'S
#####################################################################
acl manager proto cache_object
acl localhost src 127.0.0.1/32
# Declared but not referenced by any http_access rule below. The stock config
# pairs it with "http_access deny to_localhost" so clients cannot reach
# loopback-bound services (the ICAP listener on localhost:1344, for one)
# through the proxy.
acl to_localhost dst 127.0.0.0/8
# Declared but not referenced below. The stock config restricts CONNECT to
# SSL_ports (and everything else to Safe_ports); as written, any
# authenticated user can tunnel to any host:port.
acl CONNECT method CONNECT
# Matches the client-supplied User-Agent header. Because that header is under
# the client's control, the "http_access allow java" rule below admits any
# request carrying one of these strings without authentication.
acl java browser Java/1.3 Java/1.4
acl ntlm_users proxy_auth REQUIRED
http_access allow manager localhost
http_access deny manager
# Unauthenticated path for Java clients -- see the note on the "java" acl.
http_access allow java
http_access allow ntlm_users
http_access deny all
#####################################################################
# DNS Settings
#####################################################################
dns_defnames on
dns_nameservers xx.xx.xx.xxx xx.xx.xx.xxx
#####################################################################
#
#####################################################################
hierarchy_stoplist cgi-bin ?
access_log /etrade/pkgs/linux/intel/squid/3.0.11/var/logs/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# ICP is listening but no icp_access rule appears in this config; confirm
# the effective default on this build denies unlisted peers.
icp_port 3130
# A core file of the squid process may contain request headers and cached
# credentials; keep this directory readable by the squid user only.
coredump_dir /etrade/pkgs/linux/intel/squid/3.0.11/var/cache
#####################################################################
# Squid Guard
#####################################################################
redirect_program /dev/pkgs/linux/intel/squidGuard/1.4/bin/squidGuard
redirect_children 10
#####################################################################
# Kaspersky AV
#####################################################################
icap_enable on
# Passes the client's IP to the ICAP server (X-Client-IP header).
icap_send_client_ip on
# Third field is the bypass flag: 0 means an unreachable or failing scanner
# fails the transaction rather than letting content through unscanned.
icap_service is_kav_req reqmod_precache 0 icap://localhost:1344/av/reqmod
icap_service is_kav_resp respmod_precache 0 icap://localhost:1344/av/respmod
acl acl_kav_GET method GET
icap_class ic_kav_req is_kav_req
icap_class ic_kav_resp is_kav_resp
# Every response is scanned; requests are scanned except bodiless GETs.
icap_access ic_kav_resp allow all
icap_access ic_kav_req allow all !acl_kav_GET
SAMBA
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
# global parameters
# --- smb.conf for the Samba 3.2.7 domain member that backs ntlm_auth ---
[global]
# ADS membership settings
workgroup = DEV
netbios name = PROXYDEV1
realm = DEV.COM
server string = proxydev1.dev.com
security = ADS
winbind trusted domains only = yes
#winbind cache time = 600 # tested samba auth caching, doesn't work for ntlm_auth
#winbind offline logon = true #
allow trusted domains = no
use kerberos keytab = true
# IdMap settings
# Strips the DOMAIN\ prefix from names winbind returns, so squid's logs and
# ACLs see bare usernames.
winbind use default domain = yes
idmap domains = DEV
idmap config DEV:backend = nss
idmap config DEV:readonly = yes
idmap config DEV:default = no
# security settings
encrypt passwords = yes
lm announce = no
# Client-side (winbind -> DC) hardening: no LM responses, NTLMv2 only,
# no plaintext, and a signed/sealed netlogon channel.
client lanman auth = no
client ntlmv2 auth = yes
client plaintext auth = no
client schannel = yes
server schannel = yes
# "Auto" offers SMB signing on this host's own SMB listener but does not
# require it; "mandatory" would.
server signing = Auto
# Duplicate of the "encrypt passwords" line a few entries above; harmless
# but should be dropped.
encrypt passwords = yes
lanman auth = no
# NOTE(review): these two govern responses checked against this host's own
# SAM. The NTLMSSP exchange that squid's ntlm_auth helper collects is
# validated at the DC via winbind, so whether NTLMv1 is accepted for proxy
# users is decided by the DC's policy -- confirm there rather than relying
# on this line.
ntlm auth = no
# NT1 as the floor refuses the pre-NT (CORE/LANMAN) dialects; as the
# ceiling it is the newest dialect this release supports anyway.
min protocol = NT1
max protocol = NT1
show add printer wizard = no
load printers = no
Thanks all!
Received on Fri May 01 2009 - 14:34:35 MDT