Re: [squid-users] Squid3 / NTLM / token id cache

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 22 Jul 2009 16:01:07 +1200

On Tue, 21 Jul 2009 09:47:48 -0300, "Soporte Técnico @lemNet"
<soporte_at_nodoalem.com.ar> wrote:
> rep_mime_type can't be used for parent selection because this is evaluated
> before content has been reached?
>
> Is this true?

No. It can't be evaluated because selecting a source is based on the
_request_.

And what does this have to do with reducing NTLM authentication workload?

Amos

>
> Jorge.
>
>
> ----- Original Message -----
> From: "Frederic THOMAS" <frederic.thomas_at_atosorigin.com>
> To: <squid-users_at_squid-cache.org>
> Sent: Tuesday, July 21, 2009 9:18 AM
> Subject: [squid-users] Squid3 / NTLM / token id cache
>
>
>> Hello,
>>
>>
>> I've installed 2 Squid 3.0.STABLE5 + samba-winbind on a Mandriva 2008.1
>> with NTLM authentication.
>> It works, clients are able to surf on the web using the proxy and
>> usernames are correctly logged.
>> But we experienced some latency issues on websites. When I look into the
>> access.log file I observe a lot of 407 authentication requests. So I read
>> about NTLM authentication and see that there is an authentication
>> request for each connection. There are nearly 6000 users on the 2 Squid
>> servers and I have noticed there's some great traffic between the Squid boxes
>> and the AD server, which is expected, because of the authentication traffic.
>> On the previous version we could use the following settings (NTLM parameters on
>> Squid 2.5, and I noticed they didn't exist after 2.6):
>>
>> "max_challenge_reuses" number
>> "max_challenge_lifetime" timespan
>>
>> What similar option on Squid 3 can be used to reduce authentication
>> traffic? Is there any solution to avoid an authentication request for
>> each connection and have the possibility to reuse a token id?
>>
>> * Squid.conf :
>>
>> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>> auth_param ntlm children 80
>> auth_param ntlm keep_alive on
>>
>> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
>> auth_param basic children 5
>> auth_param basic realm Squid AD
>> auth_param basic credentialsttl 2 hours
>>
>> * What I found in the cache.log files:
>>
>> libsmb/ntlmssp.c:ntlmssp_update(327)
>> Failed to parse NTLMSSP packet, could not extract NTLMSSP command (~= each second)
>>
>>
>> Regards,
>>
>> Frederic THOMAS
>>
>>
Received on Wed Jul 22 2009 - 04:01:16 MDT
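
An added example (not part of the original thread, and not Squid project code): a Python sketch that measures, per client, what share of access.log entries are 407 challenges, the symptom described in the original question. The log lines are constructed, and the native access.log field order, the function names and the 0.5 threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample, assuming Squid's native access.log layout:
# time elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1248177600.101      1 10.0.0.15 TCP_DENIED/407 1794 GET http://example.com/ - NONE/- text/html
1248177600.130      2 10.0.0.15 TCP_DENIED/407 2049 GET http://example.com/ - NONE/- text/html
1248177600.412    280 10.0.0.15 TCP_MISS/200 5120 GET http://example.com/ alice DIRECT/192.0.2.10 text/html
1248177601.020      1 10.0.0.15 TCP_DENIED/407 1794 GET http://example.com/a.css - NONE/- text/html
1248177601.044      2 10.0.0.15 TCP_DENIED/407 2049 GET http://example.com/a.css - NONE/- text/html
1248177601.300    250 10.0.0.15 TCP_MISS/200 900 GET http://example.com/a.css alice DIRECT/192.0.2.10 text/css
1248177602.000      1 10.0.0.22 TCP_DENIED/407 1794 GET http://example.org/ - NONE/- text/html
1248177602.200    190 10.0.0.22 TCP_MISS/200 4000 GET http://example.org/ bob DIRECT/192.0.2.20 text/html
1248177602.400     90 10.0.0.22 TCP_MISS/200 700 GET http://example.org/b.js bob DIRECT/192.0.2.20 text/javascript
1248177602.600      5 10.0.0.22 TCP_HIT/200 300 GET http://example.org/c.png bob NONE/- image/png
truncated line
"""


def challenge_stats(log_text):
    """Return {client: {"total": n, "denied_407": n, "ratio": float}}."""
    counts = defaultdict(lambda: {"total": 0, "denied_407": 0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 10 or "/" not in fields[3]:
            continue  # skip truncated or foreign-format lines
        client = fields[2]
        status = fields[3].rsplit("/", 1)[1]  # "TCP_DENIED/407" -> "407"
        counts[client]["total"] += 1
        if status == "407":
            counts[client]["denied_407"] += 1
    return {
        c: {**v, "ratio": round(v["denied_407"] / v["total"], 3)}
        for c, v in counts.items()
    }


def noisy_clients(stats, threshold=0.5):
    """Clients whose share of 407 replies meets the (assumed) threshold."""
    return sorted(c for c, v in stats.items() if v["ratio"] >= threshold)


if __name__ == "__main__":
    stats = challenge_stats(SAMPLE_LOG)
    for client, v in sorted(stats.items()):
        print(client, v)
    print("re-authenticating heavily:", noisy_clients(stats))
```

A client with a high ratio is opening a new connection, and so a new NTLM handshake, for nearly every object it fetches.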