[squid-users] Slow performance when enable NTLM auth

From: Francisco José Márquez Gómez <fjmarquez.ext_at_chguadalquivir.es>
Date: Thu, 24 Mar 2011 10:56:50 +0100

Hi friends,

I'm suffering a speed problem when I use NTLM to authenticate users. If I use
basic auth, everything works fine and web pages load almost instantaneously, but
when I enable NTLM, the same web pages can take 10-30 seconds to load...

I've found some similar cases, but nobody knows a solution:
---------------------------------------------------------------------------------
http://www.linuxforums.org/forum/servers/165500-squid-very-slow-using-ntlm.html
http://readlist.com/lists/squid-cache.org/squid-users/7/35240.html

I've used this guide to set up my server:
-----------------------------------------------------
http://wiki.squid-cache.org/ConfigExamples/Authenticate/NtlmCentOS5

My only changes to squid.conf are these:
--------------------------------------------------------------

cache_effective_group wbpriv

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 50
auth_param ntlm keep_alive on

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

acl chglan src 10.31.32.0/24

acl ntlm proxy_auth REQUIRED
http_access allow chglan ntlm
-----------------------------------------------------------------

and, as the previously mentioned guide says, I launched authconfig to set up
winbind and samba.

Can somebody help me? It is mandatory for me to be able to remove the stupid
authentication popup which all browsers show for proxy authentication.
Prior to squid, we were using MS ISA server, and now users are
constantly crying because their browsers show authentication popups each
time they open them...

Regards,
F.J

-----------------------
More info:
------------------------

HW:
--------------------------------
VMware ESX virtual machine with:
- 1 vProcessor (2 GHz reserved)
- 4GB of RAM
- 10GB of HD
- vNIC Gigabit

OS:
---------------------------------
Red Hat Enterprise Linux 5.6 x86_64
Linux proxy.domain 2.6.18-238.5.1.el5 #1 SMP Mon Feb 21 05:52:39 EST 2011 x86_64 x86_64 x86_64 GNU/Linux

Squid:
-----------------------------------------
Squid Cache: Version 2.6.STABLE21
configure options: '--build=x86_64-redhat-linux-gnu'
'--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu'
'--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr'
'--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc'
'--includedir=/usr/include' '--libdir=/usr/lib64'
'--libexecdir=/usr/libexec' '--sharedstatedir=/usr/com'
'--mandir=/usr/share/man' '--infodir=/usr/share/info'
'--exec_prefix=/usr' '--bindir=/usr/sbin'
'--libexecdir=/usr/lib64/squid' '--localstatedir=/var'
'--datadir=/usr/share' '--sysconfdir=/etc/squid' '--enable-arp-acl'
'--enable-epoll' '--enable-snmp' '--enable-removal-policies=heap,lru'
'--enable-storeio=aufs,coss,diskd,null,ufs' '--enable-ssl'
'--with-openssl=/usr/kerberos' '--enable-delay-pools'
'--enable-linux-netfilter' '--with-pthreads'
'--enable-ntlm-auth-helpers=SMB,fakeauth'
'--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group'
'--enable-auth=basic,digest,ntlm,negotiate'
'--enable-negotiate-auth-helpers=squid_kerb_auth'
'--enable-digest-auth-helpers=password' '--with-winbind-auth-challenge'
'--enable-useragent-log' '--enable-referer-log'
'--disable-dependency-tracking' '--enable-cachemgr-hostname=localhost'
'--enable-underscores'
'--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL'
'--enable-cache-digests' '--enable-ident-lookups'
'--enable-follow-x-forwarded-for' '--enable-wccpv2' '--enable-fd-config'
'--with-maxfd=16384' 'build_alias=x86_64-redhat-linux-gnu'
'host_alias=x86_64-redhat-linux-gnu'
'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-D_FORTIFY_SOURCE=2 -fPIE
-Os -g -pipe -fsigned-char' 'LDFLAGS=-pie'

package info:

Name : squid
Arch : x86_64
Epoch : 7
Version : 2.6.STABLE21
Release : 6.el5
Size : 3.7 M
Repo : installed

Samba:
------------
Name : samba3x
Arch : x86_64
Version : 3.5.4
Release : 0.70.el5_6.1
Size : 5.9 M
Repo : rhel-x86_64-server-5 (not installed)

Name : samba3x-common
Arch : x86_64
Version : 3.5.4
Release : 0.70.el5_6.1
Size : 49 M
Repo : installed

Name : samba3x-winbind
Arch : x86_64
Version : 3.5.4
Release : 0.70.el5_6.1
Size : 12 M
Repo : installed

mgr:info output (this is not the real scenario; currently only a few users are
using it, so the load is very low, but even so, the performance is very poor):
---------------------------------------------------------------------------
squidclient -p 3128 mgr:info
HTTP/1.0 200 OK
Server: squid/2.6.STABLE21
Date: Thu, 24 Mar 2011 09:42:22 GMT
Content-Type: text/plain
Expires: Thu, 24 Mar 2011 09:42:22 GMT
Last-Modified: Thu, 24 Mar 2011 09:42:22 GMT
X-Cache: MISS from proxy.domain
X-Cache-Lookup: MISS from proxy.domain:3128
Via: 1.0 fresneda.chg:3128 (squid/2.6.STABLE21)
Proxy-Connection: close

Squid Object Cache: Version 2.6.STABLE21
Start Time: Thu, 24 Mar 2011 08:10:23 GMT
Current Time: Thu, 24 Mar 2011 09:42:22 GMT
Connection information for squid:
         Number of clients accessing cache: 4
         Number of HTTP requests received: 4785
         Number of ICP messages received: 0
         Number of ICP messages sent: 0
         Number of queued ICP replies: 0
         Request failure ratio: 0.00
         Average HTTP requests per minute since start: 52.0
         Average ICP messages per minute since start: 0.0
         Select loop called: 50357 times, 109.595 ms avg
Cache information for squid:
         Request Hit Ratios: 5min: 1.6%, 60min: 24.6%
         Byte Hit Ratios: 5min: 30.9%, 60min: 63.4%
         Request Memory Hit Ratios: 5min: 0.0%, 60min: 3.1%
         Request Disk Hit Ratios: 5min: 0.0%, 60min: 68.6%
         Storage Swap size: 44980 KB
         Storage Mem size: 976 KB
         Mean Object Size: 13.34 KB
         Requests given to unlinkd: 232
Median Service Times (seconds) 5 min 60 min:
         HTTP Requests (All): 0.01469 0.01387
         Cache Misses: 0.02317 0.03066
         Cache Hits: 0.00000 0.00919
         Near Hits: 0.04776 0.07409
         Not-Modified Replies: 0.00000 0.00286
         DNS Lookups: 0.01098 0.02130
         ICP Queries: 0.00000 0.00000
Resource usage for squid:
         UP Time: 5518.860 seconds
         CPU Time: 2.446 seconds
         CPU Usage: 0.04%
         CPU Usage, 5 minute avg: 0.06%
         CPU Usage, 60 minute avg: 0.04%
         Process Data Segment Size via sbrk(): 5272 KB
         Maximum Resident Size: 36432 KB
         Page faults with physical i/o: 0
Memory usage for squid via mallinfo():
         Total space in arena: 5404 KB
         Ordinary blocks: 5319 KB 28 blks
         Small blocks: 0 KB 0 blks
         Holding blocks: 356 KB 1 blks
         Free Small blocks: 0 KB
         Free Ordinary blocks: 85 KB
         Total in use: 5675 KB 99%
         Total free: 85 KB 1%
         Total size: 5760 KB
Memory accounted for:
         Total accounted: 2308 KB
         memPoolAlloc calls: 572398
         memPoolFree calls: 557317
File descriptor usage for squid:
         Maximum number of file descriptors: 1024
         Largest file desc currently in use: 68
         Number of file desc currently in use: 65
         Files queued for open: 0
         Available number of file descriptors: 959
         Reserved number of file descriptors: 100
         Store Disk files open: 0
         IO loop method: epoll
Internal Data Structures:
           3401 StoreEntries
            201 StoreEntries with MemObjects
            200 Hot Object Cache Items
           3372 on-disk objects
Received on Thu Mar 24 2011 - 09:57:02 MDT
