Re: [squid-users] Slow performance when enable NTLM auth

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 25 Mar 2011 02:45:32 +1300

On 24/03/11 22:56, Francisco José Márquez Gómez wrote:
> Hi friends,
>
> I'm suffering a speed problem when I use NTLM for auth users. If I use
> basic auth, all works fine and webpages load almost instantaneously, but
> when I enable NTLM, the same webpages can take 10-30 seconds to load....
>

NTLM is designed to take 2x the HTTP traffic just to authenticate.
With older Squid such as yours the connections are often closed very
fast and every re-open has to re-authenticate from scratch.
  Turning persistent connections ON can reduce the load a bit. This is
not perfect in older squid, just a reduction.

> I've found some similar cases, but nobody knows a solution:
> ---------------------------------------------------------------------------------
>
> http://www.linuxforums.org/forum/servers/165500-squid-very-slow-using-ntlm.html
>
> http://readlist.com/lists/squid-cache.org/squid-users/7/35240.html
>

Those read like people noticing the 2x traffic waste.

> I've used this guide to set up my server:
> -----------------------------------------------------
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/NtlmCentOS5
>
> My only changes to squid.conf are these:
> --------------------------------------------------------------
>
> cache_effective_group wbpriv

Setting "cache_effective_group" causes problems with winbind.

  In order for Squid and winbind to operate well together this directive
must be not-set.

I see that this is a RHEL package. RHEL patches the cache_effective_group
setting to always have a value, which prevents your OS security from
assigning a proxy group for web access AND a winbind_priv group for
winbind access.
  SOLUTION: self-build a squid without that RHEL patch.

Then on the command line add the Squid low-privilege user to the winbind
privileges group. Details are here:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm#winbind_privileged_pipe_permissions

(mind the wrap)

>
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 50
> auth_param ntlm keep_alive on
>
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
>
> acl chglan src 10.31.32.0/24
>
> acl ntlm proxy_auth REQUIRED
> http_access allow chglan ntlm
> -----------------------------------------------------------------
>

That config looks fine.

> and as the previously mentioned guide says, I launch authconfig to set up
> winbind and samba.
>
> Can somebody help me?? It is mandatory for me to remove the stupid
> authentication popup which all browsers show for proxy authentication.

Removing the popup is not possible. As you have seen even NTLM can do
popups. This is because the popup is a browser feature to fetch
credentials when it cannot find any working local ones.
  "Single sign-on" works for any auth method. It only requires that the
browser have access to the credentials.

That said the popups are seen with NTLM due to:
  1) the browser cannot retrieve NTLM login credentials from the system.
  2) the credentials the system gave the browser cannot be validated by
Squid.
  3) some older squid had bugs which would reject good credentials (rare)

winbind privilege problems are a likely reason for (2). That wiki page I
referenced has a section on testing the setup. Try all that to see if
you can confirm the problem cause.

Incorrect client system configuration is the reason for (1).

(3) is relatively rare, but could be noticed particularly if many
requests were opened simultaneously, since it bites on double-auth while
squid is waiting for an auth response.

> Prior to squid, we were using MS ISA server and now, users are
> constantly crying because their browsers show authentication popups each
> time they open them...

This behaviour (*one* popup on a new browser session) indicates that the
users' OS is not giving their browser their current machine login to use
for accessing the proxy. (1) above.

FWIW;
  Microsoft wrote both NTLM specs and ISA proxy. Other software is still
trying to catch up and cope with their designs. We mostly have the
browser behaviour as a known thing. There are still issues with things
that non-browser Microsoft software does when talking to proxies.

To have a closely comparable Squid vs ISA experience you will need
Squid-3.1.10 or later.

HTH
Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.11
   Beta testers wanted for 3.2.0.5
Received on Thu Mar 24 2011 - 13:45:42 MDT

This archive was generated by hypermail 2.2.0 : Thu Mar 31 2011 - 12:00:02 MDT
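Amos's reply points at the wiki section on winbind privileged pipe permissions and at the group membership the Squid helper user needs. The POSIX shell script below is an added example, not from the thread or from the Squid or Samba projects: it checks, from a defender's side, the two static conditions his diagnosis for cause (2) depends on (the Squid run user is in the winbind privileged group, and that group can read and search the privileged pipe directory), then runs `wbinfo -t` if Samba's tools are installed. The user name `squid`, the directory `/var/lib/samba/winbindd_privileged` and the use of `wbpriv` as the group are assumptions for a RHEL/CentOS-style layout (the thread itself names only `wbpriv`); override them through the environment for other distributions.

```shell
#!/bin/sh
# Added example (not from the thread or the Squid project): sanity checks for
# the winbind privileged-pipe permissions discussed in the reply.
# ASSUMPTIONS: RHEL/CentOS-style names; override via the environment.
SQUID_USER="${SQUID_USER:-squid}"
WINBIND_GROUP="${WINBIND_GROUP:-wbpriv}"
PRIV_DIR="${PRIV_DIR:-/var/lib/samba/winbindd_privileged}"

# Return 0 if user $1 belongs to group $2 (primary or supplementary).
user_in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx -- "$2"
}

# Return 0 if directory $1 is group-owned by $2 and the group has read and
# search permission on it (mode bits 050), which ntlm_auth needs to open the
# privileged pipe. `find -prune` keeps the test on the directory itself.
dir_group_accessible() {
    [ -d "$1" ] || return 1
    [ -n "$(find "$1" -prune -group "$2" -perm -050 2>/dev/null)" ]
}

# Run the static checks and, when Samba's tools exist, the live trust check.
# Prints one line per check; returns 0 only if every check passed.
check_winbind_setup() {
    _rc=0
    if user_in_group "$SQUID_USER" "$WINBIND_GROUP"; then
        echo "ok   $SQUID_USER is in group $WINBIND_GROUP"
    else
        echo "FAIL $SQUID_USER is not in group $WINBIND_GROUP" \
             "(usermod -a -G $WINBIND_GROUP $SQUID_USER, then restart squid)"
        _rc=1
    fi
    if dir_group_accessible "$PRIV_DIR" "$WINBIND_GROUP"; then
        echo "ok   $PRIV_DIR is group $WINBIND_GROUP with g+rx"
    else
        echo "FAIL $PRIV_DIR is missing, not group $WINBIND_GROUP, or lacks g+rx"
        _rc=1
    fi
    if command -v wbinfo >/dev/null 2>&1; then
        # wbinfo -t verifies the machine trust account against the domain.
        if wbinfo -t >/dev/null 2>&1; then
            echo "ok   wbinfo -t: domain trust secret is valid"
        else
            echo "FAIL wbinfo -t: winbind cannot verify the trust secret"
            _rc=1
        fi
    else
        echo "skip wbinfo not installed; live winbind check not run"
    fi
    return $_rc
}

# Entry point when run as a script; the functions above can also be sourced.
if check_winbind_setup; then
    echo "all winbind checks passed"
else
    echo "some winbind checks failed; see FAIL lines above" >&2
fi
```

Run it as root on the proxy host (`sh winbind_check.sh`, or with `SQUID_USER=... PRIV_DIR=...` set for a non-RHEL layout). A FAIL on either static check is consistent with Amos's point that the helper cannot reach the privileged pipe, which makes Squid reject credentials the client's system considers good; after fixing group membership, restart Squid so the helper processes pick up the new supplementary group.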