AW: [squid-users] AW: any chance to optimize squid3?

From: Fuhrmann, Marcel <Marcel.Fuhrmann_at_lux.ag>
Date: Thu, 7 Feb 2013 10:22:28 +0000

Hello,

at the moment some users are using my new proxy (with Kerberos auth instead of NTLM). There is just one unlikely thing yet. The first time the browser starts (start page Google) it takes several seconds until the Google page is loaded. When I continue browsing to another page, this delay isn't noticeable. I suspect it has to do with the initial authentication. Is this normal or can I adjust some config?

This is my config for Kerberos:
auth_param negotiate program /usr/lib64/squid/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on

Thanks for helping me.

-----Original Message-----
From: Fuhrmann, Marcel [mailto:Marcel.Fuhrmann_at_lux.ag]
Sent: Saturday, 2 February 2013 11:04
To: squid-users_at_squid-cache.org
Subject: AW: [squid-users] AW: any chance to optimize squid3?

Hi Amos,

finally I've configured Kerberos auth and LDAP group check. In a few weeks I will report if the bottlenecks are eliminated.

This is now my config:

auth_param negotiate program /usr/lib64/squid/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on
external_acl_type checkgroup %LOGIN /usr/lib64/squid/squid_ldap_group -R -K -b "dc=DOMAIN,dc=local" -D ldap -w "PASSWORD" -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,ou=UserGroups,dc=DOMAIN,dc=local))" -h DOMAINCONTROLLER
.
(snip)
.
acl Terminalserver src 10.4.1.51-10.4.1.75
acl AUTH proxy_auth REQUIRED
acl InternetGroup external checkgroup internet
.
(snip)
.
http_access deny !AUTH
http_access allow InternetGroup Terminalserver
http_access deny Terminalserver
.
(snip)
.

Thanks for help.

------------------------------------------------------------------------
Amos Jeffries wrote:

> The big issues you have are:
> * using NTLM. This seriously caps the proxy performance and capacity. Each new TCP connection (~30 per second from your graphs) requires at least two full HTTP request/reply round trips just to authenticate before the actual HTTP response can begin to be identified and fetched.
>
> * using group to base access permissions. Like NTLM this caps the capacity of your Squid.
>
> * using a URL helper. Whether that is a big drag or not depends on what you are using it for and whether Squid can do that faster by itself.
>
> These are your big performance bottlenecks. Eliminating any of them will speed up your proxy. BUT whether it is worth doing is up to you.
Received on Thu Feb 07 2013 - 10:22:39 MST
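
Added example (not part of the original thread and not Squid's own tooling): one way to see how much of a client's traffic is authentication overhead is to count TCP_DENIED/407 challenges per client in access.log and compare them with authenticated requests. The log lines are constructed samples in Squid's native log format, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample lines in Squid's native access.log format:
# time elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1360232540.101      0 10.4.1.51 TCP_DENIED/407 3985 GET http://www.google.com/ - NONE/- text/html
1360232540.350    212 10.4.1.51 TCP_MISS/200 15320 GET http://www.google.com/ user1@DOMAIN.LOCAL DIRECT/203.0.113.10 text/html
1360232541.020     45 10.4.1.51 TCP_MISS/200 2210 GET http://www.google.com/logo.png user1@DOMAIN.LOCAL DIRECT/203.0.113.10 image/png
1360232542.500     60 10.4.1.51 TCP_HIT/200 910 GET http://www.google.com/app.js user1@DOMAIN.LOCAL NONE/- text/javascript
1360232550.000      0 10.4.1.52 TCP_DENIED/407 3985 GET http://example.com/ - NONE/- text/html
1360232550.040      0 10.4.1.52 TCP_DENIED/407 4210 GET http://example.com/ - NONE/- text/html
1360232550.300    180 10.4.1.52 TCP_MISS/200 5120 GET http://example.com/ user2 DIRECT/203.0.113.20 text/html
this line is truncated garbage
"""

def parse_line(line):
    """Return (client, result_code, http_status, user), or None if malformed."""
    fields = line.split()
    if len(fields) < 10 or "/" not in fields[3]:
        return None
    code, _, status = fields[3].partition("/")
    if not status.isdigit():
        return None
    return fields[2], code, int(status), fields[7]

def auth_overhead(log_text):
    """Per client: 407 challenges, authenticated requests, and their ratio."""
    stats = defaultdict(lambda: {"challenges": 0, "authenticated": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed or truncated lines
        client, _code, status, user = rec
        if status == 407:
            stats[client]["challenges"] += 1      # proxy asked for credentials
        elif user != "-":
            stats[client]["authenticated"] += 1   # request carried a user name
    result = {}
    for client, s in stats.items():
        total = s["challenges"] + s["authenticated"]
        result[client] = dict(s, challenge_ratio=round(s["challenges"] / total, 2))
    return result

if __name__ == "__main__":
    for client, s in sorted(auth_overhead(SAMPLE_LOG).items()):
        print(client, s)
```

A client showing two 407 entries before each authenticated request matches the multi-round-trip pattern described in the quoted reply; one 407 followed by many authenticated requests on kept-alive connections indicates the challenge cost is paid only at the start.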
