AW: [squid-users] AW: any chance to optimize squid3?

From: Fuhrmann, Marcel <Marcel.Fuhrmann_at_lux.ag>
Date: Tue, 12 Feb 2013 11:18:32 +0000

Hello again,

I found out that this delay comes from squid_ldap_group and not from squid_kerb_auth.
I thought it would be faster when using Kerberos auth and LDAP group check:

auth_param negotiate children 10
auth_param negotiate keep_alive on
auth_param negotiate program /usr/lib64/squid/squid_kerb_auth
external_acl_type checkgroup %LOGIN /usr/lib64/squid/squid_ldap_group -R -K -b "dc=DOMAIN,dc=local" -D ldap -w "PASSWORD" -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,ou=User_Gruppen,dc=DOMAIN,dc=local))" -h DOMAINCONTROLLER

instead of my old config:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 20 startup=0 idle=1
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Domain Proxy Server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
authenticate_cache_garbage_interval 10 seconds
authenticate_ttl 28800 seconds
external_acl_type nt_group ttl=5 children=5 %LOGIN /usr/lib/squid3/wbinfo_group.pl

What can I do? What's the best way to authorize a specific LDAP group?

Thanks for help.

--
 Marcel
-----Original Message-----
From: Fuhrmann, Marcel [mailto:Marcel.Fuhrmann_at_lux.ag]
Sent: Thursday, 7 February 2013 11:22
To: squid-users_at_squid-cache.org
Subject: AW: [squid-users] AW: any chance to optimize squid3?
Hello,
at the moment some users are using my new proxy (with Kerberos auth instead of NTLM). There is just one odd thing so far. The first time the browser starts (start page Google) it takes several seconds till the Google page is loaded. When I continue browsing to another page, this delay isn't noticeable. I suspect it has to do with the initial authentication. Is this normal or can I adjust some config?
This is my config for Kerberos:
auth_param negotiate program /usr/lib64/squid/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on
Thanks for helping me.
-----Original Message-----
From: Fuhrmann, Marcel [mailto:Marcel.Fuhrmann_at_lux.ag]
Sent: Saturday, 2 February 2013 11:04
To: squid-users_at_squid-cache.org
Subject: AW: [squid-users] AW: any chance to optimize squid3?
Hi Amos,
finally I've configured Kerberos auth and LDAP group check. In a few weeks I will report if the bottlenecks are eliminated.
This is now my config:
auth_param negotiate program /usr/lib64/squid/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on
external_acl_type checkgroup %LOGIN /usr/lib64/squid/squid_ldap_group -R -K -b "dc=DOMAIN,dc=local" -D ldap -w "PASSWORD" -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,ou=UserGroups,dc=DOMAIN,dc=local))" -h DOMAINCONTROLLER
(snip)
acl Terminalserver src 10.4.1.51-10.4.1.75
acl AUTH proxy_auth REQUIRED
acl InternetGroup external checkgroup internet
(snip)
http_access deny !AUTH
http_access allow InternetGroup Terminalserver
http_access deny Terminalserver
(snip)
Thanks for help.
------------------------------------------------------------------------
Amos Jeffries wrote:
> The big issues you have are:
> * using NTLM. This seriously caps the proxy performance and capacity. Each new TCP connection (~30 per second from your graphs) requires at least two full HTTP request/reply round trips just to authenticate before the actual HTTP response can begin to be identified and fetched.
>
> * using group to base access permissions. Like NTLM this caps the capacity of your Squid. 
> 
> * using a URL helper. Whether that is a big drag or not depends on what you are using it for and whether Squid can do that faster by itself. 
> 
> These are your big performance bottlenecks. Eliminating any of them will speed up your proxy. BUT whether it is worth doing is up to you. 
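As an added example (not code from the thread or from the Squid project): a small harness that drives an external_acl_type helper such as the checkgroup one above with the same stdin line protocol Squid uses (the %LOGIN value followed by the acl's group names, answered by a line starting with OK or ERR), so the helper's own per-lookup latency can be measured apart from the Kerberos negotiation. The squid_ldap_group command line is copied from the thread with its placeholders left in; the shell "helper" used for the demo run and the login name are constructed so the script runs offline.

```python
# Added example, not from the squid-users thread: time an external ACL helper
# directly, using the line protocol Squid speaks to it.
import subprocess
import time


def time_helper_queries(helper_cmd, queries):
    """Keep one helper process running, as Squid does, and time each lookup.

    For each (login, groups) pair Squid writes "<login> <group...>\n" to the
    helper's stdin and reads back one line starting with OK or ERR.
    Returns a list of (verdict, seconds) in query order.
    """
    proc = subprocess.Popen(helper_cmd, stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, text=True, bufsize=1)
    results = []
    try:
        for login, groups in queries:
            started = time.monotonic()
            proc.stdin.write(" ".join([login, *groups]) + "\n")
            proc.stdin.flush()
            reply = proc.stdout.readline()
            elapsed = time.monotonic() - started
            verdict = reply.split(None, 1)[0] if reply.strip() else "NO-REPLY"
            results.append((verdict, elapsed))
    finally:
        proc.stdin.close()  # EOF on stdin makes a well-behaved helper exit
        try:
            proc.wait(timeout=10)
        except subprocess.TimeoutExpired:
            proc.kill()
    return results


# Placeholder command line for the checkgroup helper from the thread; it only
# works with a reachable domain controller and real credentials.
REAL_HELPER = ["/usr/lib64/squid/squid_ldap_group", "-R", "-K",
               "-b", "dc=DOMAIN,dc=local", "-D", "ldap", "-w", "PASSWORD",
               "-f", "(&(objectclass=person)(sAMAccountName=%v)"
                     "(memberof=cn=%g,ou=User_Gruppen,dc=DOMAIN,dc=local))",
               "-h", "DOMAINCONTROLLER"]

# Constructed stand-in so the demo runs offline: answers OK only for the
# "internet" group and ERR otherwise, like squid_ldap_group would.
FAKE_HELPER = ["sh", "-c", 'while read l; do case "$l" in '
               '*" internet") echo OK;; *) echo ERR;; esac; done']

if __name__ == "__main__":  # with Negotiate, %LOGIN arrives as user@REALM
    for verdict, secs in time_helper_queries(FAKE_HELPER, [
            ("marcel@DOMAIN.LOCAL", ["internet"]), ("marcel@DOMAIN.LOCAL", ["staff"])]):
        print(f"{verdict:8s} {secs * 1000:.1f} ms")
```

Swap FAKE_HELPER for REAL_HELPER (with real values) to see whether the first lookup is much slower than the following ones, which separates helper startup and LDAP bind cost from per-query search cost.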
Received on Tue Feb 12 2013 - 11:18:41 MST

This archive was generated by hypermail 2.2.0 : Tue Feb 12 2013 - 12:00:05 MST