Re: [squid-users] NTLM negotiate + IP authentication caching for heavily used squid deployments...

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 03 May 2009 18:47:29 +1200

jason lawrence wrote:
> Hi all,
>
> We are looking to replace our proxy infrastructure
> with squid, but I am concerned about the performance of squid using the
> ntlm_auth samba handler (specifically using negotiate). We are almost
> ready to do some Loadrunner stress tests, but I wanted to see if anyone
> had some base statistics out there?

The ntlm helpers have issues with concurrency, so the number needed
scales up badly with higher loads. Though with auth_param credentialsttl
settings it can be raised somewhat.

> I saw that squid uses authenticate_ip_shortcircuit_ttl in 2.7. Has anyone used the IP caching feature, and are there plans to
> port it to the 3.x branch? (we are really after the ICAP functionality)

All the missing functionality that is in 2.7 is planned for porting.
When is a matter of sponsorship and developer time since we are mostly
volunteers working on it.

>
> I am currently investigating a way to push our AD user/group
> listings into a flat file tree once a night, so squidGuard can do AD
> group lookups locally. That should save authorization cycles, but the
> samba authentication is what really worries me... I really wish
> kerberos was prevalent enough that we could just force kerberos/Basic,
> but that's the way it goes... I don't even know how we could load test
> kerberos authentication...

I see for your config below you have negotiate, ntlm, basic. That will
enable kerberos to be used where possible.

FWIW: there was one business that recently posted looking for ways to use the
browser ACL and redirect people to a 'you need to upgrade' page when
they had issues with older browsers. :)

You might find that a solution to push the migration faster.

>
> Current deployment:
> ------------------------------------------------------
>
> squid: 3.0.11

Please use at least 3.0.STABLE13
http://www.squid-cache.org/Advisories/SQUID-2009_1.txt

There is a squid_kerb_auth buffer overrun issue solved in the kerb_auth
helper from stable14 you may want as well.

> squidGuard: 1.4
> samba: 3.2.7
> server: RHAS 5.2 64bit (Sunfire 4100 8gigs of ram)
>
>
> Current configs (squid is not yet optimized)
> --------------------------------------------------------------------
> http_port xx.xx.x.xxx:8080
> tcp_outgoing_address xx.xx.x.xxx
>
> #####################################################################
> # AUTHENTICATION
> #####################################################################
>
> auth_param negotiate program /dev/pkgs/linux/intel/squid/3.0.11/libexec/squid_kerb_auth -d
> auth_param negotiate children 10
> auth_param negotiate keep_alive on
>
> auth_param ntlm program /dev/pkgs/linux/intel/samba/3.2.7/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 10
> auth_param ntlm keep_alive on
>
> auth_param basic program /dev/pkgs/linux/intel/samba/3.2.7/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 10
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 6 hours
> auth_param basic casesensitive off
>
> #####################################################################
> # ACL'S
> #####################################################################
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> acl CONNECT method CONNECT
> acl java browser Java/1.3 Java/1.4
> acl ntlm_users proxy_auth REQUIRED
>
> http_access allow manager localhost
> http_access deny manager
> http_access allow java
> http_access allow ntlm_users
> http_access deny all
>
> #####################################################################
> # DNS Settings
> #####################################################################
>
> dns_defnames on
> dns_nameservers xx.xx.xx.xxx xx.xx.xx.xxx
>
> #####################################################################
> #
> #####################################################################
>
> hierarchy_stoplist cgi-bin ?
> access_log /etrade/pkgs/linux/intel/squid/3.0.11/var/logs/access.log squid
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern (cgi-bin|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> icp_port 3130
> coredump_dir /etrade/pkgs/linux/intel/squid/3.0.11/var/cache
>
> #####################################################################
> # Squid Guard
> #####################################################################
>
> redirect_program /dev/pkgs/linux/intel/squidGuard/1.4/bin/squidGuard
> redirect_children 10
>
> #####################################################################
> # Kaspersky AV
> #####################################################################
>
> icap_enable on
> icap_send_client_ip on
> icap_service is_kav_req reqmod_precache 0 icap://localhost:1344/av/reqmod
> icap_service is_kav_resp respmod_precache 0 icap://localhost:1344/av/respmod
> acl acl_kav_GET method GET
> icap_class ic_kav_req is_kav_req
> icap_class ic_kav_resp is_kav_resp
> icap_access ic_kav_resp allow all
> icap_access ic_kav_req allow all !acl_kav_GET
>
> SAMBA
> ------------------------------------------------------
>
> # global parameters
> [global]
> # ADS membership settings
> workgroup = DEV
> netbios name = PROXYDEV1
> realm = DEV.COM
> server string = proxydev1.dev.com
> security = ADS
> winbind trusted domains only = yes
> #winbind cache time = 600 # tested samba auth caching, doesn't work for ntlm_auth
> #winbind offline logon = true #
> allow trusted domains = no
> use kerberos keytab = true
>
> # IdMap settings
> winbind use default domain = yes
> idmap domains = DEV
> idmap config DEV:backend = nss
> idmap config DEV:readonly = yes
> idmap config DEV:default = no
>
> # security settings
> encrypt passwords = yes
> lm announce = no
> client lanman auth = no
> client ntlmv2 auth = yes
> client plaintext auth = no
> client schannel = yes
> server schannel = yes
> server signing = Auto
> encrypt passwords = yes
> lanman auth = no
> ntlm auth = no
> min protocol = NT1
> max protocol = NT1
> show add printer wizard = no
> load printers = no
>
>
> Thanks all!
>

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
   Current Beta Squid 3.1.0.7
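An added example, not code from the thread or from the Squid project: a small Python check that reads a squid.conf fragment and reports the points Amos raises (a helper from a 3.0 release older than STABLE13, and use of the 2.7-only authenticate_ip_shortcircuit_ttl directive), plus one further review item not from the thread: any http_access allow rule that sits ahead of the proxy_auth rule and therefore matches unauthenticated. The sample config is constructed from the one quoted above with paths shortened, and the version-from-path heuristic assumes the helper lives under a versioned directory as in Jason's layout.

```python
import re

# Constructed sample modelled on the squid.conf quoted in the thread (paths shortened;
# the final line is not from the thread and is there only to exercise the 2.7 check).
SAMPLE_CONF = """\
auth_param negotiate program /opt/squid/3.0.11/libexec/squid_kerb_auth -d
auth_param negotiate children 10
auth_param ntlm program /opt/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param basic program /opt/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 10
acl java browser Java/1.3 Java/1.4
acl ntlm_users proxy_auth REQUIRED
http_access allow manager localhost
http_access deny manager
http_access allow java
http_access allow ntlm_users
http_access deny all
authenticate_ip_shortcircuit_ttl 30 seconds
"""
MIN_STABLE = 13  # Amos's minimum: 3.0.STABLE13, the SQUID-2009_1 advisory fix

def parse_auth_params(conf):
    """Return {scheme: {param: value}} for every auth_param line."""
    schemes = {}
    for line in conf.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[0] == "auth_param":
            schemes.setdefault(parts[1], {})[parts[2]] = parts[3]
    return schemes

def squid_version_from_path(path):
    """Release number from a /3.0.N/ or /3.0.STABLEN/ directory in a helper path, else None."""
    m = re.search(r"/3\.0\.(?:STABLE)?(\d+)/", path)
    return int(m.group(1)) if m else None

def audit(conf):
    """Return the findings for the points discussed in the thread plus the http_access order check."""
    schemes, lines, findings = parse_auth_params(conf), conf.splitlines(), []
    for scheme, params in schemes.items():
        ver = squid_version_from_path(params.get("program", ""))
        if ver is not None and ver < MIN_STABLE:
            findings.append(f"{scheme}: Squid 3.0 release {ver} is below STABLE{MIN_STABLE}")
    if any(l.startswith("authenticate_ip_shortcircuit_ttl") for l in lines):
        findings.append("authenticate_ip_shortcircuit_ttl is a 2.7 directive, not yet in 3.x")
    auth_acls = {l.split()[1] for l in lines if l.startswith("acl ") and "proxy_auth" in l}
    for line in lines:  # first matching http_access wins
        if line.startswith("http_access allow"):
            if set(line.split()[2:]) & auth_acls:
                break  # reached the authenticated-users rule
            findings.append(f"allow rule ahead of the proxy_auth rule, review: {line}")
    return findings
```

Run `audit(SAMPLE_CONF)` to see the four findings for the sample; the "manager localhost" hit is the usual cachemgr exception and is listed only so every unauthenticated allow is visible.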
Received on Sun May 03 2009 - 06:47:34 MDT