Proxy server: Squid + dansguardian (slow when use NTLM)

Francisco José Márquez Gómez fjmarquez.ext at chguadalquivir.es
Thu Mar 24 08:40:34 UTC 2011


On 23/03/2011 15:04, Stainforth, Matthew (SD/DS) wrote:
>> We are using the same versions as above.  I use /usr/bin/ntlm_auth 
>> that is provided by the samba3x-winbind package rather than 
>> /usr/lib64/squid/ntlm_auth provided by the squid package.
>>
>> Matt

I've been looking at my access.log and I've noticed that for each HTTP request, 
squid registers 2 tcp_denied:

1300954766.574      4 10.31.32.85 TCP_DENIED/407 1765 GET http://www.test.com/testSimple? - NONE/- text/html
1300954766.588      6 10.31.32.85 TCP_DENIED/407 1939 GET http://www.test.com/testSimple? - NONE/- text/html
1300954768.996   2408 10.31.32.85 TCP_MISS/200 6410 GET http://www.test.com/testSimple? lusername DIRECT/91.216.63.240 application/x-javascript

But I've read that this is normal behavior due to the NTLM design... so I 
discard this as the cause of my problem.

Now, with a standard installation of RHEL5.6 + squid + samba3x and only 
the setup necessary to enable NTLM auth (I'm not using dansguardian 
yet), a client needs:

http://www.google.com: 5-7 seconds
http://www.marca.com: 25-30 seconds.

(and with many TCP_HIT/200, so squid is using cached content)

If I use basic auth, the load is almost instantaneous.


I have only added this to my squid.conf:
------------------------------------------------------
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 50
auth_param ntlm keep_alive on

acl mylan src 192.168.1.0/24

acl ntlm proxy_auth REQUIRED
http_access allow mylan ntlm

And before that, I used this command to set up samba and winbind:
--------------------------------------------------------------------------------------

authconfig --enableshadow --enablemd5 --passalgo=md5 --krb5kdc=dc.domain \
--krb5realm=domain --smbservers=dc.domain --smbworkgroup=domain \
--enablewinbind --enablewinbindauth --smbsecurity=ads --smbrealm=domain \
--smbidmapuid="16777216-33554431" --smbidmapgid="16777216-33554431" \
--winbindseparator="+" \
--winbindtemplateshell="/bin/false" --enablewinbindusedefaultdomain \
--disablewinbindoffline \
--winbindjoin=Administrator --disablewins --disablecache \
--enablelocauthorize --updateall


Any idea?

Regards,
F.J
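
As an added example (not part of the original post, and not Squid's own code): the Python below groups the 407 challenges in a native-format access.log with the authenticated request that follows them, so the time spent in the challenge round trips can be compared with the time spent in the final request. The sample log is constructed from the three entries quoted in the message; the function name and result fields are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in Squid's native access.log format, built from the three
# entries quoted in the message (two 407 challenges, then the authenticated fetch).
SAMPLE_LOG = """\
1300954766.574      4 10.31.32.85 TCP_DENIED/407 1765 GET http://www.test.com/testSimple? - NONE/- text/html
1300954766.588      6 10.31.32.85 TCP_DENIED/407 1939 GET http://www.test.com/testSimple? - NONE/- text/html
1300954768.996   2408 10.31.32.85 TCP_MISS/200 6410 GET http://www.test.com/testSimple? lusername DIRECT/91.216.63.240 application/x-javascript
"""

# Native format: time elapsed_ms client result/status bytes method URL user ...
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
)

def ntlm_exchanges(log_text):
    """Pair each authenticated request with the 407 challenges that preceded it."""
    pending = defaultdict(list)  # (client, method, url) -> [(ts, elapsed_ms), ...]
    exchanges = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a native-format entry
        ts, elapsed = float(m["ts"]), int(m["elapsed"])
        key = (m["client"], m["method"], m["url"])
        if m["status"] == "407" and m["user"] == "-":
            pending[key].append((ts, elapsed))
            continue
        challenges = pending.pop(key, [])
        if not challenges:
            continue  # no challenge seen: connection was already authenticated
        # Squid logs an entry when the transaction ends, so it began at ts - elapsed.
        first_start = challenges[0][0] - challenges[0][1] / 1000.0
        exchanges.append({
            "client": m["client"], "user": m["user"], "url": m["url"],
            "challenges": len(challenges),                    # 407 round trips
            "handshake_ms": sum(e for _, e in challenges),    # time inside the 407s
            "final_ms": elapsed,                              # authenticated request
            "wall_ms": round((ts - first_start) * 1000),      # first byte to last log
        })
    return exchanges

if __name__ == "__main__":
    for ex in ntlm_exchanges(SAMPLE_LOG):
        print(ex)
```

On the quoted entries the two 407 round trips account for 10 ms while the authenticated request takes 2408 ms; that last request is the one carrying the NTLM credentials the helper has to validate.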



