Hi all,

  We are looking to replace our proxy infrastructure with Squid, but I am
concerned about the performance of Squid using the Samba ntlm_auth helper
(specifically with the Negotiate scheme). We are almost ready to run some
LoadRunner stress tests, but I wanted to ask whether anyone has baseline
statistics. I saw that Squid 2.7 has authenticate_ip_shortcircuit_ttl. Has
anyone used that IP-caching feature, and are there plans to port it to the
3.x branch? (We are really after the ICAP functionality, which is why we are
on 3.x.) I am aware the shortcut keys on the client IP, so it is only safe
where one address means one user — not behind NAT or on shared terminal
servers.
 
I am currently investigating a way to push our AD user/group listings into a
flat-file tree once a night, so squidGuard can do AD group lookups locally.
That should save authorization cycles, but the Samba authentication is what
really worries me... I really wish Kerberos were prevalent enough that we
could just force Kerberos/Basic, but that's the way it goes... I don't even
know how we could load-test Kerberos authentication...

Current deployment:
------------------------------------------------------

squid:           3.0.11
squidGuard:  1.4
samba:         3.2.7
server:          RHAS 5.2  64bit   (Sunfire 4100 8gigs of ram)


Current configs (Squid is not yet tuned; addresses are redacted)
--------------------------------------------------------------------
# Listen on a single (redacted) interface rather than 0.0.0.0, so the proxy
# is not exposed on every address of the host. Outbound connections are
# sourced from the redacted tcp_outgoing_address. Note that binding to one
# interface does not stop clients from reaching services on this host's
# loopback through the proxy; that needs an http_access deny to_localhost.
http_port                     xx.xx.x.xxx:8080
tcp_outgoing_address  xx.xx.x.xxx

#####################################################################
#       AUTHENTICATION
#####################################################################

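# Squid offers schemes to clients in the order the auth_param lines appear:
# Negotiate (Kerberos via squid_kerb_auth) first, then NTLM, then Basic.
# Each "program" directive must be on one line; the wrapped lines in the
# original paste would not parse.
#
# NOTE(review): "-d" switches squid_kerb_auth to debug output, which ends up
# in cache.log. Remove it for the load test and for production: it adds work
# per request and writes per-request authentication detail to the log.
auth_param negotiate program /dev/pkgs/linux/intel/squid/3.0.11/libexec/squid_kerb_auth -d
auth_param negotiate children 10
auth_param negotiate keep_alive on

# NTLMSSP via winbind. The helper forwards the challenge/response to the DC;
# whether NTLMv1 responses are accepted is decided there, not in squid.
auth_param ntlm program /dev/pkgs/linux/intel/samba/3.2.7/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive on

# Basic fallback. The password crosses the client->proxy hop base64-encoded,
# i.e. in the clear on port 8080; keep this scheme last and only for clients
# that cannot do Negotiate/NTLM.
auth_param basic program /dev/pkgs/linux/intel/samba/3.2.7/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 10
auth_param basic realm Squid proxy-caching web server
# A validated Basic credential is cached by squid for 6 hours and is not
# re-checked against the DC during that time: a disabled account or a
# captured password keeps working against the proxy until the TTL expires.
auth_param basic credentialsttl 6 hours
# Usernames are matched case-insensitively in the credential cache, which
# matches AD's own handling of sAMAccountName.
auth_param basic casesensitive off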

#####################################################################
#       ACL'S
#####################################################################

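acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl CONNECT method CONNECT
# Standard port hygiene (Squid's stock rule set). Without it an authenticated
# user can CONNECT to any TCP port and use the proxy as a generic tunnel, e.g.
# to SMTP or to the ICAP listener on localhost:1344. If the full file already
# defines these ACLs, the extra lines simply append to them.
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
# WARNING: "browser" matches on User-Agent, which the client controls. Any
# client sending "User-Agent: Java/1.3" bypasses authentication entirely.
# Before production, pair this exemption with a source-address ACL for the
# hosts that actually run the Java clients, or drop it.
acl java browser Java/1.3 Java/1.4
acl ntlm_users proxy_auth REQUIRED
# Squid 3.0 does not predefine "all"; "acl all src all" must exist earlier in
# the full file for the final deny to parse.

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Keep clients from reaching loopback services on the proxy host itself
# (the ACL was defined but never used in the original).
http_access deny to_localhost
http_access allow java
http_access allow ntlm_users
http_access deny all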

#####################################################################
#       DNS Settings
#####################################################################

# Unqualified hostnames in requests are expanded with the resolver's search
# domains, so "http://intranet/" resolves to intranet.<searchdomain>.
dns_defnames on
# Use these (redacted) resolvers instead of the ones in /etc/resolv.conf.
dns_nameservers xx.xx.xx.xxx xx.xx.xx.xxx

#####################################################################
#
#####################################################################

# Requests for dynamic content are never forwarded to a cache peer.
hierarchy_stoplist cgi-bin ?
# NOTE(review): this is the only path under /etrade/...; the helpers above
# live under /dev/pkgs/... — confirm which tree is the deployed one.
# The native "squid" format records the client address and, with proxy_auth
# in use, the username on every line: treat the log as sensitive data.
access_log /etrade/pkgs/linux/intel/squid/3.0.11/var/logs/access.log squid
# Stock refresh rules: never cache dynamic content, default 20% heuristic.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern (cgi-bin|\?)    0       0%      0
refresh_pattern .               0       20%     4320
# NOTE(review): the ICP UDP listener is enabled but no icp_access rule and no
# cache_peer appear in this excerpt. Unless the full file has them, set
# "icp_port 0" so the port is not exposed at all.
icp_port 3130
# Core files are written to the cache directory. A core of the squid process
# can contain in-flight requests including credentials, so keep this
# directory readable only by the squid user.
coredump_dir /etrade/pkgs/linux/intel/squid/3.0.11/var/cache

#####################################################################
#       Squid Guard
#####################################################################

# squidGuard runs as the URL rewriter (redirect_program is the 3.0 name;
# url_rewrite_program is the current alias). Per the rewrite helper
# protocol each helper gets the URL, client address and the authenticated
# username, so the nightly AD export only needs to map users to groups.
redirect_program     /dev/pkgs/linux/intel/squidGuard/1.4/bin/squidGuard
# 10 helper processes; squid queues requests when all are busy and logs a
# warning when the queue grows — watch cache.log during the load test.
redirect_children    10

#####################################################################
#       Kaspersky AV
#####################################################################

icap_enable on
# Passes the client address to the ICAP server in X-Client-IP; fine for a
# localhost service, reconsider if the AV engine moves off-host.
icap_send_client_ip on
# The "0" is the bypass flag: the service is NOT bypassable, so if the AV
# daemon is down or errors, the request fails rather than passing unscanned
# (fail closed). ICAP runs in the clear over localhost:1344, which is only
# acceptable while the AV stays on this host.
icap_service is_kav_req reqmod_precache 0 icap://localhost:1344/av/reqmod
icap_service is_kav_resp respmod_precache 0 icap://localhost:1344/av/respmod
acl acl_kav_GET method GET
icap_class ic_kav_req is_kav_req
icap_class ic_kav_resp is_kav_resp
# Every response is scanned; requests go through REQMOD only when they are
# not GET (uploads via POST/PUT etc.). GET requests skip the request-side
# scan entirely.
icap_access ic_kav_resp allow all
icap_access ic_kav_req allow all !acl_kav_GET




SAMBA (smb.conf)
------------------------------------------------------------------------

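# global parameters
 [global]
        # ADS membership settings: this host is a member of the DEV realm and
        # authenticates proxy users through winbind / ntlm_auth.
        workgroup = DEV
        netbios name = PROXYDEV1
        realm = DEV.COM
        server string = proxydev1.dev.com
        security = ADS
        # Presumably intended to limit lookups to the joined domain; this
        # parameter mainly affects idmap behaviour, the hard block on other
        # domains is "allow trusted domains = no" below.
        winbind trusted domains only = yes
        # Commented-out experiments (kept for reference); the wrapped comment
        # in the original paste has been joined back onto one line.
        #winbind cache time = 600       # tested samba auth caching, doesn't work for ntlm_auth
        #winbind offline logon = true
        # Authentication attempts for accounts outside the DEV domain fail
        # even if the DC trusts that domain.
        allow trusted domains = no
        # Use the system keytab written at join time for Kerberos operations.
        use kerberos keytab = true

        # IdMap settings
        # Usernames are reported without the DOMAIN\ prefix, so squid and
        # squidGuard see plain "user" (keep the nightly AD export consistent).
        winbind use default domain = yes
        idmap domains = DEV
        # Unix ids come from NSS; winbind never allocates new ones.
        idmap config DEV:backend = nss
        idmap config DEV:readonly = yes
        idmap config DEV:default = no

        # security settings
        # (the duplicate "encrypt passwords = yes" from the original has been
        # removed; one occurrence is enough.)
        encrypt passwords = yes
        # No LANMAN browse announcements.
        lm announce = no
        # As a client, never send LM or plaintext and always send NTLMv2.
        client lanman auth = no
        client ntlmv2 auth = yes
        client plaintext auth = no
        # Secure channel to the DC in both roles.
        client schannel = yes
        server schannel = yes
        # Auto: SMB signing offered but not required by this host.
        server signing = Auto
        lanman auth = no
        # NOTE(review): "ntlm auth = no" rejects NTLMv1 for passwords checked
        # locally by smbd. Proxy logons via ntlm_auth are forwarded to the DC,
        # which applies its own LmCompatibilityLevel; do not rely on this line
        # to refuse NTLMv1 from proxy clients — verify on the DC.
        ntlm auth = no
        # SMB1 (NT1) only; no SMB2 on this Samba release.
        min protocol = NT1
        max protocol = NT1
        # This host shares nothing; keep the printing subsystem off.
        show add printer wizard = no
        load printers = no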


Thanks all!


      
