Hi Amos,
Finally I've configured Kerberos auth and LDAP group check. In a few weeks I will report if the bottlenecks are eliminated.
This is now my config:
auth_param negotiate program /usr/lib64/squid/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on
external_acl_type checkgroup %LOGIN /usr/lib64/squid/squid_ldap_group -R -K -b "dc=DOMAIN,dc=local" -D ldap -w "PASSWORD" -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,ou=UserGroups,dc=DOMAIN,dc=local))" -h DOMAINCONTROLLER
.
(snip)
.
acl Terminalserver src 10.4.1.51-10.4.1.75
acl AUTH proxy_auth REQUIRED
acl InternetGroup external checkgroup internet
.
(snip)
.
http_access deny !AUTH
http_access allow InternetGroup Terminalserver
http_access deny Terminalserver
.
(snip)
.
Thanks for help.
------------------------------------------------------------------------
Amos Jeffries wrote:
> The big issues you have are:
> * using NTLM. This seriously caps the proxy performance and capacity. Each new TCP connection (~30 per second from your graphs) requires at least two full HTTP request/reply round trips just to authenticate before the actual HTTP response can begin to be identified and fetched.
>
> * using group to base access permissions. Like NTLM this caps the capacity of your Squid.
>
> * using a URL helper. Whether that is a big drag or not depends on what you are using it for and whether Squid can do that faster by itself.
>
> These are your big performance bottlenecks. Eliminating any of them will speed up your proxy. BUT whether it is worth doing is up to you.
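As an added illustration (not part of the thread, and not Squid's or the helper's own code), the following model of the posted squid.conf fragment shows two things a reviewer would check: how the -f template is filled from %v and %g (here with RFC 4515 filter escaping of the login value, which is an assumption of this model rather than a statement about squid_ldap_group), and how Squid's first-match, AND-within-a-line http_access evaluation decides the visible rules, including the implicit default when no line matches.

```python
from ipaddress import ip_address

# Constructed model of the squid.conf fragment above (example code, not Squid's
# own implementation): the %v/%g substitution applied to the -f filter
# template, and Squid's first-match http_access evaluation.

FILTER_TEMPLATE = ("(&(objectclass=person)(sAMAccountName=%v)"
                   "(memberof=cn=%g,ou=UserGroups,dc=DOMAIN,dc=local))")

def ldap_escape(value):
    """Escape RFC 4515 filter metacharacters (\\xx hex form) so a login such as
    'a)(cn=*' cannot alter the filter's structure (assumed behaviour here)."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)

def group_filter(login, group):
    """The -f template with %v (login) and %g (group) filled in and escaped."""
    return FILTER_TEMPLATE.replace("%v", ldap_escape(login)).replace("%g", ldap_escape(group))

def in_range(ip, lo, hi):
    return ip_address(lo) <= ip_address(ip) <= ip_address(hi)

def acls(req):
    """Evaluate the three ACLs from the posted config for one request.
    req: {"src": str, "login": str|None, "groups": set}; "groups" stands in
    for the checkgroup helper's answer."""
    return {
        "Terminalserver": in_range(req["src"], "10.4.1.51", "10.4.1.75"),
        "AUTH": req.get("login") is not None,               # proxy_auth REQUIRED
        "InternetGroup": "internet" in req.get("groups", set()),
    }

HTTP_ACCESS = [  # the visible http_access lines, in order; the (snip) lines are unknown
    ("deny", ["!AUTH"]),
    ("allow", ["InternetGroup", "Terminalserver"]),
    ("deny", ["Terminalserver"]),
]

def http_access(req):
    """Squid semantics: ACLs on one line are ANDed; the first matching line
    decides; if no line matches, the opposite of the last line's action is
    the default. (For a real client a failed AUTH match yields a 407 challenge.)"""
    a = acls(req)
    for action, terms in HTTP_ACCESS:
        if all((not a[t[1:]]) if t.startswith("!") else a[t] for t in terms):
            return action
    return "allow" if HTTP_ACCESS[-1][0] == "deny" else "deny"

if __name__ == "__main__":
    print(group_filter("alice", "internet"))
    print(http_access({"src": "10.4.1.60", "login": "alice", "groups": {"internet"}}))  # allow
    print(http_access({"src": "10.4.1.60", "login": "bob", "groups": set()}))           # deny
    print(http_access({"src": "10.4.1.10", "login": "bob", "groups": set()}))           # allow (implicit default)
```

The last case is the one to watch: with only the visible lines, an authenticated client outside the Terminalserver range falls through to the implicit default and is allowed, so the snipped rules must cover it.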
Received on Sat Feb 02 2013 - 10:03:20 MST
This archive was generated by hypermail 2.2.0 : Thu Feb 07 2013 - 12:00:03 MST