[prev in list] [next in list] [prev in thread] [next in thread]
List: squid-users
Subject: Re: [squid-users] Squid very slow with kerberos auth and LDAP Group Search(AD)
From: heimarbeit123.99 () web ! de
Date: 2021-11-09 12:22:12
Message-ID: trinity-583c9221-d3d4-495c-b219-26cb94ba257f-1636460532537 () 3c-app-webde-bap34
[Download RAW message or body]
[Attachment #2 (text/html)]
<html><head></head><body><div style="font-family: Verdana;font-size: 12.0px;"><div>
<div>At first thank you for your tips about the config!</div>
<div>So I figured out, that everything was not kerberos-authenticated, but \
ntlm-authenticated, so I had to adjust my config a bit, because I've heard in \
another thread here, that actually using kerberos is a lot faster than NTLM.</div>
<div> </div>
<div>Old part:</div>
<div>> auth_param negotiate program /lib/squid/negotiate_wrapper_auth -d \
--ntlm<br/> > /bin/ntlm_auth --diagnostics \
--helper-protocol=squid-2.5-ntlmssp<br/> > --domain=DOMAIN.TLD --kerberos \
/lib/squid/negotiate_kerberos_auth -d -s<br/> > \
HTTP/proxy.domain.tld@DOMAIN.TLD<br/> > auth_param negotiate children 200</div>
<div> </div>
<div>New part:</div>
<div> auth_param negotiate program /lib/Squid/negotiate_kerberos_auth -d -s \
HTTP/proxy.domain.tld@DOMAIN.TLD -k /etc/squid/krb5.keytab<br/> auth_param \
negotiate children 100 startup=10 idle=3<br/> auth_param negotiate keep_alive \
on</div>
<div> </div>
<div>But then I got warnings about NTLM 1 tokens in my cache.log and authentication \
didn't work at all. After a bit of research I figured out not to write the IP \
from the proxy, but the FQDN from the proxy inside the client proxy settings. That \
makes sense, because in Microsoft Outlook using Kerberos you have to do that too. It \
does not work with IPs, only with FQDN. So I guess it is a kerberos \
"issue".</div>
<div> </div>
<div> </div>
<div>So everything works as it should and squid is a lot faster(could not test yet if \
fast enough) because of that kerberos auth. But now I got another problem: <strong>My \
access.log does not get filled! :(</strong></div>
<div>I did:</div>
<div>chmod 644 /var/log/squid/access.log</div>
<div>chown squid:squid /var/log/squid/access.log</div>
<div> </div>
<div>but nothing helped and there are no errors inside the cache.log, even with \
"debug ALL", so I guess it's not a permission problem. With the old \
NTLM auth and the IP from the squid proxy inside the client proxy settings the \
access.log gets filled up. But as soon as I switch to my new kerberos auth and the \
proxy-FQDN inside the client(windows) proxy settings, access.log will not get written \
anymore.</div>
<div><strong>Can anyone help?</strong></div>
<div> </div>
<div>My current squid.conf(thanks again to Amos Jeffries!):</div>
<div> </div>
<div>
<div> ######### allowed port part ########################<br/>
acl SSL_ports port 443<br/>
acl Safe_ports port 80 # \
http<br/> acl Safe_ports port \
21 # ftp<br/> acl Safe_ports \
port 443 # https<br/> acl Safe_ports \
port 70 # gopher<br/> acl \
Safe_ports port 210 # wais<br/> acl \
Safe_ports port 1025-65535 # unregistered ports<br/> acl Safe_ports port \
280 # http-mgmt<br/> acl Safe_ports \
port 488 # gss-http<br/> acl \
Safe_ports port 591 # filemaker<br/> \
acl Safe_ports port 777 # multiling \
http<br/> acl CONNECT method CONNECT<br/>
http_access deny !Safe_ports<br/>
http_access deny CONNECT !SSL_ports</div>
<div><br/>
##################### cache/logs ########################<br/>
cache_log /var/log/squid/cache.log</div>
<div> logformat myformat %{%d.%m %H:%M:%S}tl %>a %Ss %ru %tr<br/>
access_log /var/log/squid/access.log myformat</div>
<div> cache deny all<br/>
coredump_dir /dev/null</div>
<div> cache_dir aufs /var/spool/squid 100 16 256</div>
<div> </div>
<div> ########## Debug ########################<br/>
#debug_options ALL,1 33,2 28,9</div>
<div> </div>
<div> ######################### squid-port #######<br/>
http_port 3128 \
\
#proxy port<br/> authenticate_ttl 2 \
hours \
#auth timeout</div>
<div> acl black_regex url_regex "/etc/squid/regex_black.acl"<br/>
acl white_regex url_regex "/etc/squid/regex_white.acl"<br/>
acl license_regex url_regex \
"/etc/squid/regex_license_servers_no_auth.acl"</div>
<div> </div>
<div> ############################# allow License Managers ##########<br/>
http_access allow license_regex</div>
<div> </div>
<div> ################### Kerberos ##################################<br/>
auth_param negotiate program /lib/Squid/negotiate_kerberos_auth -d -s \
HTTP/proxy.domain.tld@DOMAIN.TLD -k /etc/squid/krb5.keytab<br/> auth_param \
negotiate children 100 startup=10 idle=3<br/> auth_param negotiate keep_alive \
on</div>
<div><br/>
########################## Allow based on group membership ######<br/>
# Authentication required, otherwise Pop-Up<br/>
acl Authenticated_Users proxy_auth REQUIRED<br/>
http_access deny !Authenticated_Users</div>
<div> </div>
<div> # Define external acl for group check<br/>
external_acl_type ldap_group ipv4 ttl=300 negative_ttl=120<br/>
children-max=100 %LOGIN /lib/squid/ext_ldap_group_acl -K -S -R \<br/>
-b "ou=Users,DC=domain,DC=tld" \<br/>
-D "ProxyUser@DOMAIN.TLD" \<br/>
-W /etc/squid/authfile \<br/>
-f<br/>
"(&(objectclass=person)(sAMAccountName=%v)(memberof=CN=%a,OU=Groups,DC=domain,DC=tl))"<br/>
\<br/>
-h 192.0.1.1</div>
<div> </div>
<div> acl Users_Internet_Users external ldap_group Users<br/>
http_access allow !black_regex Users_Internet_Users all</div>
<div> http_access deny all<br/>
</div>
<div> dns_v4_first on<br/>
connect_timeout 3 seconds</div>
<div> </div>
<div> </div>
<div><strong>Regards</strong></div>
<div> </div>
</div>
</div>
<div>
<div>
<div name="quote" style="margin:10px 5px 5px 10px; padding: 10px 0 10px 10px; \
border-left:2px solid #C3D9E5; word-wrap: break-word; -webkit-nbsp-mode: space; \
-webkit-line-break: after-white-space;"> <div style="margin:0 0 10px \
0;"><b>Gesendet:</b> Dienstag, 09. November 2021 um 08:38 Uhr<br/> \
<b>Von:</b> heimarbeit123.99@web.de<br/> \
<b>An:</b> heimarbeit123.99@web.de<br/> <b>Betreff:</b> Aw: [squid-users] \
Squid very slow with kerberos auth and LDAP Group Search(AD)</div>
<div name="quoted-content">
<div style="font-family: Verdana;font-size: 12.0px;">
<div> </div>
<div>
<div>Edit:</div>
<div>I also tried with kerberos auth only.</div>
<div> </div>
<div>auth_param negotiate program /lib/squid/negotiate_kerberos_auth -d -s \
HTTP/proxy.domain.tld@DOMAIN.TLD</div>
<div> </div>
<div>but then I can not authenticate anyone, because cache.log says "Warning: \
Received NTLM 1 Token". That's why I did with ntlm_auth, even though I read, \
that ntlm is way slower than kerberos. That could cause these waiting times too with \
60+ clients but I don't quite know how to handle this..</div>
<div> </div>
<div>Maybe someone can help.</div>
<div> </div>
<div>Regards</div>
<div>
<div style="margin: 10.0px 5.0px 5.0px 10.0px;padding: 10.0px 0 10.0px \
10.0px;border-left: 2.0px solid rgb(195,217,229);"> <div style="margin: 0 0 10.0px \
0;"><b>Gesendet:</b> Montag, 08. November 2021 um 13:19 Uhr<br/> \
<b>Von:</b> heimarbeit123.99@web.de<br/> \
<b>An:</b> squid-users@lists.squid-cache.org<br/> \
<b>Betreff:</b> [squid-users] Squid very slow with kerberos auth and LDAP Group \
Search(AD)</div>
<div>
<div style="font-family: Verdana;font-size: 12.0px;">
<div>Hello all,</div>
<div> </div>
<div>I finaly got a squid proxy with kerberos authentification and LDAP group check \
to work! With a small amount of clients(1-10) everything works as it should and the \
squid is fast(no noticeable waiting time for websites to open). Users get \
authenticated, different AD groups can access the internet with \
blacklists/whitelists/full access and so on..</div>
<div> </div>
<div>But as soon as I make the whole company(round about 80 clients) use the new \
proxy, it begins to be very slow. And by very slow I mean like 1-2 minutes waiting \
time(response time in access.log is like 60000-270000 milliseconds for TCP_TUNNEL) \
until a website is fully loaded. We got a old squid proxy too, but without any \
authentication (just some dstdomain in general) and it's working great. But the \
new one is very slow..</div>
<div> </div>
<div>Btw. some of our clients have ipv6, others ipv4(~90%)..There were no errors in \
cache.log(activated it for some minutes with debug ALL for error checking).</div>
<div> </div>
<div> </div>
<div>Can anyone help?</div>
<div> </div>
<div> </div>
<div>What I tried so far:</div>
<div>dns_v4_first on at the very end/very beginning from squid.conf</div>
<div>enable/disable (memory) caching</div>
<div>use Google DNS instead of our own</div>
<div>connect_timeout 3 seconds</div>
<div> </div>
<div>Nothing realy helped..</div>
<div> </div>
<div>Here is my squid.conf:</div>
<div> </div>
<div>
<div>######### allowed port part ########################<br/>
acl Allowed_port port 80 # \
http<br/> acl Allowed_port port \
21 # ftp<br/> acl Allowed_port \
port 443 # https<br/> acl \
Allowed_port port 70 # \
gopher<br/> acl Allowed_port port 210 \
# wais<br/> acl Allowed_port port 1025-65535 # unregistered ports<br/>
acl Allowed_port port 280 # \
http-mgmt<br/> acl Allowed_port port \
488 # gss-http<br/> acl Allowed_port \
port 591 # filemaker<br/> acl \
Allowed_port port 777 # multiling \
http<br/> acl Allowed_port port 10000 # \
Proofpoint<br/> acl CONNECT method CONNECT<br/>
http_access deny CONNECT !Allowed_port</div>
<div> </div>
<div>##################### cache/logs ########################<br/>
cache_log /dev/null<br/>
#logfile_rotate 0<br/>
logformat myformat %{%d.%m %H:%M:%S}tl %>a %Ss %ru %tr<br/>
access_log /var/log/squid/access.log myformat<br/>
#cache_dir aufs /var/spool/squid 16384 32 512<br/>
#cache_mem 8 MB<br/>
#maximum_object_size_in_memory 64 KB<br/>
#maximum_object_size 4 MB<br/>
#coredump_dir /var/spool/squid</div>
<div>cache deny all<br/>
coredump_dir /dev/null<br/>
cache_dir null /dev/null<br/>
cache_store_log none</div>
<div> </div>
<div>########## Debug ########################<br/>
#debug_options ALL,1 33,2 28,9</div>
<div> </div>
<div>######################### squid-port #######<br/>
http_port 3128 \
\
#proxy port</div>
<div>authenticate_ttl 2 \
hours \
#auth timeout squid->passwd_server</div>
<div>#acl localhost src 192.168.2.2 \
\
#proxy IP<br/> #follow_x_forwarded_for allow localhost \
#trust localhost</div>
<div>#general allow everything<br/>
#acl whole_company src 192.0.0.0-192.255.255.254<br/>
#http_access allow whole_company</div>
<div> </div>
<div>############### url_regex ####<br/>
acl black_regex url_regex "/etc/squid/regex_black.acl"<br/>
#http_access allow white_regexp<br/>
acl white_regex url_regex "/etc/squid/regex_white.acl"<br/>
acl license_regex url_regex \
"/etc/squid/regex_license_servers_no_auth.acl"</div>
<div> </div>
<div>############################# allow License Managers ##########<br/>
http_access allow license_regex all</div>
<div> </div>
<div>################### Kerberos ##################################<br/>
auth_param negotiate program /lib/squid/negotiate_wrapper_auth -d --ntlm \
/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN.TLD \
--kerberos /lib/squid/negotiate_kerberos_auth -d -s \
HTTP/proxy.domain.tld@DOMAIN.TLD<br/> auth_param negotiate children 200<br/>
auth_param negotiate keep_alive on</div>
<div> </div>
<div>########################## Allow based on group membership ######<br/>
# Authentication required, otherwise Pop-Up<br/>
acl Authenticated_Users proxy_auth REQUIRED<br/>
http_access deny !Authenticated_Users all</div>
<div> </div>
<div># Define external acl for group check<br/>
external_acl_type ldap_group ipv4 ttl=300 negative_ttl=120 children-max=200 %LOGIN \
/lib/squid/ext_ldap_group_acl -K -S -R \<br/>
-b "ou=Users,DC=domain,DC=tld" \<br/>
-D "ProxyUser@DOMAIN.TLD" \<br/>
-W /etc/squid/authfile \<br/>
-f "(&(objectclass=person)(sAMAccountName=%v)(memberof=CN=%a,OU=Groups,DC=domain,DC=tl))" \
\<br/>
-h 192.0.1.1</div>
<div> </div>
<div>## check whitelist group<br/>
#acl whitelist_Internet_Users external ldap_group whitelist<br/>
#http_access allow whitelist_Internet_Users white_regex</div>
<div> </div>
<div>## check blacklist group<br/>
#acl blacklist_Internet_Users external ldap_group blacklist<br/>
#http_access allow blacklist_Internet_Users !black_regex</div>
<div> </div>
<div>## check full_access group<br/>
#acl full_access_Internet_Users external ldap_group full_access<br/>
#http_access allow full_access_Internet_Users all</div>
<div> </div>
<div>## check Users group<br/>
acl Users_Internet_Users external ldap_group Users<br/>
http_access allow Users_Internet_Users !black_regex</div>
<div> </div>
<div>http_access deny all</div>
<div>dns_v4_first on<br/>
connect_timeout 3 seconds</div>
<div> </div>
<div> </div>
<div>Regards!</div>
</div>
</div>
_______________________________________________ squid-users mailing list \
squid-users@lists.squid-cache.org <a \
href="http://lists.squid-cache.org/listinfo/squid-users" \
target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a></div> </div>
</div>
</div>
</div>
</div>
</div>
</div>
</div></div></body></html>
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic