[squid-users] SSL Slow when authenticating

From: Ian <barnracoon@dont-contact.us>
Date: Mon, 8 Oct 2007 19:16:18 +0200

Hi,

I am running a cache cluster and on the controller its running NTLM
authentication. The problem comes in when the user/me loads any SSL
site, it takes ages before it starts loading. Once its loaded if you
refresh/use it it goes quickly, just that initial load that takes very
long to load. I have another cluster running at another location
within this same company and it does not have the same symptoms at all
so its not the upstream IWSS servers that are causing this. The only
difference between the two is the squid version.

The new one with the problem is running:
[root@S058] /var/log/squid # squid -v
Squid Cache: Version 2.6.STABLE12
configure options: '--bindir=/usr/local/sbin'
'--sbindir=/usr/local/sbin' '--datadir=/usr/local/etc/squid'
'--libexecdir=/usr/local/libexec/squid'
'--localstatedir=/usr/local/squid' '--sysconfdir=/usr/local/etc/squid'
'--enable-removal-policies=lru heap' '--disable-linux-netfilter'
'--disable-linux-tproxy' '--disable-epoll' '--enable-auth=basic ntlm
digest' '--enable-basic-auth-helpers=NCSA PAM MSNT SMB LDAP YP'
'--enable-digest-auth-helpers=password ldap'
'--enable-external-acl-helpers=ip_user session unix_group wbinfo_group
ldap_group' '--enable-ntlm-auth-helpers=SMB' '--enable-storeio=ufs
diskd null' '--enable-snmp' '--disable-carp' '--enable-ssl'
'--with-openssl=/usr/local' '--enable-useragent-log'
'--enable-follow-x-forwarded-for' '--enable-icap-support'
'--enable-ipf-transparent' '--enable-kqueue'
'--enable-err-languages=Azerbaijani Bulgarian Catalan Czech Danish
Dutch English Estonian Finnish French German Greek Hebrew Hungarian
Italian Japanese Korean Lithuanian Polish Portuguese Romanian
Russian-1251 Russian-koi8-r Serbian Simplify_Chinese Slovak Spanish
Swedish Traditional_Chinese Turkish'
'--enable-default-err-language=English' '--prefix=/usr/local'
'i386-portbld-freebsd4.11' 'build_alias=i386-portbld-freebsd4.11'
'host_alias=i386-portbld-freebsd4.11'
'target_alias=i386-portbld-freebsd4.11'

My squid.conf looks like this:
half_closed_clients off
#tcp_outgoing_address
append_domain .domain.com
auth_param ntlm program ntlm_auth.sh ntlmssp
auth_param ntlm children 20
auth_param ntlm keep_alive on
auth_param basic program ntlm_auth.sh basic
auth_param basic children 20
auth_param basic realm S058.domain.com Cache NTLM Authentication
auth_param basic credentialsttl 2 hours
http_port 3128 transparent
icp_port 3130
#htcp_port 0
cache_mem 512 MB
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563 5443 4443
acl Safe_ports port 21 70 80 81 90 91 210 443 488 591 777 1025-65535
acl CONNECT method CONNECT
acl NOAUTHIP dst "noauthip.list"
acl NOAUTHDOM dstdomain "noauthdom.list"
acl NTLM proxy_auth REQUIRED
acl ADIRDOM dstdomain "adirdom.list"
always_direct allow ADIRDOM
acl ADIRIP dst "adirip.list"
always_direct allow ADIRIP
acl NOCACHE dstdomain "nocache.list"
no_cache deny NOCACHE
always_direct deny all
never_direct allow all
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_swap_low 90
cache_swap_high 96
maximum_object_size 32768 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 128 KB
ipcache_size 10240
ipcache_low 90
ipcache_high 95
fqdncache_size 10240
log_fqdn off
memory_pools off
cache_replacement_policy heap GDSF
#memory_replacement_policy heap LFUDA
memory_replacement_policy lru
#cache_replacement_policy lru
cache_dir null /null
log_mime_hdrs on
logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt %>st
cache_access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
cache_store_log none
pid_filename /usr/local/squid/logs/squid.pid
store_dir_select_algorithm round-robin
debug_options ALL,1
ftp_user opteq@
ftp_passive on
dns_timeout 50 seconds
quick_abort_min 10 kb
quick_abort_pct 50%
quick_abort_max 1024 kb
negative_ttl 2 minute
range_offset_limit 0 KB
connect_timeout 10 second
cache_peer 1.1.5.2 parent 3128 3130 proxy-only login=*:pass
cache_peer 1.1.5.3 parent 3128 3130 proxy-only login=*:pass
cache_peer 1.1.5.4 parent 3128 3130 proxy-only login=*:pass
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow NOAUTHIP
http_access allow NOAUTHDOM
http_access allow NTLM
http_access deny all
# And finally deny all other access to this proxy
icp_access allow all
cache_mgr support@domain.com
cache_effective_user nobody
cache_effective_group nobody
visible_hostname S058.domain.com
#dns_testnames netscape.com internic.net nlanr.net microsoft.com
dns_testnames localhost
forwarded_for on
ie_refresh on
acl localSnmp snmp_community public
acl SNMPIP0 src 10.6.14.25/32
acl SNMP0 snmp_community cms
snmp_port 3401
snmp_access allow localSnmp localhost
snmp_access allow SNMP0 SNMPIP0
snmp_access deny all
snmp_incoming_address 0.0.0.0
snmp_outgoing_address 255.255.255.255
peer_connect_timeout 30 seconds
dead_peer_timeout 30 seconds
httpd_suppress_version_string = on

Now my ntlm_auth.sh looks like this:
[root@S058] # cat ntlm_auth.sh
#!/bin/sh
W="$1"
/usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-$W
--require-membership-of='DOMAIN\Group'

I have narrowed it down more by not using the cache peers in the
squid.conf and rather pointed them directly at the IWSS servers and
still get the same results, so the cache_peers are not causing any
problems here it seems. I have looked in messages, cache.log and dont
see any error messages. Also a "net ads testjoin" works fine, and even
normal sites that require authentication load fairly quickly, so
authentication is working fine.

Any ideas? Im stumped.

Thanks in advance,
Ian
Received on Mon Oct 08 2007 - 11:16:22 MDT

This archive was generated by hypermail pre-2.1.9 : Thu Nov 01 2007 - 13:00:01 MDT