[squid-users] Problem with Squid 3.4.4 and NTLM authentication
Amos Jeffries
squid3 at treenet.co.nz
Wed Jan 6 00:07:48 UTC 2016
On 6/01/2016 5:26 a.m., Job wrote:
> Hello,
>
> Since I upgraded two Squid proxy servers to the Squid-3.4.4 version, we have some huge bottlenecks with authenticated NTLM (old style!) users.
> If I disable authentication and enable per-IP surf, it works fine.
From what earlier version?
>
> Please note that the squid process rises up to 100%.
>
> Here is my auth ntlm configuration:
>
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
Try with "auth_param ntlm keep_alive off"
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 200
> auth_param basic credentialsttl 2 hours
>
> Perhaps I have to change something?
3.4.4 is a very outdated version of Squid. Current release is 3.5.12 or
3.4.14.
NTLM requires that Squid disable all HTTP performance optimizations.
Without TCP connection persistence it will re-authenticate for every
single request, resulting in more than doubling the bandwidth load and
reducing the proxy to under 500 RPS. Even with persistence these limits
are only raised a little.
It is also very insecure, more so than Basic auth in the modern
environment.
Amos
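
To check whether clients are repeating the NTLM handshake on every request, as the reply describes, one option is to compare 407 challenges with served responses per client in access.log. This is an added example, not part of the original message or of Squid; it assumes Squid's native log format, two 407 responses per full handshake, and constructed sample lines; the function names and the threshold are hypothetical.

```python
from collections import defaultdict

# Constructed sample in Squid's native access.log format (not from the thread).
# 192.0.2.21 repeats the full handshake per request; 192.0.2.22 reuses one connection.
SAMPLE_LOG = """\
1452038868.101 1 192.0.2.21 TCP_DENIED/407 4120 GET http://example.com/a - HIER_NONE/- text/html
1452038868.140 2 192.0.2.21 TCP_DENIED/407 4385 GET http://example.com/a - HIER_NONE/- text/html
1452038868.320 175 192.0.2.21 TCP_MISS/200 15320 GET http://example.com/a alice HIER_DIRECT/198.51.100.7 text/html
1452038869.001 1 192.0.2.21 TCP_DENIED/407 4120 GET http://example.com/b - HIER_NONE/- text/html
1452038869.044 2 192.0.2.21 TCP_DENIED/407 4385 GET http://example.com/b - HIER_NONE/- text/html
1452038869.230 180 192.0.2.21 TCP_MISS/200 9811 GET http://example.com/b alice HIER_DIRECT/198.51.100.7 text/html
1452038870.010 1 192.0.2.22 TCP_DENIED/407 4120 GET http://example.com/c - HIER_NONE/- text/html
1452038870.050 2 192.0.2.22 TCP_DENIED/407 4385 GET http://example.com/c - HIER_NONE/- text/html
1452038870.200 140 192.0.2.22 TCP_MISS/200 7300 GET http://example.com/c bob HIER_DIRECT/198.51.100.7 text/html
1452038870.400 120 192.0.2.22 TCP_MISS/200 5100 GET http://example.com/d bob HIER_DIRECT/198.51.100.7 text/html
1452038870.600 110 192.0.2.22 TCP_MISS/200 6200 GET http://example.com/e bob HIER_DIRECT/198.51.100.7 text/html
1452038870.800 115 192.0.2.22 TCP_MISS/200 4800 GET http://example.com/f bob HIER_DIRECT/198.51.100.7 text/html
"""

def auth_overhead(log_text):
    """Return {client_ip: (challenges, served, ratio)} for native-format lines."""
    counts = defaultdict(lambda: [0, 0])  # [407 challenges, other responses]
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 10 or "/" not in fields[3]:
            continue  # skip blank or malformed lines
        status = fields[3].rsplit("/", 1)[1]  # e.g. TCP_DENIED/407 -> "407"
        counts[fields[2]][0 if status == "407" else 1] += 1
    stats = {}
    for client, (challenges, served) in counts.items():
        ratio = challenges / served if served else float("inf")
        stats[client] = (challenges, served, ratio)
    return stats

def reauth_per_request(stats, threshold=2.0):
    """Clients whose challenge ratio suggests a full handshake per request."""
    return sorted(c for c, (_, _, ratio) in stats.items() if ratio >= threshold)

if __name__ == "__main__":
    stats = auth_overhead(SAMPLE_LOG)
    for client, (challenges, served, ratio) in sorted(stats.items()):
        print(f"{client}: {challenges} challenges, {served} served, ratio {ratio:.2f}")
    print("full handshake per request:", reauth_per_request(stats))
```

A ratio near 2 means every served request was preceded by both 407 responses, which is the no-persistence case described above.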