[squid-users] squid 3.1 ldap authentication

Eliezer Croitoru eliezer at ngtech.co.il
Sun Jan 31 01:21:11 UTC 2016


Just to update the thread.

A basic CLI test showed it's not an issue related to anything in the 
LDAP helpers or settings.
The issue was an IPv6 network-level issue: there was a default gateway, but 
for some unknown reason there was no IPv6 connectivity.
The test host could be any host with both IPv6 and IPv4 DNS records, i.e. one 
that has at least one IPv6 record. Due to the request_start_timeout default of 5 
minutes, the site took about 5 minutes to show up after the IPv6 attempt 
timed out.
The basic way to test it is to run a simple script on the host machine 
that tests IPv6 connectivity. The right way to do that should be 
a basic IPv6 ping, like this script:
- http://paste.ngtech.co.il/pxizenek2
- http://ngtech.co.il/squid/ipv6_test.sh

But since it is known that opening the whole IPv6 ICMP protocol in 
firewalls opens network vulnerabilities, it is commonly disabled (while it 
should be opened properly), and that therefore makes it an issue to test IPv6 
connectivity based only on ICMP.

Example ip6tables ICMPv6 rules that will allow a router to pass a basic 
ping6 test:
ip6tables -A FORWARD -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
ip6tables -A FORWARD -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
ip6tables -A FORWARD -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
ip6tables -A FORWARD -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
ip6tables -A FORWARD -p icmpv6 --icmpv6-type echo-request -j ACCEPT
ip6tables -A FORWARD -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
ip6tables -A FORWARD -p icmpv6 -j DROP

Later I will upgrade the script to test TCP/HTTP-level connectivity so 
it will be more useful as a debugging tool.

* http://www.squid-cache.org/Doc/config/request_start_timeout/
* https://www.cert.org/downloads/IPv6/ip6tables_rules.txt
* https://www.sixxs.net/wiki/IPv6_Firewalling

On 29/01/2016 03:50, Nando Mendonca wrote:
> Thanks! I ran tcpdump, didn't really notice anything. Any other suggestions?
>
> Thanks,
> Nando
>
>> On Jan 25, 2016, at 10:07 AM, Anders Gustafsson <Anders.Gustafsson at pedago.fi> wrote:
>>
>> Do a packet trace on the LDAP connection. I bet the delay happens there. Also: I suspect that it might do the same LDAP lookup for EVERY HTTP session of which there might be thousands for a complex page.
>>
>>
>>>>> nando mendonca <nandomendonca007 at gmail.com> 2016-01-25 17:52 >>>
>> I'm running squid 3.5.12, I'm using ldap for authentication. When trying to
>> browse the internet from clients it takes up to 10 minutes for the website
>> to load. Can you please assist me in troubleshooting what the issue is?
>> Below is my squid.conf file.
>>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
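As an added example (not the author's ipv6_test.sh linked above), a small sh script that checks a router's ip6tables FORWARD chain for the six ICMPv6 types listed in the post and probes a host over HTTP on IPv6 with curl, so connectivity can still be tested where ICMPv6 is filtered. The ruleset sample is constructed, the HOST argument is a placeholder, and curl is assumed to be installed.

```shell
#!/bin/sh
# Added example, not the ipv6_test.sh from the original post. Two checks for the
# situation above: (1) which of the ICMPv6 types listed in the post a router's
# ip6tables FORWARD chain still fails to accept, and (2) an HTTP-over-IPv6 probe
# through curl so the test does not depend on ICMP at all (curl assumed installed).

# name:number pairs for the six types in the post; `ip6tables -S` prints numbers.
REQUIRED_ICMPV6='destination-unreachable:1 packet-too-big:2 time-exceeded:3
parameter-problem:4 echo-request:128 echo-reply:129'

# missing_icmpv6_types RULESET
# RULESET is the text of `ip6tables -S FORWARD`. Prints, one per line, each
# required type with no ACCEPT rule (matched by name or number). This is a
# presence check only; it does not evaluate rule order.
missing_icmpv6_types() {
  ruleset=$1
  for pair in $REQUIRED_ICMPV6; do
    name=${pair%%:*}; num=${pair##*:}
    if ! printf '%s\n' "$ruleset" | grep -Eq -- "--icmpv6-type ($name|$num)( |/).*-j ACCEPT"; then
      printf '%s\n' "$name"
    fi
  done
}

# http6_check HOST [TIMEOUT]
# Returns 0 if an HTTP GET to HOST succeeds over IPv6 within TIMEOUT seconds.
# curl -6 forces the AAAA path, so a host with both A and AAAA records is tested
# on IPv6 only instead of silently falling back to IPv4 (the fallback that hid
# the problem in this thread behind a 5-minute delay).
http6_check() {
  curl -6 -sS -o /dev/null --connect-timeout "${2:-5}" --max-time "${2:-5}" "http://$1/"
}

# Constructed sample of `ip6tables -S FORWARD` for a router that forwards the
# ICMPv6 error messages but not ping: echo-request and echo-reply are missing.
SAMPLE_RULESET='-P FORWARD DROP
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A FORWARD -p ipv6-icmp -j DROP'

# Live use on a router: ./ipv6_check.sh --live HOST   (HOST is a placeholder)
if [ "${1:-}" = "--live" ]; then
  echo "ICMPv6 types with no ACCEPT rule in FORWARD:"
  missing_icmpv6_types "$(ip6tables -S FORWARD)"
  if http6_check "$2"; then echo "HTTP over IPv6 to $2: ok"; else echo "HTTP over IPv6 to $2: FAILED"; fi
fi
```

Run without arguments it only defines the functions; with --live it reads the real FORWARD chain and performs the HTTP probe.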