[squid-users] Squid very slow with kerberos auth and LDAP Group Search(AD)
Amos Jeffries
squid3 at treenet.co.nz
Tue Nov 9 02:04:48 UTC 2021
On 9/11/21 01:19, heimarbeit123.99 at web.de wrote:
> Hello all,
> I finally got a squid proxy with Kerberos authentication and LDAP group
> check to work! With a small number of clients (1-10) everything works as
> it should and the squid is fast (no noticeable waiting time for websites
> to open). Users get authenticated, different AD groups can access the
> internet with blacklists/whitelists/full access and so on..
> But as soon as I make the whole company (round about 80 clients) use the
> new proxy, it begins to be very slow. And by very slow I mean like 1-2
> minutes waiting time (response time in access.log is like 60000-270000
> milliseconds for TCP_TUNNEL) until a website is fully loaded.
That could just mean the entire website was loaded through that one
tunnel, which is often the case if the clients are using HTTP/2 or HTTPS
at version 1.1 through it.
> We got an
> old squid proxy too, but without any authentication (just some dstdomain
> in general) and it's working great. But the new one is very slow..
> Btw. some of our clients have IPv6, others IPv4 (~90%). There were no
> errors in cache.log (activated it for some minutes with debug ALL for
> error checking).
ALL at what level? "ALL,0" logs barely anything on a working proxy, but
will definitely complain about critical problems.
> Can anyone help?
> What I tried so far:
> dns_v4_first on at the very end/very beginning of squid.conf
> enable/disable (memory) caching
> use Google DNS instead of our own
That can be a recipe for slowness, since the Google DNS service produces
different responses to every request - even identical repeated ones.
> connect_timeout 3 seconds
> Nothing really helped..
> Here is my squid.conf:
> ######### allowed port part ########################
> acl Allowed_port port 80 # http
> acl Allowed_port port 21 # ftp
> acl Allowed_port port 443 # https
> acl Allowed_port port 70 # gopher
> acl Allowed_port port 210 # wais
> acl Allowed_port port 1025-65535 # unregistered ports
> acl Allowed_port port 280 # http-mgmt
> acl Allowed_port port 488 # gss-http
> acl Allowed_port port 591 # filemaker
> acl Allowed_port port 777 # multiling http
> acl Allowed_port port 10000 # Proofpoint
> acl CONNECT method CONNECT
> http_access deny CONNECT !Allowed_port
Please no. The default security protections were created to cover a
range of security risks commonly seen in Internet traffic.
# forbids touching protocols that can be confused with HTTP
http_access deny !Safe_ports
# prevent arbitrary exfiltration from malware in the network.
http_access deny CONNECT !SSL_ports
> ##################### cache/logs ########################
> cache_log /dev/null
Do set that to an actual file. You may find the thing causing your
problems is detectable by Squid.
> logformat myformat %{%d.%m %H:%M:%S}tl %>a %Ss %ru %tr
> access_log /var/log/squid/access.log myformat
> cache deny all
> coredump_dir /dev/null
Core dumps are something you should probably disable at the system level
instead if you don't want them. Writing all that can be quite time
consuming, even to /dev/null.
> cache_dir null /dev/null
"null" cache type does not exist anymore. That is one thing your
cache.log should be warning you about if you could see it.
> cache_store_log none
This is a default in all current Squid.
> ########## Debug ########################
> #debug_options ALL,1 33,2 28,9
> ######################### squid-port #######
> http_port 3128 #proxy port
> authenticate_ttl 2 hours #auth timeout
> squid->passwd_server
> acl black_regex url_regex "/etc/squid/regex_black.acl"
> acl white_regex url_regex "/etc/squid/regex_white.acl"
> acl license_regex url_regex "/etc/squid/regex_license_servers_no_auth.acl"
> ############################# allow License Managers ##########
> http_access allow license_regex all
The " all" at the end of this line is pointless. Authentication is not
being performed by the regex ACL listed.
> ################### Kerberos ##################################
> auth_param negotiate program /lib/squid/negotiate_wrapper_auth -d --ntlm
> /bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp
> --domain=DOMAIN.TLD --kerberos /lib/squid/negotiate_kerberos_auth -d -s
> HTTP/proxy.domain.tld at DOMAIN.TLD
> auth_param negotiate children 200
You should not need 200 helpers for 80 users with Kerberos operational.
> auth_param negotiate keep_alive on
> ########################## Allow based on group membership ######
> # Authentication required, otherwise Pop-Up
> acl Authenticated_Users proxy_auth REQUIRED
> http_access deny !Authenticated_Users all
FYI: the " all" ACL check at the end of this line forbids Squid sending
the 40x challenge which triggers popups. Users will be getting full
rejection 403 instead if they match this line.
> # Define external acl for group check
> external_acl_type ldap_group ipv4 ttl=300 negative_ttl=120
> children-max=200 %LOGIN /lib/squid/ext_ldap_group_acl -K -S -R \
> -b "ou=Users,DC=domain,DC=tld" \
> -D "ProxyUser at DOMAIN.TLD" \
> -W /etc/squid/authfile \
> -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=CN=%a,OU=Groups,DC=domain,DC=tl))" \
> -h 192.0.1.1
> acl Users_Internet_Users external ldap_group Users
> http_access allow Users_Internet_Users !black_regex
The above performs the slowest ACL test first. It can be optimized as:
http_access allow !black_regex Users_Internet_Users all
> http_access deny all
> dns_v4_first on
> connect_timeout 3 seconds
Amos
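A squid.conf fragment that applies the points Amos raises above (the default Safe_ports/SSL_ports protections, a real cache_log, no "null" cache_dir, fewer helpers, cheap ACLs before the LDAP lookup, and no trailing "all" on the auth deny line). This is an added example, not configuration from the thread; the hostnames, realm, helper paths and LDAP host are the poster's placeholders, and the helper child counts are assumed starting values.

```squid
# Added example assembled from the advice in this thread, not the poster's or Amos's own config.
# Placeholder values: proxy.domain.tld, DOMAIN.TLD, /lib/squid helper paths, LDAP host 192.0.1.1.
# Keep Squid's default port protections rather than a custom Allowed_port list.
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports          # protocols that can be confused with HTTP
http_access deny CONNECT !SSL_ports   # no arbitrary tunnels out of the network
# Write cache.log to a real file so Squid's own warnings are visible.
cache_log /var/log/squid/cache.log
logformat myformat %{%d.%m %H:%M:%S}tl %>a %Ss %ru %tr
access_log /var/log/squid/access.log myformat
cache deny all
# No cache_dir line at all ("cache_dir null" no longer exists); leave coredump_dir at
# its default and disable core dumps at the OS level (ulimit) if they are unwanted.
http_port 3128
# Kerberos via Negotiate with NTLM fallback as in the poster's setup, but far fewer helpers
# (assumed counts: 20 helpers are ample for ~80 clients once Kerberos works).
auth_param negotiate program /lib/squid/negotiate_wrapper_auth --ntlm \
    /bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN.TLD \
    --kerberos /lib/squid/negotiate_kerberos_auth -s HTTP/proxy.domain.tld@DOMAIN.TLD
auth_param negotiate children 20 startup=5 idle=2
auth_param negotiate keep_alive on
acl license_regex url_regex "/etc/squid/regex_license_servers_no_auth.acl"
acl black_regex url_regex "/etc/squid/regex_black.acl"
acl Authenticated_Users proxy_auth REQUIRED
# Group lookups cached 5 minutes (2 minutes for misses); helper count assumed.
external_acl_type ldap_group ipv4 ttl=300 negative_ttl=120 children-max=20 children-startup=5 %LOGIN \
    /lib/squid/ext_ldap_group_acl -K -S -R -b "ou=Users,DC=domain,DC=tld" \
    -D "ProxyUser@DOMAIN.TLD" -W /etc/squid/authfile \
    -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=CN=%a,OU=Groups,DC=domain,DC=tld))" \
    -h 192.0.1.1
acl Users_Internet_Users external ldap_group Users
# Cheap checks first, slow ones (auth, then LDAP) last. The deny line has no trailing
# "all" so unauthenticated clients get the 407 challenge instead of a flat 403.
http_access allow license_regex
http_access deny !Authenticated_Users
http_access allow !black_regex Users_Internet_Users all
http_access deny all
```

After reloading, `squid -k parse` reports any directive it no longer understands, and the real cache.log shows the warnings the /dev/null setting was hiding.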