Re: [squid-users] access.log equivalent for server side

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Wed, 20 Apr 2005 17:23:27 +0200 (CEST)

On Wed, 20 Apr 2005, Thien Vu wrote:

> A portion are external_acl_type for ldap lookups for user groups.

Ok.

> The
> ldap queries themselves are fairly quick, around 200 milliseconds for
> the initial lookup but then it should hit the authentication cache
> from then on.

Correct. Provided all the active entries fit in the cache.

> The rest are url_regex which involve urls or ports (for the CONNECT)
> later defined in the http_access rules. So essentially we have a
> population of users and we want to restrict what they can access
> depending on what group they're in. Group membership is determined by
> ldap lookups.

Why url_regex?

For CONNECT there are exactly zero reasons to use url_regex.

In terms of CPU usage url_regex is several orders of magnitude heavier
than the other acl types.

> Never any problems with CPU usage, these are like dual p3 1.3 GHz, so
> it's more than enough muscle.

Squid only runs on one CPU. Which means that 50% CPU usage reported on your
system is 100% CPU usage by Squid.

>> What authentication method scheme is used?
>
> For the basic authentication, squid_ldap_auth. For external_acl_type,
> squid_ldap_group. We were having issues with too few helpers for the
> external_acl_type but that problem has been fixed by increasing
> children= to a reasonable number.

Ok. Basic is fine. Only wanted to verify that you were not using NTLM as
this adds considerable latency due to the large number of roundtrips to
the proxy required to finish the authentication.

Regards
Henrik
Received on Wed Apr 20 2005 - 09:23:29 MDT
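
A squid.conf fragment for the url_regex point in the reply above, added here as an example and not taken from the thread or from either poster's configuration. A CONNECT request carries only host:port, so the dstdomain and port ACL types cover what a url_regex would match. The group name, domains, port list, helper path and LDAP arguments are assumptions; basic authentication via squid_ldap_auth is assumed to be configured elsewhere.

```squidconf
# Added example, not from the thread. Group name, domains, ports, helper
# path and LDAP arguments below are placeholders (assumptions).

# Group lookup through the squid_ldap_group helper named in the thread.
# ttl= sets how long a lookup result is cached, children= the helper count.
external_acl_type ldap_group ttl=300 children=10 %LOGIN /usr/lib/squid/squid_ldap_group -b "dc=example,dc=com" -f "(&(cn=%g)(memberUid=%u))" -h ldap.example.com
acl staff external ldap_group staff

acl CONNECT method CONNECT

# Heavier form (left commented out): a regex run against the request.
# For CONNECT the target is only host:port, so the regex buys nothing.
# acl staff_tunnels url_regex -i ^[a-z0-9.-]*\.example\.com:443$

# Lighter form: the same host and port matched with dedicated ACL types.
acl staff_sites dstdomain .example.com
acl ssl_ports port 443

# ACLs on one http_access line are ANDed and checked left to right, so the
# cheap host and port checks come first and the external (LDAP) lookup last.
http_access deny CONNECT !ssl_ports
http_access allow CONNECT staff_sites staff
http_access deny CONNECT
```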
