On 9/04/2014 5:16 p.m., Waldemar Brodkorb wrote:
> Hi,
> Amos Jeffries wrote,
>
>>> What do you think? What might be a solution to this problem? I can't
>>> restart squid when changing the ACL rules, because then all users in
>>> the network would be disconnected.
>>
>> You could set the request_timeout to be short. This would make the
>> CONNECT requests terminate after a few minutes.
>
> Will try that.
>
>> You could also use SSL-bump feature in Squid. This has a double benefit
>> of allowing the control software acting on the HTTPS requests and
>> preventing SPDY etc. being used by the browser.
>
> This is not wanted by my boss. Probably because of ethical reasons.
> If a user uses https, he normally believes his traffic is secure and
> we want that to be the case.
>
Fair enough.
> Going back to the initial problem, slow NTLM authentications with
> newer browsers. Would it be worth switching completely to Negotiate?
Yes. NTLM was deprecated officially by MS about 8 years ago and
Negotiate/Kerberos is supported by a wider range of modern software.
> Or is it possible to cache the NTLM authentication results, so that
> Squid does not need to fork a ntlm auth helper on every request?
NTLM (and Negotiate) credentials are pinned to the connection state for
as long as the connection they are valid for exists. As the credentials
token is connection-specific there is no additional caching and re-use
possible beyond that.
The helpers should not be forking on every request. They should be
forked on startup and later only if there are insufficient already
running. Once forked each helper should service traffic indefinitely.
You can minimize NTLM costs:
* by enabling persistent connections on both client and server sides of
Squid and as widely on other software as possible,
* by encouraging HTTP/1.1 with chunked encoding to be used as much as
possible instead of HTTP/1.0 connection:close by other software in the
network,
* by adding Negotiate/Kerberos alongside NTLM.
There will still be significant churn for NTLM, but every bit helps.
Amos
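A squid.conf fragment illustrating the points above (short request_timeout for idle CONNECT tunnels, persistent connections on both sides, helpers pre-forked at startup rather than per request, and Negotiate offered ahead of NTLM). This is an added example, not configuration from the thread; helper paths, the Kerberos service principal, child counts and timeouts are assumed values to be adjusted for your site.

```conf
# Offer Negotiate/Kerberos first so capable browsers prefer it over NTLM.
# Helper path and service principal are assumptions for this example.
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.example.com@EXAMPLE.COM
auth_param negotiate children 20 startup=5 idle=2
auth_param negotiate keep_alive on

# Keep NTLM for clients that cannot do Kerberos; same pre-fork settings.
# Helper path is an assumption (Samba's ntlm_auth is a common choice).
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 20 startup=5 idle=2
auth_param ntlm keep_alive on

# NTLM/Negotiate credentials are pinned to the TCP connection, so keeping
# connections alive on both sides avoids repeating the handshake.
client_persistent_connections on
server_persistent_connections on

# Bound how long an idle CONNECT tunnel can sit without a request, so an
# ACL change takes effect within minutes rather than never.
request_timeout 2 minutes

# Require authentication for proxied traffic (assumed access policy).
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
```

The order of the auth_param blocks matters: Squid advertises schemes in the order they are configured, and browsers pick the first one they support.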
Received on Wed Apr 09 2014 - 07:09:23 MDT