Hi,
I'm running Squid 2.6 STABLE12 as a reverse proxy.
I have digest authentication turned on:
auth_param digest program
/.../squid/helpers/digest_auth/password/digest_pw_auth /.../passwords
auth_param digest children 5
auth_param digest realm ...
auth_param digest nonce_garbage_interval 5 minutes
auth_param digest nonce_max_duration 12 hours
auth_param digest nonce_max_count 50
I turned nonce_max_duration way up to try to get around the following
problem (but it didn't work):
Users are complaining that they are challenged to re-enter their
credentials too frequently.
I figured nonce_max_duration would set the "max session time", but the
credentials challenges still seem to happen much more frequently.
Is the "max session time" predictable based on config parameters, or is
there some dependency on the vaguaries of garbage collection? I'm
confused about what impact nonce_garbage_interval might has on this.
Is it the case that browsers typically make users re-enter credentials
when "stale=false" appears in a 401/WWW-Authenticate response header?
I notice log entries like these that seem to be correlated with the
credentials challenges:
#1) authenticateValidateUser: Auth_user '0xb61430' is broken for it's
scheme.
#2) authenticateValidateUser: Validating Auth_user request '(nil)'.
Are these normal sorts of log messages? What does AUTH_BROKEN mean (from
the source generating example #1)?
Does "Validating Auth_user request '(nil)'" mean that no "Authorization"
header was included in the request?
In what may or may not be a related matter, the browser credentials
dialog box is sometimes presented three or four times in a row. I think
this might just have to do with parallel requests from the browser all
failing with 401s at the same time. I think this happens with a variety
of browsers - sorry no more details are available.
Thanks,
Ben
