Re: Squid and NTLM passthrough

To answer my own question, I needed:

persistent_connection_after_error on

in squid.config.

A suggestion for the next version of squid would be to change the documentation for persistent_connection_after_error (in squid.config.default). The current version says:

#  TAG: persistent_connection_after_error
#       With this directive the use of persistent connections after
#       HTTP errors can be disabled. Useful if you have clients
#       who fail to handle errors on persistent connections proper.

It would be clearer if it said "can be enabled".

Regards, and thanks once again for your help.

Steffan

Steffan Corley wrote:
Just for further information, we have tried adding the headers "Connection: keep-alive" and "Proxy-Connection: keep-alive" to the http request with exactly the same results (e.g. curl -H "Connection: keep-alive" ...).

Steffan

Steffan Corley wrote:
Hi Henrik,

Thanks once again for all your help so far. Unfortunately, we can't get this working in Squid 2.6.STABLE7. We have the following line in squid.conf:

cache_peer 192.168.4.166 parent 8080 7 no-query login=PASS connection-auth=on

(I appreciate the connection-auth bit should be unnecessary, but we added it to remove one possible source of problems.)

My squid.conf does not contain anything about persistent connections. However, I note that Squid appends a "Proxy-Connection: close" to the NTLM challenge returned by the ISA server. This seems to cause the user agent (curl, in our tests, but IE also doesn't work) to close the connection and then start the entire process again.

I've attached debugging output from curl for both a direct connection to the ISA server and a connection through Squid to the bottom of this message. Packet sniffing shows that the communication between squid and the ISA server exactly mirrors the communication between the user agent and squid.

In general, our experience with Squid is that it tends to close the connection with the browser surprisingly frequently, particularly immediately after the very first request from any browser.

Any ideas?

Thanks a lot for any (further) help.

Steffan

Henrik Nordstrom wrote:
On Tue, 2007-01-16 at 22:29 +0000, Steffan Corley wrote:

I've had a look at the cache_peer directive in the Squid 3.0 manual (not at work, so can't try it). It looks to me like we would probably need "login=PASS" - except that the 3.0 manual specifically says that this only works with basic authentication.

Well.. 2.6 is not 3.0 and some things differ.

3.0.PRE3 (what the Visolve "3.0" manual documents) does not have support
for NTLM passthrough. 2.6 does.

Regards
Henrik
--------------------------------------------------------------------------------------------------------------------------------

Direct connection to our test ISA server:

curl -v --proxy-ntlm --proxy-user fbloggs:Fishing1 --proxy 192.168.4.166:8080 http://iflsupdc01/test.htm

* About to connect() to 192.168.4.166 port 8080
*   Trying 192.168.4.166... * connected
* Connected to 192.168.4.166 (192.168.4.166) port 8080
* Proxy auth using NTLM with user 'fbloggs'
> GET http://iflsupdc01/test.htm HTTP/1.1
Proxy-Authorization: NTLM TlRMTVNTUAABAAAAAgIAAAAAAAAgAAAAAAAAACAAAAA=
User-Agent: curl/7.12.1 (i386-redhat-linux-gnu) libcurl/7.12.1 OpenSSL/0.9.7a zlib/1.2.1.2 libidn/0.5.6
Host: iflsupdc01
Pragma: no-cache
Accept: */*

< HTTP/1.1 407 Proxy Authentication Required ( Access is denied.  )
< Via: 1.1 IFLISA2
< Proxy-Authenticate: NTLM TlRMTVNTUAACAAAAAAAAADgAAAACAgAC4mf23g5o7MUAAAAAAAAAAAAAAAA4AAAABQLODgAAAA8=
< Connection: Keep-Alive
< Proxy-Connection: Keep-Alive
< Pragma: no-cache
< Cache-Control: no-cache
< Content-Type: text/html
< Content-Length: 0
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed

0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
* Connection #0 to host 192.168.4.166 left intact
* Issue another request to this URL: 'http://iflsupdc01/test.htm'
* Re-using existing connection! (#0) with host 192.168.4.166
* Connected to 192.168.4.166 (192.168.4.166) port 8080
* Proxy auth using NTLM with user 'fbloggs'
> GET http://iflsupdc01/test.htm HTTP/1.1
Proxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAEcAAAAYABgAXwAAAAAAAABAAAAABwAHAEAAAAAAAAAARwAAAAAAAAB3AAAAAYIAAGZibG9nZ3M47tx4c1fHgyiRKo8S7Rg5kFShqEyYIYH48/2MC/7cIZqMlCN8DxVWHPTuPISDjoo=
User-Agent: curl/7.12.1 (i386-redhat-linux-gnu) libcurl/7.12.1 OpenSSL/0.9.7a zlib/1.2.1.2 libidn/0.5.6
Host: iflsupdc01
Pragma: no-cache
Accept: */*

< HTTP/1.1 200 OK
< Via: 1.1 IFLISA2
< Connection: Keep-Alive
< Proxy-Connection: Keep-Alive
< Content-Length: 1502
< Date: Wed, 17 Jan 2007 23:01:33 GMT
< Content-Type: text/html
< ETag: "d0f625b16d3ac71:1bb"
< Server: Microsoft-IIS/6.0
< Last-Modified: Wed, 17 Jan 2007 19:28:40 GMT
< Accept-Ranges: bytes

100 1502 100 1502 0 0 96940 0 --:--:-- --:--:-- --:--:-- 97k
* Connection #0 to host 192.168.4.166 left intact
* Closing connection #0

--------------------------------------------------------------------------------------------------------------------------------

Connection through Squid to our test ISA server:

curl -v --proxy-ntlm --proxy-user fbloggs:Fishing1 --proxy 127.0.0.1:8080 http://iflsupdc01/test.htm

* About to connect() to localhost port 8080
*   Trying 127.0.0.1... * connected
* Connected to localhost (127.0.0.1) port 8080
* Proxy auth using NTLM with user 'fbloggs'
> GET http://iflsupdc01/test.htm HTTP/1.1
Proxy-Authorization: NTLM TlRMTVNTUAABAAAAAgIAAAAAAAAgAAAAAAAAACAAAAA=
User-Agent: curl/7.12.1 (i386-redhat-linux-gnu) libcurl/7.12.1 OpenSSL/0.9.7a zlib/1.2.1.2 libidn/0.5.6
Host: iflsupdc01
Pragma: no-cache
Accept: */*

< HTTP/1.0 407 Proxy Authentication Required
< Proxy-Authenticate: NTLM TlRMTVNTUAACAAAAAAAAADgAAAACAgAC6ZSzPs2eyiYAAAAAAAAAAAAAAAA4AAAABQLODgAAAA8=
< Pragma: no-cache
< Cache-Control: no-cache
< Content-Type: text/html
< Content-Length: 0
< X-Cache: MISS from RMSmartCache2
< Via: 1.1 IFLISA2, 1.0 RMSmartCache2:8080 (squid/2.6.STABLE7)
< Proxy-Connection: close
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed

0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
* Closing connection #0
* Issue another request to this URL: 'http://iflsupdc01/test.htm'
* About to connect() to localhost port 8080
*   Trying 127.0.0.1... * connected
* Connected to localhost (127.0.0.1) port 8080
* Proxy auth using NTLM with user 'fbloggs'
> GET http://iflsupdc01/test.htm HTTP/1.1
Proxy-Authorization: NTLM TlRMTVNTUAABAAAAAgIAAAAAAAAgAAAAAAAAACAAAAA=
User-Agent: curl/7.12.1 (i386-redhat-linux-gnu) libcurl/7.12.1 OpenSSL/0.9.7a zlib/1.2.1.2 libidn/0.5.6
Host: iflsupdc01
Pragma: no-cache
Accept: */*

< HTTP/1.0 407 Proxy Authentication Required
< Proxy-Authenticate: NTLM TlRMTVNTUAACAAAAAAAAADgAAAACAgACcxmgGcGKnHMAAAAAAAAAAAAAAAA4AAAABQLODgAAAA8=
< Pragma: no-cache
< Cache-Control: no-cache
< Content-Type: text/html
< Content-Length: 0
< X-Cache: MISS from RMSmartCache2
< Via: 1.1 IFLISA2, 1.0 RMSmartCache2:8080 (squid/2.6.STABLE7)
< Proxy-Connection: close

0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
* Closing connection #0
[...repeated many times...]
* Maximum (50) redirects followed
curl: (47) Maximum (50) redirects followed
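
The difference between the two traces above, as an added example that is not part of the original post: NTLM authenticates the connection, so a Type 2 challenge delivered on a connection that is about to close can never be answered. This Python check flags such 407 responses in `curl -v` output; the function names and the constructed sample token are assumptions of the example.

```python
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"

def ntlm_type(value):
    """Message type (1, 2 or 3) of an 'NTLM <base64>' header value, else None."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return None
    if len(raw) < 12 or not raw.startswith(NTLMSSP):
        return None
    return struct.unpack_from("<I", raw, 8)[0]  # little-endian type at offset 8

def parse_responses(trace):
    """Collect (status_line, headers) for every '< ' response in a curl -v trace."""
    responses = []
    for line in trace.splitlines():
        if not line.startswith("< "):
            continue
        text = line[2:].strip()
        if text.startswith("HTTP/"):
            responses.append((text, {}))
        elif responses and ":" in text:
            name, _, val = text.partition(":")
            responses[-1][1][name.strip().lower()] = val.strip()
    return responses

def broken_challenges(trace):
    """Status lines of 407 NTLM challenges sent on a connection that will close."""
    found = []
    for status, hdrs in parse_responses(trace):
        parts = status.split()
        if len(parts) < 2 or parts[1] != "407" or ntlm_type(hdrs.get("proxy-authenticate", "")) != 2:
            continue
        conn = [hdrs.get(h, "").lower() for h in ("proxy-connection", "connection")]
        # HTTP/1.0 closes by default unless keep-alive is requested explicitly
        if "close" in conn or (parts[0] == "HTTP/1.0" and "keep-alive" not in conn):
            found.append(status)
    return found

# Constructed sample input: a minimal Type 2 token in the shape of the traces above
CHALLENGE = base64.b64encode(NTLMSSP + struct.pack("<I", 2) + b"\x00" * 20).decode()
DIRECT = f"< HTTP/1.1 407 Proxy Authentication Required\n< Proxy-Authenticate: NTLM {CHALLENGE}\n< Proxy-Connection: Keep-Alive\n"
VIA_SQUID = f"< HTTP/1.0 407 Proxy Authentication Required\n< Proxy-Authenticate: NTLM {CHALLENGE}\n< Proxy-Connection: close\n"
print(broken_challenges(DIRECT), broken_challenges(VIA_SQUID))
```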





