Re: Squid and NTLM passthrough

Steffan Corley <scorley@xxxxxxx> · Wed, 17 Jan 2007 17:26:24 +0000

To answer my own question, I needed:

persistent_connection_after_error on

in squid.config.

A suggestion for the next version of squid would be to change the 
documentation for persistent_connection_after_error (in 
squid.config.default).  The current version says:

#  TAG: persistent_connection_after_error
#       With this directive the use of persistent connections after
#       HTTP errors can be disabled. Useful if you have clients
#       who fail to handle errors on persistent connections proper.

It would be clearer if it said "can be enabled".

Regards, and thanks once again for your help.

Steffan

Steffan Corley wrote:
Just for further information, we have tried adding the headers 
"Connection: keep-alive" and "Proxy-Connection: keep-alive" to the 
http request with exactly the same results (e.g. curl -H "Connection: 
keep-alive" ...).

Steffan

Steffan Corley wrote:
Hi Henrik,

Thanks once again for all your help so far.  Unfortunately, we can't 
get this working in Squid 2.6.STABLE7.  We have the following line in 
squid.conf:

cache_peer 192.168.4.166 parent 8080 7 no-query login=PASS 
connection-auth=on
(I appreciate the connection-auth bit should be unnecessary, but we 
added it to remove one possible source of problems).

My squid.conf does not contain anything about persistent 
connections.  However, I note that Squid appends a "Proxy-Connection: 
close" to the NTLM challenge returned by the ISA server.  This seems 
to cause the user agent (curl, in our tests, but IE also doesn't 
work) to close the connection and then start the entire process again.

I've attached debugging output from curl for both a direct connection 
to the ISA server and a connection through Squid to the bottom of 
this message.  Packet sniffing shows that the communication between 
squid and the ISA server exactly mirrors the communication between 
the user agent and squid.

In general, our experience with Squid is that it tends to close the 
connection with the browser surprisingly frequently, particularly 
immediately after the very first request from any browser.

Any ideas?

Thanks a lot for any (further) help.

Steffan

Henrik Nordstrom wrote:
tis 2007-01-16 klockan 22:29 +0000 skrev Steffan Corley:

I've had a look at the cache_peer directive in the Squid 3.0 manual 
(not at work, so can't try it).  It looks to me like we would 
probably need "login=PASS" - except that the 3.0 manual 
specifically says that this only works with basic authentication.

Well.. 2.6 is not 3.0 and some things differ.

3.0.PRE3 (what the Visolve "3.0" manual documents) does not have 
support
for NTLM passthrough. 2.6 does.

Regards
Henrik

-------------------------------------------------------------------------------------------------------------------------------- 

Direct connection to our test ISA server:

curl -v --proxy-ntlm --proxy-user fbloggs:Fishing1 --proxy 
192.168.4.166:8080 http://iflsupdc01/test.htm

* About to connect() to 192.168.4.166 port 8080
*   Trying 192.168.4.166... * connected
* Connected to 192.168.4.166 (192.168.4.166) port 8080
* Proxy auth using NTLM with user 'fbloggs'
> GET http://iflsupdc01/test.htm HTTP/1.1
Proxy-Authorization: NTLM TlRMTVNTUAABAAAAAgIAAAAAAAAgAAAAAAAAACAAAAA=
User-Agent: curl/7.12.1 (i386-redhat-linux-gnu) libcurl/7.12.1 
OpenSSL/0.9.7a zlib/1.2.1.2 libidn/0.5.6
Host: iflsupdc01
Pragma: no-cache
Accept: */*

< HTTP/1.1 407 Proxy Authentication Required ( Access is denied.  )
< Via: 1.1 IFLISA2
< Proxy-Authenticate: NTLM 
TlRMTVNTUAACAAAAAAAAADgAAAACAgAC4mf23g5o7MUAAAAAAAAAAAAAAAA4AAAABQLODgAAAA8= 

< Connection: Keep-Alive
< Proxy-Connection: Keep-Alive
< Pragma: no-cache
< Cache-Control: no-cache
< Content-Type: text/html
< Content-Length: 0     % Total    % Received % Xferd  Average 
Speed   Time    Time     Time  Current
                                Dload  Upload   Total   Spent    
Left  Speed

 0     0    0     0    0     0      0      0 --:--:-- --:--:-- 
--:--:--     0
 0     0    0     0    0     0      0      0 --:--:-- --:--:-- 
--:--:--     0
* Connection #0 to host 192.168.4.166 left intact
* Issue another request to this URL: 'http://iflsupdc01/test.htm'
* Re-using existing connection! (#0) with host 192.168.4.166
* Connected to 192.168.4.166 (192.168.4.166) port 8080
* Proxy auth using NTLM with user 'fbloggs'
> GET http://iflsupdc01/test.htm HTTP/1.1
Proxy-Authorization: NTLM 
TlRMTVNTUAADAAAAGAAYAEcAAAAYABgAXwAAAAAAAABAAAAABwAHAEAAAAAAAAAARwAAAAAAAAB3AAAAAYIAAGZibG9nZ3M47tx4c1fHgyiRKo8S7Rg5kFShqEyYIYH48/2MC/7cIZqMlCN8DxVWHPTuPISDjoo= 

User-Agent: curl/7.12.1 (i386-redhat-linux-gnu) libcurl/7.12.1 
OpenSSL/0.9.7a zlib/1.2.1.2 libidn/0.5.6
Host: iflsupdc01
Pragma: no-cache
Accept: */*

< HTTP/1.1 200 OK
< Via: 1.1 IFLISA2
< Connection: Keep-Alive
< Proxy-Connection: Keep-Alive
< Content-Length: 1502
< Date: Wed, 17 Jan 2007 23:01:33 GMT
< Content-Type: text/html
< ETag: "d0f625b16d3ac71:1bb"
< Server: Microsoft-IIS/6.0
< Last-Modified: Wed, 17 Jan 2007 19:28:40 GMT
< Accept-Ranges: bytes

100  1502  100  1502    0     0  96940      0 --:--:-- --:--:-- 
--:--:--   97k
* Connection #0 to host 192.168.4.166 left intact
* Closing connection #0

-------------------------------------------------------------------------------------------------------------------------------- 

Connection through Squid to our test ISA server:

curl -v --proxy-ntlm --proxy-user fbloggs:Fishing1 --proxy 
127.0.0.1:8080 http://iflsupdc01/test.htm

* About to connect() to localhost port 8080
*   Trying 127.0.0.1... * connected
* Connected to localhost (127.0.0.1) port 8080
* Proxy auth using NTLM with user 'fbloggs'
> GET http://iflsupdc01/test.htm HTTP/1.1
Proxy-Authorization: NTLM TlRMTVNTUAABAAAAAgIAAAAAAAAgAAAAAAAAACAAAAA=
User-Agent: curl/7.12.1 (i386-redhat-linux-gnu) libcurl/7.12.1 
OpenSSL/0.9.7a zlib/1.2.1.2 libidn/0.5.6
Host: iflsupdc01
Pragma: no-cache
Accept: */*

< HTTP/1.0 407 Proxy Authentication Required
< Proxy-Authenticate: NTLM 
TlRMTVNTUAACAAAAAAAAADgAAAACAgAC6ZSzPs2eyiYAAAAAAAAAAAAAAAA4AAAABQLODgAAAA8= 

< Pragma: no-cache
< Cache-Control: no-cache
< Content-Type: text/html
< Content-Length: 0
< X-Cache: MISS from RMSmartCache2
< Via: 1.1 IFLISA2, 1.0 RMSmartCache2:8080 (squid/2.6.STABLE7)
< Proxy-Connection: close
 % Total    % Received % Xferd  Average Speed   Time    Time     
Time  Current
                                Dload  Upload   Total   Spent    
Left  Speed

 0     0    0     0    0     0      0      0 --:--:-- --:--:-- 
--:--:--     0
 0     0    0     0    0     0      0      0 --:--:-- --:--:-- 
--:--:--     0
* Closing connection #0
* Issue another request to this URL: 'http://iflsupdc01/test.htm'
* About to connect() to localhost port 8080
*   Trying 127.0.0.1... * connected
* Connected to localhost (127.0.0.1) port 8080
* Proxy auth using NTLM with user 'fbloggs'
> GET http://iflsupdc01/test.htm HTTP/1.1
Proxy-Authorization: NTLM TlRMTVNTUAABAAAAAgIAAAAAAAAgAAAAAAAAACAAAAA=
User-Agent: curl/7.12.1 (i386-redhat-linux-gnu) libcurl/7.12.1 
OpenSSL/0.9.7a zlib/1.2.1.2 libidn/0.5.6
Host: iflsupdc01
Pragma: no-cache
Accept: */*

< HTTP/1.0 407 Proxy Authentication Required
< Proxy-Authenticate: NTLM 
TlRMTVNTUAACAAAAAAAAADgAAAACAgACcxmgGcGKnHMAAAAAAAAAAAAAAAA4AAAABQLODgAAAA8= 

< Pragma: no-cache
< Cache-Control: no-cache
< Content-Type: text/html
< Content-Length: 0
< X-Cache: MISS from RMSmartCache2
< Via: 1.1 IFLISA2, 1.0 RMSmartCache2:8080 (squid/2.6.STABLE7)
< Proxy-Connection: close

 0     0    0     0    0     0      0      0 --:--:-- --:--:-- 
--:--:--     0
* Closing connection #0
[...repeated many times...]
* Maximum (50) redirects followed
curl: (47) Maximum (50) redirects followed