Hi Henrik,

Thanks once again for all your help so far. Unfortunately, we can't
get this working in Squid 2.6.STABLE7. We have the following line in
squid.conf:

cache_peer 192.168.4.166 parent 8080 7 no-query login=PASS connection-auth=on

(I appreciate the connection-auth bit should be unnecessary, but we
added it to remove one possible source of problems).

My squid.conf does not contain anything about persistent
connections. However, I note that Squid appends a "Proxy-Connection:
close" to the NTLM challenge returned by the ISA server. This seems
to cause the user agent (curl, in our tests, but IE also doesn't
work) to close the connection and then start the entire process again.

I've attached debugging output from curl for both a direct connection
to the ISA server and a connection through Squid to the bottom of
this message. Packet sniffing shows that the communication between
squid and the ISA server exactly mirrors the communication between
the user agent and squid.

In general, our experience with Squid is that it tends to close the
connection with the browser surprisingly frequently, particularly
immediately after the very first request from any browser.

Any ideas?

Thanks a lot for any (further) help.

Steffan

Henrik Nordstrom wrote:
> Tue 2007-01-16 at 22:29 +0000, Steffan Corley wrote:
>> I've had a look at the cache_peer directive in the Squid 3.0 manual
>> (not at work, so can't try it). It looks to me like we would
>> probably need "login=PASS" - except that the 3.0 manual
>> specifically says that this only works with basic authentication.
>
> Well.. 2.6 is not 3.0 and some things differ.
> 3.0.PRE3 (what the Visolve "3.0" manual documents) does not have support
> for NTLM passthrough. 2.6 does.
>
> Regards
> Henrik

--------------------------------------------------------------------------------------------------------------------------------
Direct connection to our test ISA server:
curl -v --proxy-ntlm --proxy-user fbloggs:Fishing1 --proxy 192.168.4.166:8080 http://iflsupdc01/test.htm
* About to connect() to 192.168.4.166 port 8080
* Trying 192.168.4.166... * connected
* Connected to 192.168.4.166 (192.168.4.166) port 8080
* Proxy auth using NTLM with user 'fbloggs'
> GET http://iflsupdc01/test.htm HTTP/1.1
Proxy-Authorization: NTLM TlRMTVNTUAABAAAAAgIAAAAAAAAgAAAAAAAAACAAAAA=
User-Agent: curl/7.12.1 (i386-redhat-linux-gnu) libcurl/7.12.1
OpenSSL/0.9.7a zlib/1.2.1.2 libidn/0.5.6
Host: iflsupdc01
Pragma: no-cache
Accept: */*
< HTTP/1.1 407 Proxy Authentication Required ( Access is denied. )
< Via: 1.1 IFLISA2
< Proxy-Authenticate: NTLM
TlRMTVNTUAACAAAAAAAAADgAAAACAgAC4mf23g5o7MUAAAAAAAAAAAAAAAA4AAAABQLODgAAAA8=
< Connection: Keep-Alive
< Proxy-Connection: Keep-Alive
< Pragma: no-cache
< Cache-Control: no-cache
< Content-Type: text/html
< Content-Length: 0
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Connection #0 to host 192.168.4.166 left intact
* Issue another request to this URL: 'http://iflsupdc01/test.htm'
* Re-using existing connection! (#0) with host 192.168.4.166
* Connected to 192.168.4.166 (192.168.4.166) port 8080
* Proxy auth using NTLM with user 'fbloggs'
> GET http://iflsupdc01/test.htm HTTP/1.1
Proxy-Authorization: NTLM
TlRMTVNTUAADAAAAGAAYAEcAAAAYABgAXwAAAAAAAABAAAAABwAHAEAAAAAAAAAARwAAAAAAAAB3AAAAAYIAAGZibG9nZ3M47tx4c1fHgyiRKo8S7Rg5kFShqEyYIYH48/2MC/7cIZqMlCN8DxVWHPTuPISDjoo=
User-Agent: curl/7.12.1 (i386-redhat-linux-gnu) libcurl/7.12.1
OpenSSL/0.9.7a zlib/1.2.1.2 libidn/0.5.6
Host: iflsupdc01
Pragma: no-cache
Accept: */*
< HTTP/1.1 200 OK
< Via: 1.1 IFLISA2
< Connection: Keep-Alive
< Proxy-Connection: Keep-Alive
< Content-Length: 1502
< Date: Wed, 17 Jan 2007 23:01:33 GMT
< Content-Type: text/html
< ETag: "d0f625b16d3ac71:1bb"
< Server: Microsoft-IIS/6.0
< Last-Modified: Wed, 17 Jan 2007 19:28:40 GMT
< Accept-Ranges: bytes
100  1502  100  1502    0     0  96940      0 --:--:-- --:--:-- --:--:--   97k
* Connection #0 to host 192.168.4.166 left intact
* Closing connection #0
--------------------------------------------------------------------------------------------------------------------------------
Connection through Squid to our test ISA server:
curl -v --proxy-ntlm --proxy-user fbloggs:Fishing1 --proxy 127.0.0.1:8080 http://iflsupdc01/test.htm
* About to connect() to localhost port 8080
* Trying 127.0.0.1... * connected
* Connected to localhost (127.0.0.1) port 8080
* Proxy auth using NTLM with user 'fbloggs'
> GET http://iflsupdc01/test.htm HTTP/1.1
Proxy-Authorization: NTLM TlRMTVNTUAABAAAAAgIAAAAAAAAgAAAAAAAAACAAAAA=
User-Agent: curl/7.12.1 (i386-redhat-linux-gnu) libcurl/7.12.1
OpenSSL/0.9.7a zlib/1.2.1.2 libidn/0.5.6
Host: iflsupdc01
Pragma: no-cache
Accept: */*
< HTTP/1.0 407 Proxy Authentication Required
< Proxy-Authenticate: NTLM
TlRMTVNTUAACAAAAAAAAADgAAAACAgAC6ZSzPs2eyiYAAAAAAAAAAAAAAAA4AAAABQLODgAAAA8=
< Pragma: no-cache
< Cache-Control: no-cache
< Content-Type: text/html
< Content-Length: 0
< X-Cache: MISS from RMSmartCache2
< Via: 1.1 IFLISA2, 1.0 RMSmartCache2:8080 (squid/2.6.STABLE7)
< Proxy-Connection: close
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection #0
* Issue another request to this URL: 'http://iflsupdc01/test.htm'
* About to connect() to localhost port 8080
* Trying 127.0.0.1... * connected
* Connected to localhost (127.0.0.1) port 8080
* Proxy auth using NTLM with user 'fbloggs'
> GET http://iflsupdc01/test.htm HTTP/1.1
Proxy-Authorization: NTLM TlRMTVNTUAABAAAAAgIAAAAAAAAgAAAAAAAAACAAAAA=
User-Agent: curl/7.12.1 (i386-redhat-linux-gnu) libcurl/7.12.1
OpenSSL/0.9.7a zlib/1.2.1.2 libidn/0.5.6
Host: iflsupdc01
Pragma: no-cache
Accept: */*
< HTTP/1.0 407 Proxy Authentication Required
< Proxy-Authenticate: NTLM
TlRMTVNTUAACAAAAAAAAADgAAAACAgACcxmgGcGKnHMAAAAAAAAAAAAAAAA4AAAABQLODgAAAA8=
< Pragma: no-cache
< Cache-Control: no-cache
< Content-Type: text/html
< Content-Length: 0
< X-Cache: MISS from RMSmartCache2
< Via: 1.1 IFLISA2, 1.0 RMSmartCache2:8080 (squid/2.6.STABLE7)
< Proxy-Connection: close
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection #0
[...repeated many times...]
* Maximum (50) redirects followed
curl: (47) Maximum (50) redirects followed
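
Added example, not part of the original message and not Squid or curl code: NTLM authenticates the connection, so the type 3 reply must travel on the same connection as the type 2 challenge. This Python sketch scans the `<` lines of a `curl -v` trace and reports every 407 that carries a type 2 challenge but will not keep the connection open. The function names and the sample trace are constructed for illustration, and each header is assumed to sit on one line.

```python
import base64
import struct

def ntlm_type(token):
    """Return the NTLM message type (1, 2 or 3) of a base64 token, else None."""
    try:
        raw = base64.b64decode(token)
    except ValueError:
        return None
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        return None
    return struct.unpack_from("<I", raw, 8)[0]

def responses(trace):
    """Yield (status_line, headers) for each '< ' response in a curl -v trace."""
    status, headers = None, {}
    for text in (l[2:].strip() for l in trace.splitlines() if l.startswith("< ")):
        if text.startswith("HTTP/"):
            if status:
                yield status, headers
            status, headers = text, {}
        elif ":" in text:
            name, value = text.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    if status:
        yield status, headers

def broken_challenges(trace):
    """Status lines of NTLM challenges sent on a connection that will not persist."""
    broken = []
    for status, headers in responses(trace):
        scheme, _, token = headers.get("proxy-authenticate", "").partition(" ")
        conn = headers.get("proxy-connection", headers.get("connection", "")).lower()
        # HTTP/1.1 persists unless told to close; HTTP/1.0 needs keep-alive.
        persistent = "keep-alive" in conn or (
            status.startswith("HTTP/1.1") and "close" not in conn)
        if scheme.upper() == "NTLM" and ntlm_type(token.strip()) == 2 and not persistent:
            broken.append(status)
    return broken

# Constructed sample: a bare type 2 token (signature + type only) in both replies.
T2 = "TlRMTVNTUAACAAAA"
SAMPLE = f"""< HTTP/1.1 407 Proxy Authentication Required
< Proxy-Authenticate: NTLM {T2}
< Proxy-Connection: Keep-Alive
< HTTP/1.0 407 Proxy Authentication Required
< Proxy-Authenticate: NTLM {T2}
< Proxy-Connection: close"""
```

`broken_challenges(SAMPLE)` returns only the HTTP/1.0 reply. Traces pasted from mail need wrapped `Proxy-Authenticate` lines rejoined before scanning.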