
Squid sends TCP_DENIED/407 even on already authenticated users


Hi.

We are starting to deploy digest-based authentication on a large network, and 
we found a weird problem: sometimes authenticated requests are answered by 
TCP_DENIED/407 responses.

Below is a sample from the access log:

1209559977.471    252 192.168.2.223 TCP_MISS/200 801 GET http://www.deautos.com/img/top02.gif lboullo0 FIRST_UP_PARENT/localhost image/gif
1209559977.640     67 192.168.2.223 TCP_MISS/200 9208 GET http://www.deautos.com/img/tmp/img_comprar.jpg lboullo0 FIRST_UP_PARENT/localhost image/jpeg
1209559977.647     50 192.168.2.223 TCP_MISS/200 9565 GET http://www.deautos.com/img/tmp/img_vender.jpg lboullo0 FIRST_UP_PARENT/localhost image/jpeg
1209559977.656     77 192.168.2.223 TCP_MISS/200 5629 GET http://www.deautos.com/img/tmp/txt_comprar.jpg lboullo0 FIRST_UP_PARENT/localhost image/jpeg
1209559977.657     63 192.168.2.223 TCP_MISS/200 655 GET http://www.deautos.com/img/img_flechita.gif lboullo0 FIRST_UP_PARENT/localhost image/gif
1209559978.080      2 192.168.2.223 TCP_DENIED/407 2765 GET http://www.deautos.com/img/img_flechita_blink.gif lboullo0 NONE/- text/html
1209559978.163     87 192.168.2.223 TCP_MISS/200 2772 GET http://www.deautos.com/img/img_vender02.gif lboullo0 FIRST_UP_PARENT/localhost image/gif
1209559978.219     97 192.168.2.223 TCP_MISS/200 707 GET http://www.deautos.com/img/img_flechita_blink.gif lboullo0 FIRST_UP_PARENT/localhost image/gif

As you can see, the user is happily sending authenticated requests, yet at one 
point it receives a 407 response. 

We are not really sure, but this doesn't seem OK. Worst of all, in certain 
cases it seems to be the cause of IE7 asking for authentication again.

We tried everything we were able to: raising the auth children limit, 
disabling Dansguardian, and googling around, with no luck. Below is the auth 
configuration.

=====snip====
auth_param digest program /usr/lib/squid/digest_ldap_auth -b ou=People,ou=proxy,ou=Servers,o=MCR -u uid -A l -D cn=nss,o=MCR -w xxxxxxxxx -e -v 3 -h ldap.pm.rosario.gov.ar

auth_param digest realm Clave Navegacion Internet
auth_param digest children 10
=====snip====

-- 
Julio César Gázquez
Area Seguridad Informática -- Int. 736
Municipalidad de Rosario
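
Added example (not part of the original post): a Python script that scans Squid's native access.log format for the pattern shown in the sample above, a 407 answer to a request that already carries a user name, and reports whether the same client, user and URL got a non-407 answer shortly afterwards. The function names, the 5-second window and the unwrapped sample lines are assumptions of this example.

```python
import re
from collections import namedtuple

# Native access.log fields: time elapsed client code/status bytes method URL user hier/peer type
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<code>\w+)/(?P<status>\d{3})\s+"
    r"(?P<size>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<mime>\S+)$"
)
Rechallenge = namedtuple("Rechallenge", "ts client user url retried_after")

def parse(lines):
    """Yield one dict per well-formed access.log line; skip anything else."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            d = m.groupdict()
            d["ts"] = float(d["ts"])
            yield d

def find_rechallenges(lines, window=5.0):
    """Return 407s sent in answer to requests that already carried a user name.

    retried_after is the delay in seconds until the same client, user and URL
    got a non-407 answer within `window`, or None if no such retry was logged.
    """
    entries = sorted(parse(lines), key=lambda e: e["ts"])
    found = []
    for i, e in enumerate(entries):
        if e["status"] != "407" or e["user"] == "-":
            continue  # a first-contact challenge is logged without a user name
        key = (e["client"], e["user"], e["url"])
        retried = None
        for later in entries[i + 1:]:
            if later["ts"] - e["ts"] > window:
                break
            if (later["client"], later["user"], later["url"]) == key and later["status"] != "407":
                retried = round(later["ts"] - e["ts"], 3)
                break
        found.append(Rechallenge(e["ts"], e["client"], e["user"], e["url"], retried))
    return found

# Sample input: three entries from the log in the post, unwrapped to one line each.
SAMPLE = [
    "1209559977.657     63 192.168.2.223 TCP_MISS/200 655 GET http://www.deautos.com/img/img_flechita.gif lboullo0 FIRST_UP_PARENT/localhost image/gif",
    "1209559978.080      2 192.168.2.223 TCP_DENIED/407 2765 GET http://www.deautos.com/img/img_flechita_blink.gif lboullo0 NONE/- text/html",
    "1209559978.219     97 192.168.2.223 TCP_MISS/200 707 GET http://www.deautos.com/img/img_flechita_blink.gif lboullo0 FIRST_UP_PARENT/localhost image/gif",
]

if __name__ == "__main__":
    print(find_rechallenges(SAMPLE))
```

Entries with retried_after set were retried successfully by the browser; entries where it is None are the ones worth correlating with user reports of a new password prompt.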