Re: Squid sends TCP_DENIED/407 even on already authenticated users

[Amos Jeffries <squid3@xxxxxxxxxxxxx>]

Julio Cesar Gazquez wrote:
> Hi.
>
> We are starting to deploy digest based authentication on a large network, and 
> we found a weird problem: Sometimes authenticated requests are answered by 
> TCP_DENIED/407 responses.
>
> Below is a sample from the access log:
>
> 1209559977.471    252 192.168.2.223 TCP_MISS/200 801 GET 
> http://www.deautos.com/img/top02.gif lboullo0 FIRST_UP_PARENT/localhost 
> image/gif
> 1209559977.640     67 192.168.2.223 TCP_MISS/200 9208 GET 
> http://www.deautos.com/img/tmp/img_comprar.jpg lboullo0 
> FIRST_UP_PARENT/localhost image/jpeg
> 1209559977.647     50 192.168.2.223 TCP_MISS/200 9565 GET 
> http://www.deautos.com/img/tmp/img_vender.jpg lboullo0 
> FIRST_UP_PARENT/localhost image/jpeg
> 1209559977.656     77 192.168.2.223 TCP_MISS/200 5629 GET 
> http://www.deautos.com/img/tmp/txt_comprar.jpg lboullo0 
> FIRST_UP_PARENT/localhost image/jpeg
> 1209559977.657     63 192.168.2.223 TCP_MISS/200 655 GET 
> http://www.deautos.com/img/img_flechita.gif lboullo0
> FIRST_UP_PARENT/localhost image/gif
> 1209559978.080      2 192.168.2.223 TCP_DENIED/407 2765 GET 
> http://www.deautos.com/img/img_flechita_blink.gif
> lboullo0 NONE/- text/html
> 1209559978.163     87 192.168.2.223 TCP_MISS/200 2772 GET 
> http://www.deautos.com/img/img_vender02.gif lboullo0
>  FIRST_UP_PARENT/localhost image/gif
> 1209559978.219     97 192.168.2.223 TCP_MISS/200 707 GET 
> http://www.deautos.com/img/img_flechita_blink.gif lboullo0 
> FIRST_UP_PARENT/localhost image/gif
>
> As you can see, the user is happily sending authenticated requests, yet at one 
> point it receives a 407 response. 
>
> We are not really sure, but this doesn't seem ok. Worst of all, in certain 
> cases seems to be the cause of IE7 asking authentication again.

Asking the user for authentication would be a natural side-effect of not 
having it and being asked to provide it.

> We tried everything we were able of: Raising the auth children limit, 
> disabling Dansguardian, and googled around with no luck. Below is the auth 
> configuration. 

1) Have you tried the auth TTL settings.

2) are you certain that this is not simply a case of long-ago provided 
credentials timing out in IE?

> =====snip====
> auth_param digest program /usr/lib/squid/digest_ldap_auth 
>   -b ou=People,ou=proxy,ou=Servers,o=MCR -u uid 
>   -A l -D cn=nss,o=MCR -w xxxxxxxxx -e -v 3 -h ldap.pm.rosario.gov.ar
>
> auth_param digest realm Clave Navegacion Internet
> auth_param digest children 10
> =====snip====


--
Please use Squid 2.6.STABLE19 or 3.0.STABLE4