On Tue, 2008-07-01 at 20:25 -0500, Luis Daniel Lucio Quiroz wrote:

> 1214974554.906 0 99.90.40.253 TCP_DENIED/407 3249 GET
> http://www.presidencia.gob.mx/imgs/edomayor_over.gif a2 NONE/- text/html
>
> if we use persistence, it works, but we can stop using of sharing usernames.
> Balancing schema is like this:
>
> user -> balancer f5 -> squid1
>                    \->squid2
>
> Squid is configured with LDAP-digest auth.

Digest auth needs persistent sessions to work best. Without session it will perform quite badly with many repeated 407 exchanges.

The reason for this is that digest authentication is stateful, with the server verifying that the client responds to a challenge sent by that server. This is part of the replay protection against authenticated session theft and by design in the digest authentication scheme. Each time the client gets connected to a new proxy server the server-issued challenge needs to be renewed.

Basic authentication works well with "dumb" TCP load balancing, as it's completely stateless.

NTLM/Negotiate also works with "dumb" TCP load balancing, as it's very stateful but at the TCP connection level, not at the HTTP message level.

Regards
Henrik
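The following simulation is an added example, not part of the original message or of Squid's code. It models the effect described above: two proxies (`squid1`, `squid2`) each accept only the digest nonces they issued themselves, and the number of 407 exchanges is counted with and without balancer persistence. Assumptions: simplified digest without `qop`, constructed credentials and URLs, and each fetch is a new balanced TCP connection whose retry stays on that connection.

```python
import hashlib
import secrets

def md5(text):
    return hashlib.md5(text.encode()).hexdigest()

# Constructed credentials for illustration only.
REALM, USER, PASSWORD = "proxy", "alice", "constructed-password"
HA1 = md5(f"{USER}:{REALM}:{PASSWORD}")

def digest_response(nonce, method, uri):
    # Simplified digest (no qop): MD5(HA1:nonce:MD5(method:uri))
    return md5(f"{HA1}:{nonce}:{md5(f'{method}:{uri}')}")

class Proxy:
    """Accepts a response only for a nonce this proxy issued itself."""
    def __init__(self, name):
        self.name, self.issued = name, set()

    def handle(self, method, uri, auth):
        if auth is not None:
            nonce, response = auth
            if nonce in self.issued and response == digest_response(nonce, method, uri):
                return 200, None
        nonce = secrets.token_hex(8)      # fresh challenge, per-proxy state
        self.issued.add(nonce)
        return 407, nonce

class Client:
    """Reuses the last nonce it was given, as browsers do."""
    def __init__(self):
        self.nonce = None

    def fetch(self, proxy, uri):
        denied = 0
        for _ in range(2):                # request, then one retry on same connection
            auth = (self.nonce, digest_response(self.nonce, "GET", uri)) if self.nonce else None
            status, challenge = proxy.handle("GET", uri, auth)
            if status == 200:
                return denied
            denied, self.nonce = denied + 1, challenge
        raise RuntimeError("authentication failed")

def count_407(pick, requests=10):
    proxies, client = [Proxy("squid1"), Proxy("squid2")], Client()
    return sum(client.fetch(pick(proxies, i), f"http://example.test/{i}") for i in range(requests))

round_robin = lambda proxies, i: proxies[i % len(proxies)]   # no persistence
sticky = lambda proxies, i: proxies[0]                       # balancer persistence

if __name__ == "__main__":
    print("407s without persistence:", count_407(round_robin))
    print("407s with persistence:   ", count_407(sticky))
```

Without persistence every new connection lands on a proxy that never issued the client's cached nonce, so each request costs an extra 407 round trip; with persistence only the first request is challenged.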