On Tue, 01 Dec 2009 12:12:52 +1300, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> On Mon, 30 Nov 2009 13:38:17 +0100, <vincent.blondel@xxxxxx> wrote:
>>> Hello,
>>>
>>> Can somebody tell me if WWW-Authenticate header is really functional on
>>> Squid 2.7.4 because I spent the whole day trying to help one business
>>> user with his application and always receive 401 error code.
>
> Yes the WWW-Authenticate header is functional. Squid by default simply
> passes it from the receiving connection to the sending connection without
> change.
>
> The method of authentication using it may not be able to cope with
> stateless HTTP behaviour.
>
>>>
>>> my proxy should reach the origin IIS server directly next to the
>>> always_direct/never_direct definitions and this is what I see in the
>>> logs. this does not work so I also made a special cache_peer definition
>>> and tried with or without connection-auth=on, connection-auth=off .. I
>>> also tried with login=PASS but nothing works ...
>>>
>>> so my question is .. Is that a normal behaviour ? Do I do something
>>> wrong ? Do I have to do something else ?
>
> Is the IIS server trying to do NTLM login across the web? This can be a
> major headache.
>
> NTLM and NTLM-like authentication assume end-to-end stateful connectivity.
> This works okay when only stateful NAT or a hacked-up proxy is being used.
> But fails if even one hop across the network is stateless.
>
> For NTLM and Negotiate you need both cache_peer options
> "connection-auth=on login=PASS"

Nearly forgot: If regular proxy authentication is also being used the
"originserver" setting cannot be used with NTLM cache_peer pass-thru.

>
> Along with:
>   client_persistent_connections on
>   server_persistent_connections on
>
> NP: if you added "no-connection-auth" to http_port it needs to be absent.
>
> You may also want to raise the connection timeout
> "persistent_request_timeout" but do so carefully, since each pconn held in
> a locked state by NTLM is N less client connections usable in parallel.
>
> Amos
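
Added example, not part of the original message or of Squid itself: a small Python check that reads a squid.conf and reports where it departs from the settings listed in the reply above. The sample configuration, the host name `iis.example.internal` and the function name `check_ntlm_passthru` are constructed for illustration, and the check assumes an unset persistent-connection directive keeps Squid's default of on.

```python
# Added example: lint a squid.conf against the NTLM pass-through advice above.
SAMPLE_CONF = """\
# constructed sample, not from the original thread
http_port 3128 no-connection-auth
cache_peer iis.example.internal parent 80 0 no-query originserver login=PASS
client_persistent_connections on
server_persistent_connections off
"""

PCONN_DIRECTIVES = ("client_persistent_connections", "server_persistent_connections")


def check_ntlm_passthru(conf_text, proxy_auth_in_use=False):
    """Return a list of findings; an empty list means the advice is followed."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue  # blank line or comment
        directive, args = tokens[0], tokens[1:]
        if directive == "http_port" and "no-connection-auth" in args:
            findings.append(f"line {lineno}: http_port has no-connection-auth; remove it")
        elif directive in PCONN_DIRECTIVES and args[:1] != ["on"]:
            # Assumption: a directive that is absent is left at Squid's default (on).
            findings.append(f"line {lineno}: {directive} must be on")
        elif directive == "cache_peer":
            # Syntax: cache_peer <host> <type> <http-port> <icp-port> [options]
            peer, opts = (args[0] if args else "?"), args[4:]
            for needed in ("connection-auth=on", "login=PASS"):
                if needed not in opts:
                    findings.append(f"line {lineno}: cache_peer {peer} lacks {needed}")
            if proxy_auth_in_use and "originserver" in opts:
                findings.append(f"line {lineno}: cache_peer {peer} uses originserver "
                                "together with proxy authentication")
    return findings


if __name__ == "__main__":
    for finding in check_ntlm_passthru(SAMPLE_CONF, proxy_auth_in_use=True):
        print(finding)
```

Set `proxy_auth_in_use=True` only when the proxy itself also authenticates clients, since that is the case in which the reply rules out `originserver`.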