Hello,
I'm having an issue with squid_kerb_auth. It seems not all proxy
requests are getting serviced. When falling back on NTLM the requests
come though fine.
My guess is subsequent GET requests made over Proxy_KeepAlive sessions
are not getting serviced. I confirmed this on a trace using Wireshark
where the client requests a page but Squid doesn't come back with an
answer. Is this a known issue?
I'm currently running squid3-3.1.6 and have seen this behavior both
with the include squid_kerb_auth and a seperately compiled binary.
squid.conf follows:
http_port 8080
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
acl apache rep_header Server ^Apache
logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st
"%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log /var/log/squid/access.log combined
auth_param negotiate program /usr/libexec/squid/squid_kerb_auth -d -s
HTTP/dc32-wgw01.nix.DOM.LOCAL@xxxxxxxxxxxxxx
auth_param negotiate children 30
auth_param negotiate keep_alive on
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm use_ntlm_negotiate on
external_acl_type AD_US_TEMPS ttl=3600 negative_ttl=3600 %LOGIN
/usr/bin/squid_kerb_ldap -d -g temps@xxxxxxxxxxxx
external_acl_type AD_US_ITDEPT ttl=3600 negative_ttl=3600 %LOGIN
/usr/bin/squid_kerb_ldap -d -g ITDept@xxxxxxxxxxxx
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl firefox_browser browser Firefox
acl UnrestrictedUsers external AD_US_ITDEPT
acl TempUsers external AD_US_TEMPS
acl AuthorizedUsers proxy_auth REQUIRED
acl hq-dmz src 10.50.192.0/24
acl hq-servers src 10.50.64.0/23 10.50.4.0/24
acl hq-services src 10.50.8.0/24 10.50.2.0/24
acl hq-dev src 10.50.66.0/24
acl ie_urls dstdomain "/etc/squid/ie_urls.allow"
acl service_urls dstdomain "/etc/squid/service_urls.allow"
acl dev_urls dstdomain "/etc/squid/dev_urls.allow"
acl hq-servers_urls dstdomain "/etc/squid/servers_urls.allow"
acl temp_urls dstdomain "/etc/squid/temp_urls.allow"
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow hq-servers hq-servers_urls
http_access deny hq-servers
http_access allow hq-services service_urls
http_access deny hq-services
http_access allow hq-dev dev_urls
http_access deny hq-dev
http_access allow TempUsers temp_urls
http_access deny TempUsers all
http_access allow UnrestrictedUsers
http_access deny UnrestrictedUsers all
http_access deny !AuthorizedUsers
http_access allow all
http_access deny all
http_reply_access allow all
icp_access allow all
cache_mgr support@xxxxxxxxx
coredump_dir /var/spool/squid
Thanks,
M. de Jong
