On 01/02/2011, at 8:39 AM, Amos Jeffries wrote:

> On Mon, 31 Jan 2011 16:20:45 +1030, Michael Hendrie
> <michael@xxxxxxxxxxxxx> wrote:
>> Hello List,
>>
>> I need to use a version with connection pinning and was hoping to use
>> 3.1.10 but I've run into a problem using a cache_peer that requires NTLM
>> authentication. In my tests I'm able to get 3 authenticated requests
>> through the parent (access.log on parent shows they have been
>> authenticated) before the client starts to receive a pop-up to enter
>> credentials. In the test, child and parent are on the same LAN segment so
>> there is nothing in between doing any port translations, etc.
>>
>> The relevant parts of my config:
>>
>> cache_peer 172.16.50.45 parent 8080 0 no-query proxy-only default
>> login=PASS
>> never_direct allow all
>> persistent_connection_after_error on
>>
>> I have also tried adding "connection-auth=on" to both the cache_peer and
>> http_port directives but this hasn't helped the situation.
>>
>> Testing with squid-2.7STABLE9 doesn't show the above issue; connection
>> pinning seems to work perfectly to the parent proxy. I have also tried
>> 3.1.9 and 3.1.8 in case it was something that was unexpectedly introduced
>> in the latest version but they fail also.
>>
>> I should point out that in my tests using 3.1.x talking to an origin
>> server requiring NTLM works perfectly; only talking to a cache_peer fails.
>>
>> Does anyone have any ideas as to why this is failing, or does anyone have
>> a 3.1.x talking to an NTLM parent, and if so could you please share your
>> exact 3.1.x version and relevant config.
>>
>> Thanks
>> Mick
>
> 3.1.10 has one known situation. When the server replies with
> unknown-length or chunked replies squid has no choice but to close the TCP
> link at the end of the object transfer. Breaking NTLM pinning. This is very
> common with dynamic content websites.
>
> Other than that situation it should be working.
> You can get a debug trace of the keep-alive actions with "debug_options
> 33,2 88,5" search for "clientReplyStatus:" and "clientBuildReplyHeader:"

So I tested with these debug options and while there was a lot of data, nothing seemed to jump out of the log at me, so Wireshark time. What I see is that for the failed requests, 3.1.x is not correctly setting the "Connection" or "Proxy-Connection" header on the request carrying the type 1 message (NTLMSSP_NEGOTIATE), which is needed for NTLM connection pinning to function. Examples are as follows:

Client Request -> Child (squid-3.1.10)

GET http://www.google.com.au/images/cb_r.gif HTTP/1.1
Host: www.google.com.au
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.google.com.au/
Proxy-Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=

Child Request (squid-3.1.10) -> Parent (squid-3.0.STABLE19)

GET http://www.google.com.au/images/cb_r.gif HTTP/1.1
Host: www.google.com.au
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Referer: http://www.google.com.au/
Proxy-Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
Via: 1.1 3110-child (squid/3.1.10)
X-Forwarded-For: unknown
Cache-Control: max-age=259200

On the return, 3.1.10 is also not setting Connection/Proxy-Connection: close as it should:

Parent Response (squid-3.0.STABLE19) -> Child (squid-3.1.10)

(I believe this 407 contains only a BASIC offering now because the request didn't have keep-alive set; the first time the request got 407'd it contained both NTLM and BASIC, hence the client tried with NTLM.)

HTTP/1.0 407 Proxy Authentication Required
Server: squid/3.0.STABLE19
Mime-Version: 1.0
Date: Tue, 01 Feb 2011 13:36:30 GMT
Content-Type: text/html
Content-Length: 2517
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Proxy-Authenticate: Basic realm="BASIC"
X-Cache: MISS from parent
Via: 1.0 parent (squid/3.0.STABLE19)
Proxy-Connection: close

Child (squid-3.1.10) Response -> Client

HTTP/1.0 407 Proxy Authentication Required
Server: squid/3.0.STABLE19
Mime-Version: 1.0
Date: Tue, 01 Feb 2011 13:36:30 GMT
Content-Type: text/html
Content-Length: 2517
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Proxy-Authenticate: Basic realm="BASIC"
X-Cache: MISS from parent
X-Cache: MISS from 3110-child
Via: 1.0 parent (squid/3.0.STABLE19), 1.0 3110-child (squid/3.1.10)
Connection: keep-alive

Any idea why this would be occurring?

> Amos