On 25/05/2012 7:50 a.m., Ruiyuan Jiang wrote:
> Hi Clem,
>
> I am reading your post
> http://www.squid-cache.org/mail-archive/squid-users/201203/0454.html
>
> In the post, someone stated that NTLM auth does not support:
>
>   It's facing the double hop issue, ntlm credentials can be sent only
>   on one hop, and is lost with 2 hops like :
>   client -> squid (hop1) IIS6 rpx proxy (hop2) -> exchange 2007
>
> That is not true. Here we have the setup:
>
>   Client -> Apache (hop1) -> IIS 7 -> exchange 2007
>
> The setup works; I just could not have the latest Apache. Otherwise
> I will continue to use Apache reverse proxy. The latest Apache does not
> support MS RPC over http, which is posted on the internet:
> https://issues.apache.org/bugzilla/show_bug.cgi?id=40029
>
> I am not sure why squid does not support NTLM auth to the backend
> exchange server.

Squid does support relaying any type of www-auth headers to the backend over multiple hops. What Squid does not support is logging *itself* into a peer proxy with NTLM (using proxy-auth headers).
There are also various minor but annoying bugs in NTLM pinning support and persistent connection handling in some Squid releases. With those, basically the newer the Squid release the better, but it's still not 100% clean.
I am noting a LOT of complaints in the areas of Squid->IIS and SharePoint, and a few other MS products this year. But nobody has yet been able to supply a patch for anything (I don't have MS products or time to work on this stuff myself). There is a hint that it is related to Squid-3.1 persistent connection keep-alive to the server, if that helps anyone.
Amos