On 12/06/2012 6:08 p.m., James Harper wrote:
I'm having some problems with reverse proxy and NTLM authentication.
Specifically, the connection to the client is not persisted which I
believe invalidates the NTLM authentication protocol. I've added a
source port number to the logs which shows that it is indeed creating
a new connection for each request. There seems to have been a bit of
mailing list activity about similar problems but nothing exactly the
same and none of the suggested solutions work.
I've done a bit more testing on this, and it seems that the server returns
"HTTP/1.1 401 Unauthorized" but squid turns this into "HTTP/1.0 401
Unauthorized" before passing it onto the client. Does that help?
It seems that this is the cause of the problem... The patch following this email fixes it... is there any reason why the version should be forced to 1.0?? Is it to work around some other bug?
Because Squid 3.1 is not HTTP/1.1 compliant on the client-facing
channels. Offering it will trick the clients into believeing they can
use features which will break their connectivity.
The problem is somewhere in the code which determines
"Connection:keep-alive" and "Connection:close". Squid should be adding
"Connection:keep-alive" unless something causes "Connection:close" to be
necessary.
James
--- squid3-3.1.20.orig/src/client_side_reply.cc
+++ squid3-3.1.20/src/client_side_reply.cc
@@ -1469,10 +1469,12 @@ clientReplyContext::cloneReply()
reply = HTTPMSGLOCK(rep);
+#if 0
if (reply->sline.protocol == PROTO_HTTP) {
/* enforce 1.0 reply version (but only on real HTTP traffic) */
reply->sline.version = HttpVersion(1,0);
}
+#endif
/* do header conversions */
buildReplyHeader();
