Thank you very much for your "patch", James. I can, at last, use my squid in front of my exchange to forward all stuff to IIS rpc proxy in ntlm! On XP and W7 clients.

-----Original Message-----
From: Clem [mailto:clemfree@xxxxxxx]
Sent: Tuesday 12 June 2012 10:40
To: 'James Harper'; squid-users@xxxxxxxxxxxxxxx
Subject: RE: RE: NTLM and persistent connections reverse proxy 3.1.20 - SOLVED + PATCH

Ok great, thanks!

-----Original Message-----
From: James Harper [mailto:james.harper@xxxxxxxxxxxxxxxx]
Sent: Tuesday 12 June 2012 10:34
To: Clem; squid-users@xxxxxxxxxxxxxxx
Subject: RE: RE: NTLM and persistent connections reverse proxy 3.1.20 - SOLVED + PATCH

>
> Hi James,
>
> Your patch interests me, but I'm a little bit confused about how to
> apply it?
> I've edited the client_side_reply.cc of the src before compiling squid,
> and I don't actually understand what to modify.
>

Comment out or delete the whole "if (reply->..." statement

James

> ----------------------------
> void
> clientReplyContext::cloneReply()
> {
>     assert(reply == NULL);
>
>     HttpReply *rep = http->storeEntry()->getReply()->clone();
>
>     reply = HTTPMSGLOCK(rep);
>
>     if (reply->sline.protocol == PROTO_HTTP) {
>         /* enforce 1.0 reply version (but only on real HTTP traffic) */
>     }
>
>     /* do header conversions */
>     buildReplyHeader();
> }
> -------------------------------
>
> Sorry for my newbieness ;)!
> Have a good day, regards,
>
> Clem
>
> -----Original Message-----
> From: James Harper [mailto:james.harper@xxxxxxxxxxxxxxxx]
> Sent: Tuesday 12 June 2012 08:08
> To: James Harper; squid-users@xxxxxxxxxxxxxxx
> Subject: RE: NTLM and persistent connections reverse proxy
> 3.1.20 - SOLVED + PATCH
>
> >
> > > I'm having some problems with reverse proxy and NTLM authentication.
> > > Specifically, the connection to the client is not persisted which
> > > I believe invalidates the NTLM authentication protocol. I've added
> > > a source port number to the logs which shows that it is indeed
> > > creating a new connection for each request. There seems to have
> > > been a bit of mailing list activity about similar problems but
> > > nothing exactly the same and none of the suggested solutions work.
> >
> > I've done a bit more testing on this, and it seems that the server
> > returns
> > "HTTP/1.1 401 Unauthorized" but squid turns this into "HTTP/1.0 401
> > Unauthorized" before passing it onto the client. Does that help?
> >
>
> It seems that this is the cause of the problem... The patch following
> this email fixes it... is there any reason why the version should be
> forced to 1.0?? Is it to work around some other bug?
>
> James
>
> --- squid3-3.1.20.orig/src/client_side_reply.cc > +++ squid3-3.1.20/src/client_side_reply.cc > @@ -1469,10 +1469,12 @@ clientReplyContext::cloneReply() > > reply = HTTPMSGLOCK(rep); > > +#if 0 > if (reply->sline.protocol == PROTO_HTTP) { > /* enforce 1.0 reply version (but only on real HTTP traffic) */ > reply->sline.version = HttpVersion(1,0); > } > +#endif > > /* do header conversions */ > buildReplyHeader();
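
Review bot: The #if 0 / #endif pair in clientReplyContext::cloneReply() disables the 1.0 downgrade for every HTTP reply and leaves no record of why, while the comment inside the dead block still says the enforcement is intentional. If the goal is to stop the 401 challenge from reaching the client as HTTP/1.0, either delete the block outright or put it behind a condition, and add a comment naming the NTLM persistent-connection failure it fixes. The question in the cover message, whether the forced version works around some other bug, should be answered before this is applied unconditionally, because buildReplyHeader() is unchanged and will now run on replies that carry the origin server's version in the status line.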
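
The symptom reported in this thread, an NTLM 401 challenge relayed with an HTTP/1.0 status line, can be looked for in captured response heads. This is an added example, not code from the thread or from Squid: it applies the general HTTP persistence rules (HTTP/1.1 persists unless `Connection: close`, HTTP/1.0 only with `Connection: keep-alive`); the function names are hypothetical and the sample responses are constructed, not Squid's actual output.

```python
"""Flag NTLM challenges that arrive on a connection that will not persist."""

def parse_head(raw: bytes):
    """Split a raw response head into ((major, minor), status, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    proto, status = lines[0].split(" ", 2)[:2]
    if not proto.startswith("HTTP/"):
        raise ValueError("not an HTTP status line: %r" % lines[0])
    major, minor = proto[5:].split(".")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        # Header names are case-insensitive; repeated headers accumulate.
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return (int(major), int(minor)), int(status), headers

def is_persistent(version, headers) -> bool:
    """Default persistence by version, overridden by Connection tokens."""
    tokens = {t.strip().lower()
              for v in headers.get("connection", []) for t in v.split(",")}
    if "close" in tokens:
        return False
    if version >= (1, 1):
        return True              # HTTP/1.1: persistent by default
    return "keep-alive" in tokens  # HTTP/1.0: only when asked for

def ntlm_challenge_at_risk(raw: bytes) -> bool:
    """True for a 401 NTLM challenge on a connection that will be closed.

    NTLM authenticates the connection, so the handshake cannot complete
    if each step of it lands on a new TCP connection.
    """
    version, status, headers = parse_head(raw)
    schemes = [v.split(" ", 1)[0].lower()
               for v in headers.get("www-authenticate", [])]
    return status == 401 and "ntlm" in schemes \
        and not is_persistent(version, headers)

# Constructed samples: origin reply, the same reply downgraded to 1.0,
# and a 1.0 reply that explicitly keeps the connection open.
TAIL = b"WWW-Authenticate: NTLM\r\nContent-Length: 0\r\n"
ORIGIN = b"HTTP/1.1 401 Unauthorized\r\n" + TAIL + b"\r\n"
DOWNGRADED = b"HTTP/1.0 401 Unauthorized\r\n" + TAIL + b"\r\n"
DOWNGRADED_KA = (b"HTTP/1.0 401 Unauthorized\r\n" + TAIL
                 + b"Connection: keep-alive\r\n\r\n")
```
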