RE: RE: NTLM and persistent connections reverse proxy 3.1.20 - SOLVED + PATCH

[Amos Jeffries <squid3@xxxxxxxxxxxxx>]

Be wary of HTTP/1.1 features using 1xx status codes which start 
appearing when HTTP/1.1 is sent to clients. 1xx control messages are a 
mandatory feature of HTTP/1.1 which Squid-3.1 does not support. Thus the 
forced HTTP/1.0 sent by official packages.

Amos


On 13.06.2012 01:34, Clem wrote:
> Thank you very much for your "patch" James, I can, at last, use my 
> squid in
> front of my exchange to forward all stuff to IIS rpc proxy in ntlm ! 
> On XP
> and W7 clients
>
> -----Message d'origine-----
> De : Clem
>
> Ok great, thanks !
>
> -----Message d'origine-----
> De : James Harper [mailto:james.harper@xxxxxxxxxxxxxxxx]
> Envoyé : mardi 12 juin 2012 10:34
> À : Clem; squid-users@xxxxxxxxxxxxxxx
> Objet : RE:  RE: NTLM and persistent connections reverse 
> proxy
> 3.1.20 - SOLVED + PATCH
>
> > Hi James,
> >
> > Your patch can interests me, but I'm a little bit confused on how
> > apply it
> ?
> > I've edited the client_side_reply.cc of the src before compile 
> > squid,
> > and I don't actually understand what to modify.
>
> Comment out or delete the whole "if (reply->..." statement
>
> James
>
> > ----------------------------
> > void
> > clientReplyContext::cloneReply()
> > {
> >     assert(reply == NULL);
> >
> >     HttpReply *rep = http->storeEntry()->getReply()->clone();
> >
> >     reply = HTTPMSGLOCK(rep);
> >
> >     if (reply->sline.protocol == PROTO_HTTP) {
> >         /* enforce 1.0 reply version (but only on real HTTP traffic) 
> > */
> >     }
> >
> >     /* do header conversions */
> >     buildReplyHeader();
> > }
> > -------------------------------
> >
> > Sorry for my newbyness ;) !
> > Have a good day, regards,
> >
> > Clem
> >
> > -----Message d'origine-----
> > De : James Harper [mailto:james.harper@xxxxxxxxxxxxxxxx]
> > Envoyé : mardi 12 juin 2012 08:08
> > À : James Harper; squid-users@xxxxxxxxxxxxxxx Objet :  
> > RE:
> > NTLM and persistent connections reverse proxy
> > 3.1.20 - SOLVED + PATCH
> >
> > > >
> > > > I'm having some problems with reverse proxy and NTLM 
> > authentication.
> > > > Specifically, the connection to the client is not persisted 
> > which
> > > > I believe invalidates the NTLM authentication protocol. I've 
> > added
> > > > a source port number to the logs which shows that it is indeed
> > > > creating a new connection for each request. There seems to have
> > > > been a bit of mailing list activity about similar problems but
> > > > nothing exactly the same and none of the suggested solutions 
> > work.
> > >
> > > I've done a bit more testing on this, and it seems that the server
> > > returns
> > > "HTTP/1.1 401 Unauthorized" but squid turns this into "HTTP/1.0 
> > 401
> > > Unauthorized" before passing it onto the client. Does that help?
> > >
> >
> > It seems that this is the cause of the problem... The patch 
> > following
> > this email fixes it... is there any reason why the version should be
> > forced to 1.0?? Is it to work around some other bug?
> >
> > James
> >
> > --- squid3-3.1.20.orig/src/client_side_reply.cc
> > +++ squid3-3.1.20/src/client_side_reply.cc
> > @@ -1469,10 +1469,12 @@ clientReplyContext::cloneReply()
> >
> >      reply = HTTPMSGLOCK(rep);
> >
> > +#if 0
> >      if (reply->sline.protocol == PROTO_HTTP) {
> >          /* enforce 1.0 reply version (but only on real HTTP 
> > traffic) */
> >          reply->sline.version = HttpVersion(1,0);
> >      }
> > +#endif
> >
> >      /* do header conversions */
> >      buildReplyHeader();