Hi,

With squid 3.2.7, I have the following curiosity:

SCENARIO 1

<<squid.conf>>
acl AUTHENTICATED proxy_auth REQUIRED
external_acl_type SQUID_KERB_LDAP ttl=7200 children-max=20 children-startup=5 children-idle=1 negative_ttl=7200 %LOGIN /usr/local/squid/libexec/ext_kerberos_ldap_group_acl -g "XXX"
acl INTERNET_ACCESS external SQUID_KERB_LDAP
...
...
http_access deny !INTERNET_ACCESS
http_access deny !AUTHENTICATED
http_access allow INTERNET_ACCESS AUTHENTICATED
http_access deny all

With the config above, I have the following lines in the access.log:

[Thu Feb 21 06:56:45 2013].167 38 XXX TCP_REFRESH_UNMODIFIED/304 332 GET http://imagesrv.adition.com/banners/750/683036/dummy.gif USER FIRSTUP_PARENT/XXX image/gif
[Thu Feb 21 06:57:04 2013].621 38 XXX TCP_REFRESH_UNMODIFIED/304 261 GET http://imagesrv.adition.com/banners/750/683036/dummy.gif USER FIRSTUP_PARENT/XXX image/gif

----------------------------------------------------

SCENARIO 2

<<squid.conf (without proxy_auth REQUIRED)>>
external_acl_type SQUID_KERB_LDAP ttl=7200 children-max=20 children-startup=5 children-idle=1 negative_ttl=7200 %LOGIN /usr/local/squid/libexec/ext_kerberos_ldap_group_acl -g "XXX"
acl INTERNET_ACCESS external SQUID_KERB_LDAP
...
...
http_access deny !INTERNET_ACCESS
http_access allow INTERNET_ACCESS
http_access deny all

Now, the same request looks like this:

[Thu Feb 21 06:55:59 2013].086 0 XXX TCP_DENIED/407 4153 GET http://imagesrv.adition.com/banners/750/683036/dummy.gif - HIER_NONE/- text/html
[Thu Feb 21 06:55:59 2013].135 44 XXX TCP_REFRESH_UNMODIFIED/304 332 GET http://imagesrv.adition.com/banners/750/683036/dummy.gif USER FIRSTUP_PARENT/XXX image/gif

A tcpdump shows that the "authorization" header is not sent in the first request. In scenario 2, the authorization header is sent after the TCP_DENIED/407 response from squid (normal behavior). In scenario 1, squid responds directly with 304.

What is the influence of "AUTHENTICATED" in the first example, not to re-authenticate the request? Why does squid need to re-authenticate (TCP_DENIED/407) without the "AUTHENTICATED" tag in the "http_access" line (Scenario 2)?

Is it possible that with the "AUTHENTICATED" tag squid uses the authentication cache? And without the "AUTHENTICATED" tag, squid will not use the authentication cache or flushes the cache entry for every request?

I have other squids running (3.1.20), which are configured like scenario 2, but behave like scenario 1. Why does squid 3.1.20 act differently from 3.2.7?

With "debug_options 29,9" (see below) in squid 3.2.7, I see that in the "wrong case" (without the AUTHENTICATED tag on the http_access line), squid is "freeing request 0x1646830". When I request the same file again, squid responds first with a "TCP_DENIED/407". Does the "freeing" mean that squid "flushes" its authentication cache and therefore needs to re-authenticate this request every time?

2013/02/21 08:43:58.583 kid1| UserRequest.cc(506) addReplyAuthHeader: headertype:76 authuser:0x1646830*3
2013/02/21 08:43:58.583 kid1| UserRequest.cc(126) releaseAuthServer: No Negotiate auth server to release.
2013/02/21 08:43:58.583 kid1| UserRequest.cc(125) ~UserRequest: freeing request 0x1646830

I can also see that in the wrong case (re-authenticate), squid flushes its cache and makes a new entry with a new TTL for the same request:

$ squidclient mgr:username_cache
HTTP/1.1 200 OK
Server: squid
Mime-Version: 1.0
Date: Thu, 21 Feb 2013 08:36:14 GMT
Content-Type: text/plain
Expires: Thu, 21 Feb 2013 08:36:14 GMT
Last-Modified: Thu, 21 Feb 2013 08:36:14 GMT
X-Cache: MISS from XXX
Via: 1.1 XXX (squid)
Connection: close

Cached Usernames: 1 of 7921
Next Garbage Collection in 35 seconds.

Type            State     Check TTL Cache TTL Username
--------------- --------- --------- --------- ------------------------------
AUTH_NEGOTIATE  Ok        -1        3600      USER

In the "good case", squid does not throw away the cache entry and the TTL is decrementing (even after I make new requests) -> expected behavior.

So, why does squid flush the authentication cache for every request when I use "http_access allow INTERNET_ACCESS" (without the tag AUTHENTICATED)? And why does squid 3.1.20 behave differently? Probably a bug?

Any explanations/hints for this behavior?

Many many thanks.
Tom
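
To compare the two configurations (or the 3.1.20 and 3.2.7 proxies) over a whole access.log instead of single requests, the following added example, which is not part of the original post, counts how many authenticated requests were preceded by a TCP_DENIED/407 for the same client and URL. The regular expression assumes the log layout quoted in the post; the function names and the 2-second pairing window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Layout of the access.log lines quoted in the post (a site-specific logformat):
# [date].msec elapsed client result/status bytes method url user hierarchy mime
LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\.(?P<ms>\d{3})\s+\d+\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+\d+\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+\S+\s+\S+$"
)

def parse(line):
    m = LINE.match(line.strip())
    if not m:
        return None  # not in the expected layout, skipped by the caller
    when = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    when += timedelta(milliseconds=int(m["ms"]))
    return when, m["client"], m["method"], m["url"], m["status"], m["user"]

def challenge_stats(lines, window=timedelta(seconds=2)):
    """Count authenticated requests and how many followed a 407 for the same request."""
    pending = {}  # (client, method, url) -> time of the last unanswered 407
    authenticated = challenged = 0
    for when, client, method, url, status, user in filter(None, map(parse, lines)):
        key = (client, method, url)
        if status == "407" and user == "-":
            pending[key] = when  # challenge sent, no credentials seen yet
        elif user != "-":
            authenticated += 1
            denied_at = pending.pop(key, None)
            # window is an assumed bound on how fast the client retries
            if denied_at is not None and when - denied_at <= window:
                challenged += 1
    return {"authenticated": authenticated, "challenged": challenged}

# Log lines copied from the post (client and peer already redacted as XXX).
SCENARIO_1 = [
    "[Thu Feb 21 06:56:45 2013].167 38 XXX TCP_REFRESH_UNMODIFIED/304 332 GET http://imagesrv.adition.com/banners/750/683036/dummy.gif USER FIRSTUP_PARENT/XXX image/gif",
    "[Thu Feb 21 06:57:04 2013].621 38 XXX TCP_REFRESH_UNMODIFIED/304 261 GET http://imagesrv.adition.com/banners/750/683036/dummy.gif USER FIRSTUP_PARENT/XXX image/gif",
]
SCENARIO_2 = [
    "[Thu Feb 21 06:55:59 2013].086 0 XXX TCP_DENIED/407 4153 GET http://imagesrv.adition.com/banners/750/683036/dummy.gif - HIER_NONE/- text/html",
    "[Thu Feb 21 06:55:59 2013].135 44 XXX TCP_REFRESH_UNMODIFIED/304 332 GET http://imagesrv.adition.com/banners/750/683036/dummy.gif USER FIRSTUP_PARENT/XXX image/gif",
]

if __name__ == "__main__":
    print("scenario 1:", challenge_stats(SCENARIO_1))
    print("scenario 2:", challenge_stats(SCENARIO_2))
```

A "challenged" count close to the "authenticated" count means nearly every request is paying an extra 407 round trip, as in scenario 2.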