Re: Kerberos / Authentication / squid


You may need to increase the following:

src/auth/UserRequest.h:#define MAX_AUTHTOKEN_LEN   32768

Regards
Markus

"Amos Jeffries"  wrote in message news:52971E79.9030002@xxxxxxxxxxxxx...

On 28/11/2013 10:42 p.m., Berthold Zettler wrote:
Hi Madhav,



all relevant systems (AD controllers and the clients (Windows 7)) have a value for "MaxTokenSize" of 65535.

Therefore I don't think that this failure was caused by AD or client settings.

The token size (27332) reported by the MS tokensz.exe tool is far below this value. Our other kerberized systems (Apaches) are working fine with this large token size.

So I think it's a Squid / buffer or Kerberos-helper related issue.


That MAX_AUTHTOKEN_LEN (64KB) is what is used directly to allocate the
Squid buffer and helper buffer and the base-64 encoded version of the
token needs to fit inside it along with the 3-5 helper protocol bytes.

A bigger problem is the Squid network I/O parsing. The buffer holding
HTTP headers also has a default maximum length of 64KB ... for the
entire HTTP header block.
 http://www.squid-cache.org/Doc/config/request_header_max_size/
 http://www.squid-cache.org/Doc/config/reply_header_max_size/

If you need to you can bump those up to around 256KB before you start to
hit other limits in the primary I/O buffer itself.


PS. you should also look to the library Squid is using. It may have
limits or problems of its own separate from the Apache systems library.

PPS. The IETF HTTPbis WG did an analysis of many pieces of software a while back
and concluded that the maximum generally acceptable HTTP header length
was 4KB. Squid with its 64KB limit is one of the more accepting out
there. So be careful of *any* other software involved with that traffic.

Amos
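
The sizing argument in this thread, worked through as an added example (not part of the original messages and not Squid's own code). It checks the 27332-byte token reported by tokensz.exe against both buffer sizes that appear above (the 32768 in the quoted #define and 64KB) and against the 64KB header limit. Assumptions: padded base64, the worst case of 5 helper protocol bytes, and a `Proxy-Authorization: Negotiate` header line; all function names are hypothetical.

```cpp
#include <cstddef>
#include <cstdio>

// Padded base64 length for n raw bytes: 4 * ceil(n / 3).
constexpr std::size_t base64Len(std::size_t rawBytes) {
    return 4 * ((rawBytes + 2) / 3);
}

// Assumption: worst case of the "3-5 helper protocol bytes" from the thread.
constexpr std::size_t kHelperOverhead = 5;

// Does the encoded token plus helper bytes fit a buffer of maxAuthTokenLen?
constexpr bool fitsAuthBuffer(std::size_t rawBytes, std::size_t maxAuthTokenLen) {
    return base64Len(rawBytes) + kHelperOverhead <= maxAuthTokenLen;
}

// Largest raw Kerberos token that still fits that buffer.
constexpr std::size_t maxRawToken(std::size_t maxAuthTokenLen) {
    return maxAuthTokenLen < kHelperOverhead
               ? 0
               : ((maxAuthTokenLen - kHelperOverhead) / 4) * 3;
}

// Length of "Proxy-Authorization: Negotiate <base64>\r\n" (assumed header line).
constexpr std::size_t authHeaderLen(std::size_t rawBytes) {
    return sizeof("Proxy-Authorization: Negotiate ") - 1 + base64Len(rawBytes) + 2;
}

// Bytes left for every other request header under request_header_max_size.
constexpr long headerHeadroom(std::size_t rawBytes, std::size_t headerMax) {
    return static_cast<long>(headerMax) - static_cast<long>(authHeaderLen(rawBytes));
}

int main() {
    const std::size_t raw = 27332;  // token size quoted in the thread
    const std::size_t limits[] = {32768, 65536};
    std::printf("raw=%zu base64=%zu\n", raw, base64Len(raw));
    for (std::size_t limit : limits) {
        std::printf("MAX_AUTHTOKEN_LEN=%zu fits=%s max_raw=%zu\n", limit,
                    fitsAuthBuffer(raw, limit) ? "yes" : "no", maxRawToken(limit));
    }
    std::printf("headroom under 64KB header limit: %ld bytes\n",
                headerHeadroom(raw, 65536));
    return 0;
}
```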





