On 13/12/2013 8:50 p.m., Juergen Obermeyer wrote:
> Hi Amos!
>
> Thanks for your answer:
>
>>> After the first (successful) authentication, some milliseconds
>>> later the failure (same user!). Apparently, no authentication data
>>> is provided.
>>
>> Yes. Consider this:
>> * two packets leave your gateway router. Which
>> comes from client_1 and which comes from some attacker spoofing
>> client_1 IP ?
>
> Ok, I see the problem. But:
>
>> Check whether you have client persistent connections enabled. When
>> that is working the client traffic will all be sent over connections
>> it already knows need authentication, so you should see far less 407
>> from the proxy.
>
> I found this in the Squid documentation:
>
> "By default, Squid uses persistent connections (when allowed) with its
> clients and servers. You can use these options to disable persistent
> connections with clients and/or servers."
>
> (http://www.squid-cache.org/Versions/v2/2.7/cfgman/client_persistent_connections.html)
>

2.7?

I've seen a fair few config with persistence disabled for various
reasons. Was not sure if you were in that group or not.

> Nevertheless, I added the line
>
> client_persistent_connections on
>
> to my squid.conf and reloaded Squid. Unfortunately, the number of 407
> messages in the log file didn't decrease ...
>
> But can you please tell me the meaning of "when allowed"? Is there
> anything to do at client side to allow persistent connections? Or elsewhere?

The client themselves can request Connection:close, or when
communicating unknown-length objects with HTTP/1.0 message syntax on
either end of the connection can require closing TCP.

If you do have a Squid older than 3.2 it is worth upgrading to avoid
that HTTP/1.0 problem.

Amos
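
The "when allowed" conditions from the reply above, as an added example that is not part of the original message and is not Squid's code: a simplified check, following general HTTP/1.x framing rules, of whether one message lets the TCP connection stay open. The name `may_persist` and the sample messages are constructed for illustration; responses to HEAD requests are not modelled.

```python
def may_persist(head: bytes):
    """Return (persistent, reason) for one HTTP/1.x message head (start line + headers)."""
    lines = head.decode("iso-8859-1").split("\r\n")
    start = lines[0].split()
    is_response = start[0].startswith("HTTP/")
    version = start[0] if is_response else start[-1]
    headers = {}
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        key = name.strip().lower()
        # repeated headers are combined into one comma-separated list
        headers[key] = ", ".join(filter(None, [headers.get(key), value.strip()]))
    conn = {t.strip().lower() for t in headers.get("connection", "").split(",") if t.strip()}
    if "close" in conn:
        return False, "Connection: close requested"
    chunked = "chunked" in headers.get("transfer-encoding", "").lower()
    has_length = "content-length" in headers
    if is_response:
        status = int(start[1])
        bodyless = status < 200 or status in (204, 304)
    else:
        bodyless = not has_length and not chunked   # request with no body
    if version == "HTTP/1.0":
        if "keep-alive" not in conn:
            return False, "HTTP/1.0 without keep-alive"
        if not bodyless and not has_length:
            return False, "HTTP/1.0 body of unknown length ends at TCP close"
        return True, "HTTP/1.0 keep-alive with known length"
    if not bodyless and not has_length and not chunked:
        return False, "body of unknown length ends at TCP close"
    return True, "HTTP/1.1 persistent by default"

# Constructed sample messages (not taken from any real log or capture).
SAMPLES = {
    "407 challenge": b'HTTP/1.1 407 Proxy Authentication Required\r\n'
                     b'Proxy-Authenticate: Basic realm="proxy"\r\nContent-Length: 0\r\n\r\n',
    "client close":  b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n"
                     b"Connection: close\r\n\r\n",
    "1.0 no length": b"HTTP/1.0 200 OK\r\nConnection: keep-alive\r\n\r\n",
    "1.1 chunked":   b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n",
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(label, may_persist(msg))
```

Each connection that has to be closed forces the client onto a new one, which the proxy will challenge again with a 407.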