On 5/12/2015 5:39 a.m., Fabio Bucci wrote:
> Thanks Amos.
> Actually my load balancing is configured to perform round robin balancing
> between the two nodes. I added session persistence by source IP in order
> to avoid having to log in again with some sites.
>
> my squid.conf is very simple:
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 100
> auth_param ntlm keep_alive off
>
> acl auth proxy_auth REQUIRED
>
> http_access allow auth
>

Okay. That *should* work. With some NTLM-specific caveats.

> forwarded_for on
> follow_x_forwarded_for allow netscaler
>

If the LB is touching the traffic enough to add headers then it is a proxy.
NTLM does not work at all well through proxies.

NTLM as a whole is based on the assumption that there is one (and only one)
TCP connection between it and the proxy - the credentials are tied to the
TCP connection state.

There is one VERY slim hack that lets NTLM pass straight through a frontend
proxy/LB. That is by pinning the LB's inbound and outbound TCP connections
together. This is not just session persistence, but absolute prohibition on
any other traffic (even from other connections by the same client) being
sent to that outbound LB->proxy connection. Some LBs can do it, some can't.

I recommend advertising both/all proxy IPs to the clients and letting each
select the one(s) it wants to contact. That way the client can perform NTLM
directly to the Squid.

On the other hand NTLM was deprecated back in 2006, you should try migrating
to Negotiate/Kerberos. Kerberos is a bit of a learning curve and can be
tricky working with older client software. But it is *way* more efficient
and friendlier to HTTP (but still not fully).

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
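As an added example (not from the thread, and not Fabio's or Amos's configuration), a squid.conf fragment for the migration Amos suggests: Negotiate/Kerberos offered first, with the existing NTLM helper kept only as a fallback for older clients. The hostname proxy.example.com, realm EXAMPLE.COM, helper path and child counts are assumptions.

```conf
# Added example, not from the thread. Assumed values: proxy.example.com is the
# name clients are told to use (the LB VIP name), realm EXAMPLE.COM, helper
# path /usr/lib/squid/negotiate_kerberos_auth.
#
# Negotiate/Kerberos: each request carries a complete ticket, so it does not
# depend on one TCP connection surviving between the LB and Squid the way
# NTLM does. The keytab every Squid node reads (typically set via KRB5_KTNAME
# in Squid's startup environment) must contain the SPN for the name clients
# actually contact, HTTP/proxy.example.com@EXAMPLE.COM, not each node's own
# hostname, or the clients' tickets will not validate on either node.
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.example.com@EXAMPLE.COM
auth_param negotiate children 20 startup=0 idle=1
auth_param negotiate keep_alive on

# NTLM kept only for clients that cannot do Kerberos. Squid offers schemes in
# the order the auth_param blocks appear, so Negotiate is tried first.
# Clients that fall back to NTLM still need the LB to pin the client->LB and
# LB->Squid connections together, as described in the thread.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 100 startup=0 idle=1
auth_param ntlm keep_alive off

acl auth proxy_auth REQUIRED
# deny !auth makes Squid send the 407 challenge; allow auth admits the
# authenticated request.
http_access deny !auth
http_access allow auth
```

Check from a domain-joined client with `klist` after the first proxied request: a ticket for HTTP/proxy.example.com@EXAMPLE.COM shows Kerberos was used rather than the NTLM fallback.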