Re: Squid with NTLM auth behind netscaler

Thanks Amos.
So, what do you suggest? Implement Kerberos authentication instead of the NTLM one?

I have to check if netscaler is able to perform that kind of hack you wrote about before.

Thanks again,
Fabio

2015-12-05 7:22 GMT+01:00 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
On 5/12/2015 5:39 a.m., Fabio Bucci wrote:
> Thanks Amos.
> Actually my load balancing is configured to perform round robin balancing
> between the two nodes. I added session persistence by source IP in order
> to avoid having to log in again with some sites.
>
> my squid.conf is very simple:
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 100
> auth_param ntlm keep_alive off
>
> acl auth proxy_auth REQUIRED
>
> http_access allow auth
>

Okay. That *should* work. With some NTLM-specific caveats.


> forwarded_for on
> follow_x_forwarded_for allow netscaler
>

If the LB is touching the traffic enough to add headers then it is a
proxy. NTLM does not work at all well through proxies. NTLM as a whole
is based on the assumption that there is one (and only one) TCP
connection between it and the proxy - the credentials are tied to the
TCP connection state.

There is one VERY slim hack that lets NTLM pass straight through a
frontend proxy/LB. That is by pinning the LB's inbound and outbound TCP
connections together. This is not just session persistence, but absolute
prohibition on any other traffic (even from other connections by the
same client) being sent to that outbound LB->proxy connection. Some LB
can do it, some can't.


I recommend advertising both/all proxy IPs to the clients and letting
each select the one(s) it wants to contact. That way the client can
perform NTLM directly to the Squid.


On the other hand NTLM was deprecated back in 2006, you should try
migrating to Negotiate/Kerberos. Kerberos is a bit of a learning curve
and can be tricky working with older client software. But it is *way* more
efficient and friendlier to HTTP (but still not fully).


Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
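The point Amos makes about NTLM state being bound to the TCP connection, shown as a small added simulation (constructed for this thread, not Squid or NetScaler code): a simplified type1/challenge/type3 handshake runs through a load balancer that either round-robins requests across its backend connections or pins one backend connection to the client. The handshake messages, nonce format and status codes are assumptions of the model.

```python
"""Constructed model of NTLM's per-TCP-connection state behind a load balancer.
Not Squid code; the handshake is simplified to type1 -> challenge -> type3."""
import itertools


class ProxyConnection:
    """One LB->proxy TCP connection. NTLM state lives here, not with the user."""

    def __init__(self, conn_id):
        self.conn_id = conn_id
        self.challenge = None      # challenge issued on this connection
        self.authenticated = False

    def handle(self, auth):
        """Return (status, challenge); 407 means the proxy asks for auth again."""
        if self.authenticated:
            return 200, None
        if auth == "TYPE1":
            self.challenge = "nonce-%d" % self.conn_id   # assumed nonce format
            return 407, self.challenge
        if auth and self.challenge and auth == "TYPE3:" + self.challenge:
            self.authenticated = True
            return 200, None
        return 407, None           # no usable state on this connection


class LoadBalancer:
    def __init__(self, backends, pinned):
        self.pinned = pinned
        self.cycle = itertools.cycle(backends)
        self.pin = None

    def send(self, auth):
        if self.pinned:            # inbound connection pinned to one outbound
            self.pin = self.pin or next(self.cycle)
            return self.pin.handle(auth)
        return next(self.cycle).handle(auth)   # any request may hit another conn


def ntlm_through_lb(pinned, n_backends=2):
    """Run the handshake as a client would; return the status of each step."""
    lb = LoadBalancer([ProxyConnection(i) for i in range(n_backends)], pinned)
    status1, challenge = lb.send("TYPE1")
    status2, _ = lb.send("TYPE3:" + (challenge or ""))
    status3, _ = lb.send(None)     # plain request after the handshake
    return [status1, status2, status3]


if __name__ == "__main__":
    print("round robin:", ntlm_through_lb(pinned=False))  # [407, 407, 407]
    print("pinned:     ", ntlm_through_lb(pinned=True))   # [407, 200, 200]
```

With round robin the type-3 response lands on a connection that never issued the challenge, so the client loops on 407; pinning (or a single backend) makes the handshake complete.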
