NTLM auth issue due to patch introduced in squid-3.1.7

From: Jiri Skala <my.js_at_tiscali.cz>
Date: Fri, 29 Jun 2012 16:15:54 +0200

Hi all,
I've reproduced an issue that is caused by the following squid-3.1.7
patch:

http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10067.patch

The reproducer contains a web site in IIS 7.5 that requires NTLM
authentication. IE8 on Windows isn't able to authenticate when the
traffic is handled by squid-3.1.7+. I have information that the issue
depends on the Windows system (win7 is problematic but winXP works fine;
I've used winServer).

Reverting 'Connection' header back to 'Proxy-Connection' header fixes
the issue (see patch below). I see the 'Connection' header is RFC
compliant; unfortunately, not every software manufacturer is aware of the
necessity to be RFC compliant.

I see the first element of the patch as the most controversial. What do
you think about the patch below? Any other tips, comments?

Thank you for your answer in advance.

Best regards

Jiri

=====================================================
diff -up squid-3.1.10/src/client_side_reply.cc.http10
squid-3.1.10/src/client_side_reply.cc
--- squid-3.1.10/src/client_side_reply.cc.http10 2010-12-22
06:46:56.000000000 +0100
+++ squid-3.1.10/src/client_side_reply.cc 2012-06-29
13:05:50.535114802 +0200
@@ -1447,7 +1447,10 @@ clientReplyContext::buildReplyHeader()
         hdr->delById(HDR_VIA);
         hdr->putStr(HDR_VIA, strVia.termedBuf());
     }
- /* Signal keep-alive or close explicitly */
+ /* Signal keep-alive if needed */
+ if (!http->flags.accel && !http->flags.intercepted)
+ hdr->putStr(HDR_PROXY_CONNECTION,
request->flags.proxy_keepalive ? "keep-alive" : "close");
+
     hdr->putStr(HDR_CONNECTION, request->flags.proxy_keepalive ?
"keep-alive" : "close");

 #if ADD_X_REQUEST_URI
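
Review bot: The new comment "Signal keep-alive if needed" does not match the added code in buildReplyHeader(), which writes Proxy-Connection with either "keep-alive" or "close", and does so on every reply that is neither accel nor intercepted, whether or not the client used that header. Consider keeping the original comment wording and emitting HDR_PROXY_CONNECTION only when the request itself carried Proxy-Connection, so clients that follow the RFC see just Connection. The request->flags.proxy_keepalive ternary is now evaluated twice; computing the value once and passing it to both putStr() calls would keep the two headers from drifting apart.
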
diff -up squid-3.1.10/src/http.cc.http10 squid-3.1.10/src/http.cc
--- squid-3.1.10/src/http.cc.http10 2010-12-22 06:46:56.000000000
+0100
+++ squid-3.1.10/src/http.cc 2012-06-29 10:09:41.856239753 +0200
@@ -1729,7 +1729,11 @@ HttpStateData::httpBuildRequestHeader(Ht

     /* maybe append Connection: keep-alive */
     if (flags.keepalive) {
- hdr_out->putStr(HDR_CONNECTION, "keep-alive");
+ if (hdr_in->has(HDR_PROXY_CONNECTION)) {
+ hdr_out->putStr(HDR_PROXY_CONNECTION, "keep-alive");
+ } else {
+ hdr_out->putStr(HDR_CONNECTION, "keep-alive");
+ }
     }

     /* append Front-End-Https */
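
Review bot: In httpBuildRequestHeader() the if/else makes the two headers mutually exclusive, so whenever the client sent Proxy-Connection the outgoing request no longer carries Connection: keep-alive at all. The branch is selected by hdr_in->has(HDR_PROXY_CONNECTION) alone, which is also true for a client that sent "Proxy-Connection: close" and says nothing about whether the next hop is a proxy or an origin server. I would always emit HDR_CONNECTION and add HDR_PROXY_CONNECTION only as an extra, with a comment naming the clients or servers that need it.
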
diff -up squid-3.1.10/src/HttpHeaderTools.cc.http10
squid-3.1.10/src/HttpHeaderTools.cc
--- squid-3.1.10/src/HttpHeaderTools.cc.http10 2010-12-22
06:46:56.000000000 +0100
+++ squid-3.1.10/src/HttpHeaderTools.cc 2012-06-29 10:09:41.857250002
+0200
@@ -148,15 +148,12 @@ httpHeaderHasConnDir(const HttpHeader *
     int res;
     /* what type of header do we have? */

-#if HTTP_VIOLATIONS
     if (hdr->has(HDR_PROXY_CONNECTION))
         list = hdr->getList(HDR_PROXY_CONNECTION);
+ else if (hdr->has(HDR_CONNECTION))
+ list = hdr->getList(HDR_CONNECTION);
     else
-#endif
- if (hdr->has(HDR_CONNECTION))
- list = hdr->getList(HDR_CONNECTION);
- else
- return 0;
+ return 0;

     res = strListIsMember(&list, directive, ',');
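
Review bot: With the #if HTTP_VIOLATIONS guard removed in httpHeaderHasConnDir(), Proxy-Connection is honoured in every build and, because of the else-if, it shadows Connection: when a message carries both, a directive that appears only in Connection is never seen by strListIsMember(). If that precedence is intentional it needs a comment saying so; otherwise check both lists and report a match if either contains the directive. The removal of the guard also deserves a line in the commit message, since it turns behaviour that was opt-in at build time into the default.
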
Received on Fri Jun 29 2012 - 23:03:52 MDT
