Re: NTLM auth issue due to patch introduced in squid-3.1.7

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Fri, 29 Jun 2012 17:52:27 -0600

On 06/29/2012 08:15 AM, Jiri Skala wrote:

> I've reproduced an issue that is caused by the following squid-3.1.7
> patch:
> http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10067.patch
>
> The reproducer contains a web site in IIS 7.5 that requires NTLM
> authentication. IE8 on Windows isn't able to authenticate when the
> traffic is handled by squid-3.1.7+. I have information that the issue
> depends on the Windows system (win7 is problematic but winXP works fine;
> I've used winServer).
>
> Reverting the 'Connection' header back to the 'Proxy-Connection' header
> fixes the issue (see patch below). I see the 'Connection' header is RFC
> compliant; unfortunately, not every software manufacturer is aware of
> the necessity to be RFC compliant.
>
> I see the first element of the patch as the most controversial. What do
> you think about the patch below? Any other tips, comments?

Hi Jiri,

    If you could configure Squid to add a Proxy-Connection header that
matches the outgoing Connection header sent by Squid, would that be
sufficient to solve your problem with the broken site? The header
mangling patch (being discussed on squid-dev right now) may allow you to
do that (if the mangling code is applied post-cache for both REQMOD and
RESPMOD)...

If the above does not work and the patch is required, I am surprised
your patch changes do not closely mimic the existing Connection code. Why
change comments, remove #ifdefs, and add new if-statements? Would it be
sufficient to duplicate the existing HDR_CONNECTION code and then change
the copied code to use HDR_PROXY_CONNECTION?

Do you need to change both the client-Squid and Squid-server sides, or
just one of them? It may help if you open a bug report and post specific
minimal HTTP exchanges (just headers) that work and that do not, so that
it becomes clearer what we have to change.

For example, if the problem is on the client-Squid side, perhaps Squid
can reply with whatever header the client is using? If the client is
using Proxy-Connection, Squid will use Proxy-Connection with that client
too (there is a question of the default when the client is not sending
any *Connection header, but perhaps it is not relevant to _your_ use
case).

Thank you,

Alex.

>
> =====================================================
> diff -up squid-3.1.10/src/client_side_reply.cc.http10
> squid-3.1.10/src/client_side_reply.cc
> --- squid-3.1.10/src/client_side_reply.cc.http10 2010-12-22
> 06:46:56.000000000 +0100
> +++ squid-3.1.10/src/client_side_reply.cc 2012-06-29
> 13:05:50.535114802 +0200
> @@ -1447,7 +1447,10 @@ clientReplyContext::buildReplyHeader()
> hdr->delById(HDR_VIA);
> hdr->putStr(HDR_VIA, strVia.termedBuf());
> }
> - /* Signal keep-alive or close explicitly */
> + /* Signal keep-alive if needed */
> + if (!http->flags.accel && !http->flags.intercepted)
> + hdr->putStr(HDR_PROXY_CONNECTION,
> request->flags.proxy_keepalive ? "keep-alive" : "close");
> +
> hdr->putStr(HDR_CONNECTION, request->flags.proxy_keepalive ?
> "keep-alive" : "close");
>
> #if ADD_X_REQUEST_URI
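Review bot: the new `if (!http->flags.accel && !http->flags.intercepted)` block emits Proxy-Connection on every forward-proxy reply regardless of whether the client sent that header, and the unchanged `hdr->putStr(HDR_CONNECTION, ...)` right after it means those clients now receive both headers. If the goal is to satisfy a client that only understands Proxy-Connection, emit it only when the incoming request carried one (the way the http.cc hunk keys on `hdr_in->has(HDR_PROXY_CONNECTION)`), so compliant clients see no change. The replacement comment "Signal keep-alive if needed" also no longer describes the code, which still emits "close" explicitly; keep "Signal keep-alive or close explicitly" and note the extra header instead.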
> diff -up squid-3.1.10/src/http.cc.http10 squid-3.1.10/src/http.cc
> --- squid-3.1.10/src/http.cc.http10 2010-12-22 06:46:56.000000000
> +0100
> +++ squid-3.1.10/src/http.cc 2012-06-29 10:09:41.856239753 +0200
> @@ -1729,7 +1729,11 @@ HttpStateData::httpBuildRequestHeader(Ht
>
> /* maybe append Connection: keep-alive */
> if (flags.keepalive) {
> - hdr_out->putStr(HDR_CONNECTION, "keep-alive");
> + if (hdr_in->has(HDR_PROXY_CONNECTION)) {
> + hdr_out->putStr(HDR_PROXY_CONNECTION, "keep-alive");
> + } else {
> + hdr_out->putStr(HDR_CONNECTION, "keep-alive");
> + }
> }
>
> /* append Front-End-Https */
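Review bot: in the `if (hdr_in->has(HDR_PROXY_CONNECTION))` branch the request forwarded to the server carries `Proxy-Connection: keep-alive` and no Connection header at all, so an origin server that correctly ignores the non-standard Proxy-Connection header sees no keep-alive signal and the client's choice of header name leaks to the next hop. If a server-side change is really needed, keep `hdr_out->putStr(HDR_CONNECTION, "keep-alive")` in both branches and add Proxy-Connection only in addition to it, and apply the same accel/intercept guard that the client_side_reply.cc hunk uses so the two sides behave consistently.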
> diff -up squid-3.1.10/src/HttpHeaderTools.cc.http10
> squid-3.1.10/src/HttpHeaderTools.cc
> --- squid-3.1.10/src/HttpHeaderTools.cc.http10 2010-12-22
> 06:46:56.000000000 +0100
> +++ squid-3.1.10/src/HttpHeaderTools.cc 2012-06-29 10:09:41.857250002
> +0200
> @@ -148,15 +148,12 @@ httpHeaderHasConnDir(const HttpHeader *
> int res;
> /* what type of header do we have? */
>
> -#if HTTP_VIOLATIONS
> if (hdr->has(HDR_PROXY_CONNECTION))
> list = hdr->getList(HDR_PROXY_CONNECTION);
> + else if (hdr->has(HDR_CONNECTION))
> + list = hdr->getList(HDR_CONNECTION);
> else
> -#endif
> - if (hdr->has(HDR_CONNECTION))
> - list = hdr->getList(HDR_CONNECTION);
> - else
> - return 0;
> + return 0;
>
> res = strListIsMember(&list, directive, ',');
>
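Review bot: removing the `#if HTTP_VIOLATIONS` guard makes the non-standard Proxy-Connection header win over Connection unconditionally in httpHeaderHasConnDir(): when a request carries both, the directives in Connection (the RFC-defined header) are never consulted, so `Connection: close` alongside `Proxy-Connection: keep-alive` is read as keep-alive. Either check Connection first and fall back to Proxy-Connection, or test the directive against both lists; and since this was deliberately violations-only behaviour, the commit message should say why it becomes the default for all builds, or the change should stay behind the existing HTTP_VIOLATIONS switch.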
Received on Fri Jun 29 2012 - 23:52:32 MDT
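The mirroring approach Alex sketches (answer with whichever *Connection header the client used, with an explicit default when it sent neither), worked through as an added example. This is not Squid code and is not part of the original thread; the function names, the constructed request samples and the hop-by-hop stripping rule are assumptions for illustration. Unlike the httpHeaderHasConnDir() hunk in the quoted patch, the directive lookup here consults both header forms rather than letting Proxy-Connection shadow Connection.

```python
"""Connection / Proxy-Connection handling for a forward proxy (added example, not Squid code).

Models the behaviour suggested in the thread: the proxy's reply uses the
*Connection header name the client used, the keep-alive decision honours
directives found in either header, and neither header (nor anything they
name as hop-by-hop) is forwarded to the origin server.
"""
from typing import Dict, List, Tuple

# Both forms are hop-by-hop; the names are lowercased for case-insensitive lookup.
CONN_HEADERS = ("connection", "proxy-connection")


def parse_headers(block: str) -> Dict[str, List[str]]:
    """Parse a CRLF header block into {lowercased-name: [values]}; a request line is skipped."""
    headers: Dict[str, List[str]] = {}
    for line in block.split("\r\n"):
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        if " " in name.strip():  # "GET http://... HTTP/1.0" is a request line, not a header
            continue
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def directives(values: List[str]) -> List[str]:
    """Split comma-separated list values into lowercased tokens (the strListIsMember view)."""
    tokens: List[str] = []
    for value in values:
        tokens.extend(t.strip().lower() for t in value.split(",") if t.strip())
    return tokens


def has_conn_dir(headers: Dict[str, List[str]], directive: str) -> bool:
    """True if the directive appears in Connection OR Proxy-Connection (no shadowing)."""
    return any(directive.lower() in directives(headers.get(name, [])) for name in CONN_HEADERS)


def wants_keepalive(headers: Dict[str, List[str]], version: str) -> bool:
    """Persistence decision: 'close' anywhere wins; HTTP/1.1 is persistent by default,
    HTTP/1.0 only with an explicit keep-alive token."""
    if has_conn_dir(headers, "close"):
        return False
    if version == "HTTP/1.1":
        return True
    return has_conn_dir(headers, "keep-alive")


def reply_conn_header(headers: Dict[str, List[str]], version: str,
                      accel_or_intercept: bool) -> Tuple[str, str]:
    """Pick (header-name, value) for the reply's connection signal.

    Mirror Proxy-Connection only when the client used it exclusively and the
    request really went through an explicit proxy; the default when the client
    sent neither header is the standard Connection header (assumed policy).
    """
    value = "keep-alive" if wants_keepalive(headers, version) else "close"
    if (not accel_or_intercept
            and "proxy-connection" in headers
            and "connection" not in headers):
        return ("Proxy-Connection", value)
    return ("Connection", value)


def forward_headers(headers: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Headers to send to the next hop: both connection forms and every header
    they list as hop-by-hop are dropped, so Proxy-Connection never reaches an origin."""
    drop = set(CONN_HEADERS)
    for name in CONN_HEADERS:
        drop.update(t for t in directives(headers.get(name, []))
                    if t not in ("close", "keep-alive"))
    return {k: v for k, v in headers.items() if k not in drop}


if __name__ == "__main__":
    # Constructed sample: an HTTP/1.0 client that only speaks Proxy-Connection.
    sample = "GET http://example.test/ HTTP/1.0\r\nHost: example.test\r\nProxy-Connection: keep-alive\r\n\r\n"
    hdrs = parse_headers(sample)
    print(reply_conn_header(hdrs, "HTTP/1.0", accel_or_intercept=False))
    print(forward_headers(hdrs))
```

The `accel_or_intercept` guard matters for the same reason the patch excludes those modes: a client behind an interceptor believes it is talking to the origin and has no business seeing a proxy-only header.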

This archive was generated by hypermail 2.2.0 : Sat Jun 30 2012 - 12:00:06 MDT