RE: [SQU] OT: Does the wonderous NTLM auth module exist for Apache?

From: Robert Collins <robert.collins@dont-contact.us>
Date: Thu, 23 Nov 2000 09:48:04 +1100

I think this has been covered before in mails on this list (or maybe it
was squid dev.) Apologies if I bore anyone.

TCP 1 is standard.
TCP 2 should contain multiple requests. Please see my note about
upstream servers later on. If that doesn't apply let me know and I'll
give you some debug levels to use to find out what's going on.

The DC requests - here's the current solution:

Squid startup: start N helpers, each helper connects to the DC and gets
a challenge.
IE->Squid NTLM negotiate
Squid->next available helper #n NTLM Negotiate
helper->squid challenge.
Squid->IE challenge (and remember n)
IE->Squid Authenticate.
Squid - check the Challenge-Authenticate couple in its in-memory cache.
If a hit, serve the response. If a miss
Squid->helper #n Authenticate
Helper->DC Authenticate
DC->helper ok/err
helper->squid ok/err
squid - on err send 407 and restart.
squid - on ok add the challenge-authenticate couple to its in-memory
cache. If it's for an existing username, it gets linked to the existing
username.

So we ALWAYS talk to the DC when a request comes through that is not in
our in-memory cache. We can't choose the challenge (yet) so the
effectiveness of the cache is set by reducing the number of helpers and
increasing each helper's challenge timeout.

FWIW when I'm browsing heavily I see 30-40+ requests on each persistent
connection.
However if you have an upstream proxy, or upstream servers that don't
send a content-length header squid will always drop the connection
because HTTP/1.0 doesn't allow you to indicate when the content finishes
(other than the content-length header or dropping the connection).
HTTP/1.1 brought in chunked transfer encoding to fix this. Squid has
another development module on sourceforge that has that capability, and
no I haven't tried the two together yet :-]

Rob

> -----Original Message-----
> From: Jason Haar [mailto:Jason.Haar@trimble.co.nz]
> Sent: Thursday, 23 November 2000 9:20 AM
> To: 'squid users mailing list'
> Subject: Re: [SQU] OT: Does the wonderous NTLM auth module exist for Apache?
>
>
> On Thu, Nov 23, 2000 at 09:10:38AM +1100, Robert Collins wrote:
> > Yup. HTTP/1.0 has a header keep-alive, which squid uses. You also
> > misconfigured ie - with squid ie should _always_ be configured
> > "use http/1.1 through proxy servers" off - see the advanced tab.
>
> OK, I did that and it still doesn't make much difference. Now IE sends
> keepalive, but still a TCP session only does:
>
> TCP 1
> IE -> GET URL (with no auth)
> Squid -> Proxy auth required
>
> TCP 2
> IE -> GET URL (with auth)
> Squid -> Page returned
>
>
> I was expecting to see multiple URLs returned over "TCP 2". Also in a
> one-minute period, Squid still contacted the domain controller multiple
> times - I thought it only did it once and cached the results?
> [yes, this is a test Squid server with only one client]
>
> --
> Cheers
>
> Jason Haar
>
> Unix/Special Projects, Trimble NZ
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
>
> --
> To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
>
>

Received on Wed Nov 22 2000 - 15:52:45 MST
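The helper/DC flow and the in-memory Challenge-Authenticate cache that Rob describes above, as an added simulation (not Squid's own code, nor anything from the list): `ntlm_response`, the account `jason`/`secret`, and the request-count challenge timeout are constructed stand-ins, and `simulate()` shows how the number of helpers and the challenge timeout set how often the DC is contacted.

```python
import hashlib
import itertools
def ntlm_response(challenge, password):
    """Stand-in for the client's NTLM response computation (constructed)."""
    return hashlib.sha256(f"{challenge}:{password}".encode()).hexdigest()[:16]

class DomainController:
    """Constructed DC: hands out challenges and verifies Authenticate messages."""
    def __init__(self, users):
        self.users, self.calls, self._ctr = users, 0, itertools.count(1)
    def challenge(self):
        return f"chal{next(self._ctr)}"
    def authenticate(self, challenge, user, response):
        self.calls += 1                         # every call here is a DC round trip
        return response == ntlm_response(challenge, self.users.get(user, ""))

class Helper:
    """One NTLM helper: holds a DC challenge, refreshed after `timeout` uses."""
    def __init__(self, dc, timeout):
        self.dc, self.timeout, self.challenge, self.uses = dc, timeout, dc.challenge(), 0
    def negotiate(self):
        self.uses += 1
        if self.uses > self.timeout:            # challenge timeout: fetch a fresh one
            self.challenge, self.uses = self.dc.challenge(), 1
        return self.challenge

class Squid:
    def __init__(self, dc, n_helpers, timeout):
        self.dc = dc
        self.helpers = [Helper(dc, timeout) for _ in range(n_helpers)]
        self.next_helper = itertools.cycle(range(n_helpers))
        self.cache = {}                         # (challenge, authenticate) -> username
    def request(self, user, password):
        n = next(self.next_helper)              # Squid -> next available helper #n
        chal = self.helpers[n].negotiate()      # helper -> Squid challenge, sent on to IE
        auth = ntlm_response(chal, password)    # IE -> Squid Authenticate
        if (chal, auth) in self.cache:          # hit: served without touching the DC
            return 200
        if not self.dc.authenticate(chal, user, auth):  # miss: helper #n -> DC
            return 407                          # err: 407 and restart
        self.cache[(chal, auth)] = user         # ok: remember the couple
        return 200

def simulate(n_helpers, timeout, requests=40):
    """Return (DC round trips, successful requests) for one client browsing."""
    dc = DomainController({"jason": "secret"})  # constructed account
    squid = Squid(dc, n_helpers, timeout)
    ok = sum(squid.request("jason", "secret") == 200 for _ in range(requests))
    return dc.calls, ok
```

With one helper and a long timeout the DC is asked once for 40 requests; five helpers mean five distinct challenges and five DC calls before the cache covers them all, and a short timeout forces a new DC call every time a helper's challenge rolls over.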

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:56:32 MST