Re: [squid-users] Problem with IE6 SP1 proxy authentication from Wim Ceulemans on 2003-04-10 (squid-users)

From: Wim Ceulemans <wim.ceulemans@dont-contact.us>
Date: Thu, 10 Apr 2003 13:41:15 +0200

Marc

Thanks for your reply.
The problem can indeed be solved by setting

client_persistent_connections off

in the squid.conf file.

Thanks and Regards
Wim

Marc Elsen wrote:

>Wim Ceulemans wrote:
>
>
>>Hi
>>
>>FYI I am using squid-2.4.STABLE7.
>>
>>I read all the archives about the IE6 SP1 problem not being able to
>>authenticate through squid. There definitely is a bug in IE6 SP1 that is
>>not present in IE5 and plain IE6. For a number of workstations I could
>>solve the problem by:
>>
>>1. Installing the MS critical updates Q810847 and Q813951
>>2. And by disabling the "Show friendly http error messages" in Tool -
>>Internet options - Advanced tab of IE6
>>
>>However on some windows XP clients the problem is not solved???
>>
>>Another thing I saw was that when I tried to authenticate with an XP
>>client not being able to authenticate with squid-2.4.STABLE7, it works
>>ok with squid-2.2.STABLE4. I recorded the authentication session of that
>>winXP client with the two different squids and this is the result
>>(captured with tcpdump and displayed with ethereal):
>>
>>A. Session with squid-2.4.STABLE7 (simplified a bit)
>>
>>Source Destination Protocol
>> Info
>>wc-winxp.able.be wc-test.able.be TCP 1066 >
>>3128 [SYN]
>>wc-test.able.be wc-winxp.able.be TCP 3128 >
>>1066 [SYN, ACK]
>>wc-winxp.able.be wc-test.able.be TCP 1066 >
>>3128 [ACK]
>>wc-winxp.able.be wc-test.able.be HTTP GET
>>http://www.google.be/ HTTP/1.0
>>wc-test.able.be wc-winxp.able.be TCP 3128 >
>>1066 [ACK]
>>wc-test.able.be wc-winxp.able.be HTTP HTTP/1.0
>>407 Proxy Authentication Required
>>wc-test.able.be wc-winxp.able.be TCP 3128 >
>>1066 [FIN, ACK]
>>wc-winxp.able.be wc-test.able.be TCP 1066 >
>>3128 [ACK]
>>wc-winxp.able.be wc-test.able.be HTTP GET
>>http://www.google.be/ HTTP/1.0
>>wc-test.able.be wc-winxp.able.be TCP 3128 >
>>1066 [RST]
>>wc-winxp.able.be wc-test.able.be TCP 1066 >
>>3128 [FIN, ACK]
>>wc-test.able.be wc-winxp.able.be TCP 3128 >
>>1066 [RST]
>>
>>B. Session with squid-2.2.STABLE4
>>
>>Source Destination Protocol
>> Info
>>wc-winxp.able.be wc-test.able.be TCP 1066 >
>>3128 [SYN]
>>wc-test.able.be wc-winxp.able.be TCP 3128 >
>>1066 [SYN, ACK]
>>wc-winxp.able.be wc-test.able.be TCP 1066 >
>>3128 [ACK]
>>wc-winxp.able.be wc-test.able.be HTTP GET
>>http://www.google.be/ HTTP/1.0
>>wc-test.able.be wc-winxp.able.be TCP 3128 >
>>1066 [ACK]
>>wc-test.able.be wc-winxp.able.be HTTP HTTP/1.0
>>407 Proxy Authentication Required
>>wc-test.able.be wc-winxp.able.be TCP 3128 >
>>1066 [FIN, ACK]
>>wc-winxp.able.be wc-test.able.be TCP 1066 >
>>3128 [ACK]
>>wc-winxp.able.be wc-test.able.be TCP 1066 >
>>3128 [FIN, ACK]
>>wc-test.able.be wc-winxp.able.be TCP 3128 >
>>1066 [ACK]
>>wc-winxp.able.be wc-test.able.be HTTP GET
>>http://www.google.be/ HTTP/1.0
>>wc-test.able.be wc-winxp.able.be TCP 3128 >
>>1066 [RST]
>>wc-winxp.able.be wc-test.able.be TCP 1066 >
>>3128 [FIN, ACK]
>>wc-test.able.be wc-winxp.able.be TCP 3128 >
>>1066 [RST]
>>wc-winxp.able.be wc-test.able.be TCP 1066 >
>>3128 [SYN]
>>wc-test.able.be wc-winxp.able.be TCP 3128 >
>>1066 [SYN, ACK]
>>wc-winxp.able.be wc-test.able.be TCP 1066 >
>>3128 [ACK]
>>wc-winxp.able.be wc-test.able.be HTTP GET
>>http://www.google.be/ HTTP/1.0
>>wc-test.able.be wc-winxp.able.be TCP 3128 >
>>1066 [ACK]
>>wc-test.able.be wc-winxp.able.be HTTP HTTP/1.0
>>200 OK
>>
>>See the difference? By analyzing the headers of the swuid answer (what a
>>great tool ethereal is), is see only one difference:
>>
>>1. squid-2.4.STABLE7 gives a:
>> Proxy-Connection: Keep-Alive
>>2. squid-2.2.STABLE4 gives a:
>> Proxy-Connection: close
>>
>>That's why this IE bug does not happen with older versions of squid.
>>Does anyone know how to force squid-2.4.STABLE7 to close the connection
>>in stead of keeping it alive?
>>
>>
>
> Check
>
> client_persistent_connections
>
> in squid.conf (perhaps setting to 'off')
>
> This may help you, not sure though.
>
>
>>Also is this correct reasoning: after a proxy authentication the
>>connection should always be finished by the browser even if keep-alive
>>header is present? Or is this to be considered a bug in squid?
>>
>>
>
> I believe this is the reverse reasoning of attempting to consider
> issues and relating them to squid while they aren't.
> For improved tcp performance I would consider it normal to
> keep the conn. open also in this case.
>
> Considere the IE SP1 problems,also check :
>
> http://www.squid-cache.org/Doc/FAQ/FAQ-5.html#ss5.12
>
> which you probably done already.
>
>
> You may also want to verify all of this issues
> against 2.5S2 which is the advised version of squid
> to run these days.
>
> Best Regards,
>
> M.
>
>
>
>
>
>>Thanks and regards
>>
>>--
>>Wim Ceulemans
>>R&D Engineer
>>
>>Secure Internet Communication with aXs Guard
>>
>>Able NV
>>Leuvensesteenweg 282 - B-3190 Boortmeerbeek - Belgium
>>Phone: + 32 15 50.44.00 - Fax: + 32 15 50.44.09
>>E-mail: wim.ceulemans@able.be
>>
>>--
>>Security check done by aXs GUARD (http://www.axsguard.com)
>>
>>
>
>
>

-- 
Wim Ceulemans
R&D Engineer
Secure Internet Communication with aXs Guard
Able NV
Leuvensesteenweg 282 - B-3190 Boortmeerbeek - Belgium
Phone: + 32 15 50.44.00 - Fax: + 32 15 50.44.09
E-mail: wim.ceulemans@able.be
--
Security check done by aXs GUARD (http://www.axsguard.com)

Received on Thu Apr 10 2003 - 05:40:20 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:14:54 MST