Re: [squid-users] Squid and NTLM passthrough

From: Steffan Corley <scorley@dont-contact.us>
Date: Wed, 17 Jan 2007 15:38:13 +0000

Hi Henrik,

Thanks once again for all your help so far. Unfortunately, we can't get
this working in Squid 2.6.STABLE7. We have the following line in
squid.conf:

cache_peer 192.168.4.166 parent 8080 7 no-query login=PASS connection-auth=on
(I appreciate the connection-auth bit should be unnecessary, but we
added it to remove one possible source of problems).

My squid.conf does not contain anything about persistent connections.
However, I note that Squid appends a "Proxy-Connection: close" to the
NTLM challenge returned by the ISA server. This seems to cause the user
agent (curl, in our tests, but IE also doesn't work) to close the
connection and then start the entire process again.

I've attached debugging output from curl for both a direct connection to
the ISA server and a connection through Squid to the bottom of this
message. Packet sniffing shows that the communication between squid and
the ISA server exactly mirrors the communication between the user agent
and squid.

In general, our experience with Squid is that it tends to close the
connection with the browser surprisingly frequently, particularly
immediately after the very first request from any browser.

Any ideas?

Thanks a lot for any (further) help.

Steffan

Henrik Nordstrom wrote:
> Tue 2007-01-16 at 22:29 +0000, Steffan Corley wrote:
>
>
>> I've had a look at the cache_peer directive in the Squid 3.0 manual (not
>> at work, so can't try it). It looks to me like we would probably need
>> "login=PASS" - except that the 3.0 manual specifically says that this
>> only works with basic authentication.
>>
>
> Well.. 2.6 is not 3.0 and some things differ.
>
> 3.0.PRE3 (what the Visolve "3.0" manual documents) does not have support
> for NTLM passthrough. 2.6 does.
>
> Regards
> Henrik
>
--------------------------------------------------------------------------------------------------------------------------------

Direct connection to our test ISA server:

curl -v --proxy-ntlm --proxy-user fbloggs:Fishing1 --proxy 192.168.4.166:8080 http://iflsupdc01/test.htm

* About to connect() to 192.168.4.166 port 8080
* Trying 192.168.4.166... * connected
* Connected to 192.168.4.166 (192.168.4.166) port 8080
* Proxy auth using NTLM with user 'fbloggs'
> GET http://iflsupdc01/test.htm HTTP/1.1
Proxy-Authorization: NTLM TlRMTVNTUAABAAAAAgIAAAAAAAAgAAAAAAAAACAAAAA=
User-Agent: curl/7.12.1 (i386-redhat-linux-gnu) libcurl/7.12.1 OpenSSL/0.9.7a zlib/1.2.1.2 libidn/0.5.6
Host: iflsupdc01
Pragma: no-cache
Accept: */*

< HTTP/1.1 407 Proxy Authentication Required ( Access is denied. )
< Via: 1.1 IFLISA2
< Proxy-Authenticate: NTLM TlRMTVNTUAACAAAAAAAAADgAAAACAgAC4mf23g5o7MUAAAAAAAAAAAAAAAA4AAAABQLODgAAAA8=
< Connection: Keep-Alive
< Proxy-Connection: Keep-Alive
< Pragma: no-cache
< Cache-Control: no-cache
< Content-Type: text/html
< Content-Length: 0
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Connection #0 to host 192.168.4.166 left intact
* Issue another request to this URL: 'http://iflsupdc01/test.htm'
* Re-using existing connection! (#0) with host 192.168.4.166
* Connected to 192.168.4.166 (192.168.4.166) port 8080
* Proxy auth using NTLM with user 'fbloggs'
> GET http://iflsupdc01/test.htm HTTP/1.1
Proxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAEcAAAAYABgAXwAAAAAAAABAAAAABwAHAEAAAAAAAAAARwAAAAAAAAB3AAAAAYIAAGZibG9nZ3M47tx4c1fHgyiRKo8S7Rg5kFShqEyYIYH48/2MC/7cIZqMlCN8DxVWHPTuPISDjoo=
User-Agent: curl/7.12.1 (i386-redhat-linux-gnu) libcurl/7.12.1 OpenSSL/0.9.7a zlib/1.2.1.2 libidn/0.5.6
Host: iflsupdc01
Pragma: no-cache
Accept: */*

< HTTP/1.1 200 OK
< Via: 1.1 IFLISA2
< Connection: Keep-Alive
< Proxy-Connection: Keep-Alive
< Content-Length: 1502
< Date: Wed, 17 Jan 2007 23:01:33 GMT
< Content-Type: text/html
< ETag: "d0f625b16d3ac71:1bb"
< Server: Microsoft-IIS/6.0
< Last-Modified: Wed, 17 Jan 2007 19:28:40 GMT
< Accept-Ranges: bytes

100  1502  100  1502    0     0  96940      0 --:--:-- --:--:-- --:--:--   97k
* Connection #0 to host 192.168.4.166 left intact
* Closing connection #0

--------------------------------------------------------------------------------------------------------------------------------

Connection through Squid to our test ISA server:

curl -v --proxy-ntlm --proxy-user fbloggs:Fishing1 --proxy 127.0.0.1:8080 http://iflsupdc01/test.htm

* About to connect() to localhost port 8080
* Trying 127.0.0.1... * connected
* Connected to localhost (127.0.0.1) port 8080
* Proxy auth using NTLM with user 'fbloggs'
> GET http://iflsupdc01/test.htm HTTP/1.1
Proxy-Authorization: NTLM TlRMTVNTUAABAAAAAgIAAAAAAAAgAAAAAAAAACAAAAA=
User-Agent: curl/7.12.1 (i386-redhat-linux-gnu) libcurl/7.12.1 OpenSSL/0.9.7a zlib/1.2.1.2 libidn/0.5.6
Host: iflsupdc01
Pragma: no-cache
Accept: */*

< HTTP/1.0 407 Proxy Authentication Required
< Proxy-Authenticate: NTLM TlRMTVNTUAACAAAAAAAAADgAAAACAgAC6ZSzPs2eyiYAAAAAAAAAAAAAAAA4AAAABQLODgAAAA8=
< Pragma: no-cache
< Cache-Control: no-cache
< Content-Type: text/html
< Content-Length: 0
< X-Cache: MISS from RMSmartCache2
< Via: 1.1 IFLISA2, 1.0 RMSmartCache2:8080 (squid/2.6.STABLE7)
< Proxy-Connection: close
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection #0
* Issue another request to this URL: 'http://iflsupdc01/test.htm'
* About to connect() to localhost port 8080
* Trying 127.0.0.1... * connected
* Connected to localhost (127.0.0.1) port 8080
* Proxy auth using NTLM with user 'fbloggs'
> GET http://iflsupdc01/test.htm HTTP/1.1
Proxy-Authorization: NTLM TlRMTVNTUAABAAAAAgIAAAAAAAAgAAAAAAAAACAAAAA=
User-Agent: curl/7.12.1 (i386-redhat-linux-gnu) libcurl/7.12.1 OpenSSL/0.9.7a zlib/1.2.1.2 libidn/0.5.6
Host: iflsupdc01
Pragma: no-cache
Accept: */*

< HTTP/1.0 407 Proxy Authentication Required
< Proxy-Authenticate: NTLM TlRMTVNTUAACAAAAAAAAADgAAAACAgACcxmgGcGKnHMAAAAAAAAAAAAAAAA4AAAABQLODgAAAA8=
< Pragma: no-cache
< Cache-Control: no-cache
< Content-Type: text/html
< Content-Length: 0
< X-Cache: MISS from RMSmartCache2
< Via: 1.1 IFLISA2, 1.0 RMSmartCache2:8080 (squid/2.6.STABLE7)
< Proxy-Connection: close

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection #0
[...repeated many times...]
* Maximum (50) redirects followed
curl: (47) Maximum (50) redirects followed
Received on Wed Jan 17 2007 - 08:38:22 MST

This archive was generated by hypermail pre-2.1.9 : Thu Feb 01 2007 - 12:00:01 MST
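Added illustration for the exchange above (this is editor-supplied example code, not part of the original post and not code from Squid, ISA Server or curl). NTLM proxy authentication is connection-oriented: the Type 2 challenge the proxy returns is bound to the TCP connection it was sent on, so a Type 3 response is only meaningful on that same connection. The script decodes the NTLM tokens transcribed from the two curl traces and checks, for each 407, whether the response kept the connection open (HTTP/1.1 without "close", or HTTP/1.0 with an explicit keep-alive). In the direct trace the handshake runs Type 1, Type 2, Type 3, 200 on one connection; in the trace through Squid every 407 carries "Proxy-Connection: close" and a fresh challenge, and the client starts over with Type 1 each time. The header dictionaries are constructed here from the traces and contain only the fields the checker inspects.

```python
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"


def _decode_str(data):
    """Decode an NTLM string field; the UNICODE flag is advisory, so sniff the bytes."""
    if data and len(data) % 2 == 0 and not any(data[1::2]):
        return data.decode("utf-16-le")
    return data.decode("latin-1")


def decode_ntlm(token_b64):
    """Parse the base64 NTLMSSP token carried in a Proxy-Authorization/Proxy-Authenticate header."""
    raw = base64.b64decode(token_b64)
    if raw[:8] != NTLMSSP:
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", raw, 8)[0]
    info = {"type": msg_type}
    if msg_type == 1:            # NEGOTIATE: flags at offset 12
        info["flags"] = struct.unpack_from("<I", raw, 12)[0]
    elif msg_type == 2:          # CHALLENGE: flags at 20, 8-byte server challenge at 24
        info["flags"] = struct.unpack_from("<I", raw, 20)[0]
        info["challenge"] = raw[24:32].hex()
    elif msg_type == 3:          # AUTHENTICATE: six (len, maxlen, offset) descriptors from 12
        names = ("lm_response", "nt_response", "domain", "user", "workstation", "session_key")
        for i, name in enumerate(names):
            length, _maxlen, offset = struct.unpack_from("<HHI", raw, 12 + 8 * i)
            info[name] = raw[offset:offset + length]
        info["flags"] = struct.unpack_from("<I", raw, 60)[0]
        info["user"] = _decode_str(info["user"])
        info["domain"] = _decode_str(info["domain"])
        for name in ("lm_response", "nt_response", "workstation", "session_key"):
            info[name] = info[name].hex()
    return info


def ntlm_token(header_value):
    """Return the base64 token from 'NTLM <token>', or None for a bare 'NTLM' header."""
    parts = header_value.split(None, 1)
    if len(parts) != 2 or parts[0].upper() != "NTLM":
        return None
    return parts[1].strip()


def keeps_connection(status_line, headers):
    """Will the client still have the same TCP connection after this response?"""
    version = status_line.split()[0]
    conn = " ".join(v for k, v in headers.items()
                    if k.lower() in ("connection", "proxy-connection")).lower()
    if "close" in conn:
        return False
    if version == "HTTP/1.0":    # HTTP/1.0 closes by default unless keep-alive is explicit
        return "keep-alive" in conn
    return True


def analyze(trace):
    """Walk a list of (direction, start line, headers) and report on the NTLM handshake."""
    report = {"completed": False, "restarts": 0, "challenges": [],
              "closed_after_challenge": False, "user": None}
    awaiting_type3 = False
    for direction, start_line, headers in trace:
        if direction == ">":
            token = ntlm_token(headers.get("Proxy-Authorization", ""))
            msg = decode_ntlm(token) if token else {"type": 0}
            if msg["type"] == 1 and awaiting_type3:
                report["restarts"] += 1   # challenge thrown away; client begins again at Type 1
            if msg["type"] == 3:
                report["user"] = msg["user"]
            awaiting_type3 = False
        else:
            status = int(start_line.split()[1])
            token = ntlm_token(headers.get("Proxy-Authenticate", ""))
            if status == 407 and token and decode_ntlm(token)["type"] == 2:
                report["challenges"].append(decode_ntlm(token)["challenge"])
                awaiting_type3 = True
                # The challenge lives only on this connection; closing it here means the
                # Type 3 can never be checked against it.
                if not keeps_connection(start_line, headers):
                    report["closed_after_challenge"] = True
            elif 200 <= status < 300 and report["user"] is not None:
                report["completed"] = True
    return report


# Tokens transcribed from the curl traces in the message above.
TYPE1 = "TlRMTVNTUAABAAAAAgIAAAAAAAAgAAAAAAAAACAAAAA="
DIRECT_TYPE2 = "TlRMTVNTUAACAAAAAAAAADgAAAACAgAC4mf23g5o7MUAAAAAAAAAAAAAAAA4AAAABQLODgAAAA8="
DIRECT_TYPE3 = "TlRMTVNTUAADAAAAGAAYAEcAAAAYABgAXwAAAAAAAABAAAAABwAHAEAAAAAAAAAARwAAAAAAAAB3AAAAAYIAAGZibG9nZ3M47tx4c1fHgyiRKo8S7Rg5kFShqEyYIYH48/2MC/7cIZqMlCN8DxVWHPTuPISDjoo="
SQUID_TYPE2_A = "TlRMTVNTUAACAAAAAAAAADgAAAACAgAC6ZSzPs2eyiYAAAAAAAAAAAAAAAA4AAAABQLODgAAAA8="
SQUID_TYPE2_B = "TlRMTVNTUAACAAAAAAAAADgAAAACAgACcxmgGcGKnHMAAAAAAAAAAAAAAAA4AAAABQLODgAAAA8="

GET = "GET http://iflsupdc01/test.htm HTTP/1.1"
# Constructed from the traces: only the headers the checker looks at are kept.
DIRECT = [
    (">", GET, {"Proxy-Authorization": "NTLM " + TYPE1}),
    ("<", "HTTP/1.1 407 Proxy Authentication Required ( Access is denied. )",
     {"Proxy-Authenticate": "NTLM " + DIRECT_TYPE2, "Connection": "Keep-Alive", "Proxy-Connection": "Keep-Alive"}),
    (">", GET, {"Proxy-Authorization": "NTLM " + DIRECT_TYPE3}),
    ("<", "HTTP/1.1 200 OK", {"Connection": "Keep-Alive", "Proxy-Connection": "Keep-Alive"}),
]
VIA_SQUID = [
    (">", GET, {"Proxy-Authorization": "NTLM " + TYPE1}),
    ("<", "HTTP/1.0 407 Proxy Authentication Required",
     {"Proxy-Authenticate": "NTLM " + SQUID_TYPE2_A, "Proxy-Connection": "close"}),
    (">", GET, {"Proxy-Authorization": "NTLM " + TYPE1}),
    ("<", "HTTP/1.0 407 Proxy Authentication Required",
     {"Proxy-Authenticate": "NTLM " + SQUID_TYPE2_B, "Proxy-Connection": "close"}),
]

if __name__ == "__main__":
    for label, trace in (("direct to ISA", DIRECT), ("via Squid", VIA_SQUID)):
        print(label, analyze(trace))
```

Running it prints one report per trace: the direct trace completes with user "fbloggs", no restarts and one challenge; the Squid trace never completes, shows one restart, two different server challenges and "closed_after_challenge" set, which is the symptom the message describes. The same checker can be pointed at any other curl "-v" capture by transcribing its request/response headers into the same tuple form.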