Re: [squid-users] Squid and NTLM passthrough

From: Steffan Corley <scorley@dont-contact.us>
Date: Wed, 17 Jan 2007 17:26:24 +0000

To answer my own question, I needed:

persistent_connection_after_error on

in squid.config.

A suggestion for the next version of squid would be to change the
documentation for persistent_connection_after_error (in
squid.config.default). The current version says:

# TAG: persistent_connection_after_error
# With this directive the use of persistent connections after
# HTTP errors can be disabled. Useful if you have clients
# who fail to handle errors on persistent connections proper.

It would be clearer if it said "can be enabled".

Regards, and thanks once again for your help.

Steffan

Steffan Corley wrote:
> Just for further information, we have tried adding the headers
> "Connection: keep-alive" and "Proxy-Connection: keep-alive" to the
> http request with exactly the same results (e.g. curl -H "Connection:
> keep-alive" ...).
>
> Steffan
>
> Steffan Corley wrote:
>> Hi Henrik,
>>
>> Thanks once again for all your help so far. Unfortunately, we can't
>> get this working in Squid 2.6.STABLE7. We have the following line in
>> squid.conf:
>>
>> cache_peer 192.168.4.166 parent 8080 7 no-query login=PASS
>> connection-auth=on
>> (I appreciate the connection-auth bit should be unnecessary, but we
>> added it to remove one possible source of problems).
>>
>> My squid.conf does not contain anything about persistent
>> connections. However, I note that Squid appends a "Proxy-Connection:
>> close" to the NTLM challenge returned by the ISA server. This seems
>> to cause the user agent (curl, in our tests, but IE also doesn't
>> work) to close the connection and then start the entire process again.
>>
>> I've attached debugging output from curl for both a direct connection
>> to the ISA server and a connection through Squid to the bottom of
>> this message. Packet sniffing shows that the communication between
>> squid and the ISA server exactly mirrors the communication between
>> the user agent and squid.
>>
>> In general, our experience with Squid is that it tends to close the
>> connection with the browser surprisingly frequently, particularly
>> immediately after the very first request from any browser.
>>
>> Any ideas?
>>
>> Thanks a lot for any (further) help.
>>
>> Steffan
>>
>> Henrik Nordstrom wrote:
>>> tis 2007-01-16 klockan 22:29 +0000 skrev Steffan Corley:
>>>
>>>
>>>> I've had a look at the cache_peer directive in the Squid 3.0 manual
>>>> (not at work, so can't try it). It looks to me like we would
>>>> probably need "login=PASS" - except that the 3.0 manual
>>>> specifically says that this only works with basic authentication.
>>>>
>>>
>>> Well.. 2.6 is not 3.0 and some things differ.
>>>
>>> 3.0.PRE3 (what the Visolve "3.0" manual documents) does not have
>>> support
>>> for NTLM passthrough. 2.6 does.
>>>
>>> Regards
>>> Henrik
>>>
>> --------------------------------------------------------------------------------------------------------------------------------
>>
>>
>> Direct connection to our test ISA server:
>>
>> curl -v --proxy-ntlm --proxy-user fbloggs:Fishing1 --proxy
>> 192.168.4.166:8080 http://iflsupdc01/test.htm
>>
>> * About to connect() to 192.168.4.166 port 8080
>> * Trying 192.168.4.166... * connected
>> * Connected to 192.168.4.166 (192.168.4.166) port 8080
>> * Proxy auth using NTLM with user 'fbloggs'
>> > GET http://iflsupdc01/test.htm HTTP/1.1
>> Proxy-Authorization: NTLM TlRMTVNTUAABAAAAAgIAAAAAAAAgAAAAAAAAACAAAAA=
>> User-Agent: curl/7.12.1 (i386-redhat-linux-gnu) libcurl/7.12.1
>> OpenSSL/0.9.7a zlib/1.2.1.2 libidn/0.5.6
>> Host: iflsupdc01
>> Pragma: no-cache
>> Accept: */*
>>
>> < HTTP/1.1 407 Proxy Authentication Required ( Access is denied. )
>> < Via: 1.1 IFLISA2
>> < Proxy-Authenticate: NTLM
>> TlRMTVNTUAACAAAAAAAAADgAAAACAgAC4mf23g5o7MUAAAAAAAAAAAAAAAA4AAAABQLODgAAAA8=
>>
>> < Connection: Keep-Alive
>> < Proxy-Connection: Keep-Alive
>> < Pragma: no-cache
>> < Cache-Control: no-cache
>> < Content-Type: text/html
>> < Content-Length: 0 % Total % Received % Xferd Average
>> Speed Time Time Time Current
>> Dload Upload Total Spent
>> Left Speed
>>
>> 0 0 0 0 0 0 0 0 --:--:-- --:--:--
>> --:--:-- 0
>> 0 0 0 0 0 0 0 0 --:--:-- --:--:--
>> --:--:-- 0
>> * Connection #0 to host 192.168.4.166 left intact
>> * Issue another request to this URL: 'http://iflsupdc01/test.htm'
>> * Re-using existing connection! (#0) with host 192.168.4.166
>> * Connected to 192.168.4.166 (192.168.4.166) port 8080
>> * Proxy auth using NTLM with user 'fbloggs'
>> > GET http://iflsupdc01/test.htm HTTP/1.1
>> Proxy-Authorization: NTLM
>> TlRMTVNTUAADAAAAGAAYAEcAAAAYABgAXwAAAAAAAABAAAAABwAHAEAAAAAAAAAARwAAAAAAAAB3AAAAAYIAAGZibG9nZ3M47tx4c1fHgyiRKo8S7Rg5kFShqEyYIYH48/2MC/7cIZqMlCN8DxVWHPTuPISDjoo=
>>
>> User-Agent: curl/7.12.1 (i386-redhat-linux-gnu) libcurl/7.12.1
>> OpenSSL/0.9.7a zlib/1.2.1.2 libidn/0.5.6
>> Host: iflsupdc01
>> Pragma: no-cache
>> Accept: */*
>>
>> < HTTP/1.1 200 OK
>> < Via: 1.1 IFLISA2
>> < Connection: Keep-Alive
>> < Proxy-Connection: Keep-Alive
>> < Content-Length: 1502
>> < Date: Wed, 17 Jan 2007 23:01:33 GMT
>> < Content-Type: text/html
>> < ETag: "d0f625b16d3ac71:1bb"
>> < Server: Microsoft-IIS/6.0
>> < Last-Modified: Wed, 17 Jan 2007 19:28:40 GMT
>> < Accept-Ranges: bytes
>>
>> 100 1502 100 1502 0 0 96940 0 --:--:-- --:--:--
>> --:--:-- 97k
>> * Connection #0 to host 192.168.4.166 left intact
>> * Closing connection #0
>>
>> --------------------------------------------------------------------------------------------------------------------------------
>>
>>
>> Connection through Squid to our test ISA server:
>>
>> curl -v --proxy-ntlm --proxy-user fbloggs:Fishing1 --proxy
>> 127.0.0.1:8080 http://iflsupdc01/test.htm
>>
>> * About to connect() to localhost port 8080
>> * Trying 127.0.0.1... * connected
>> * Connected to localhost (127.0.0.1) port 8080
>> * Proxy auth using NTLM with user 'fbloggs'
>> > GET http://iflsupdc01/test.htm HTTP/1.1
>> Proxy-Authorization: NTLM TlRMTVNTUAABAAAAAgIAAAAAAAAgAAAAAAAAACAAAAA=
>> User-Agent: curl/7.12.1 (i386-redhat-linux-gnu) libcurl/7.12.1
>> OpenSSL/0.9.7a zlib/1.2.1.2 libidn/0.5.6
>> Host: iflsupdc01
>> Pragma: no-cache
>> Accept: */*
>>
>> < HTTP/1.0 407 Proxy Authentication Required
>> < Proxy-Authenticate: NTLM
>> TlRMTVNTUAACAAAAAAAAADgAAAACAgAC6ZSzPs2eyiYAAAAAAAAAAAAAAAA4AAAABQLODgAAAA8=
>>
>> < Pragma: no-cache
>> < Cache-Control: no-cache
>> < Content-Type: text/html
>> < Content-Length: 0
>> < X-Cache: MISS from RMSmartCache2
>> < Via: 1.1 IFLISA2, 1.0 RMSmartCache2:8080 (squid/2.6.STABLE7)
>> < Proxy-Connection: close
>> % Total % Received % Xferd Average Speed Time Time
>> Time Current
>> Dload Upload Total Spent
>> Left Speed
>>
>> 0 0 0 0 0 0 0 0 --:--:-- --:--:--
>> --:--:-- 0
>> 0 0 0 0 0 0 0 0 --:--:-- --:--:--
>> --:--:-- 0
>> * Closing connection #0
>> * Issue another request to this URL: 'http://iflsupdc01/test.htm'
>> * About to connect() to localhost port 8080
>> * Trying 127.0.0.1... * connected
>> * Connected to localhost (127.0.0.1) port 8080
>> * Proxy auth using NTLM with user 'fbloggs'
>> > GET http://iflsupdc01/test.htm HTTP/1.1
>> Proxy-Authorization: NTLM TlRMTVNTUAABAAAAAgIAAAAAAAAgAAAAAAAAACAAAAA=
>> User-Agent: curl/7.12.1 (i386-redhat-linux-gnu) libcurl/7.12.1
>> OpenSSL/0.9.7a zlib/1.2.1.2 libidn/0.5.6
>> Host: iflsupdc01
>> Pragma: no-cache
>> Accept: */*
>>
>> < HTTP/1.0 407 Proxy Authentication Required
>> < Proxy-Authenticate: NTLM
>> TlRMTVNTUAACAAAAAAAAADgAAAACAgACcxmgGcGKnHMAAAAAAAAAAAAAAAA4AAAABQLODgAAAA8=
>>
>> < Pragma: no-cache
>> < Cache-Control: no-cache
>> < Content-Type: text/html
>> < Content-Length: 0
>> < X-Cache: MISS from RMSmartCache2
>> < Via: 1.1 IFLISA2, 1.0 RMSmartCache2:8080 (squid/2.6.STABLE7)
>> < Proxy-Connection: close
>>
>> 0 0 0 0 0 0 0 0 --:--:-- --:--:--
>> --:--:-- 0
>> * Closing connection #0
>> [...repeated many times...]
>> * Maximum (50) redirects followed
>> curl: (47) Maximum (50) redirects followed
>>
>>
>
>
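As an added illustration (not part of the thread): a small check that classifies a 407 response the way the two curl traces above differ, decoding the NTLM token to confirm it is a Type 2 challenge and flagging a challenge delivered with "Proxy-Connection: close" or on a non-persistent HTTP/1.0 connection, the condition the thread identifies as breaking the handshake through Squid. The two sample responses and the NTLM token bytes are constructed.

```python
import base64
import re

# Constructed NTLM Type 2 token: "NTLMSSP\0" signature, message type 2 (LE), padding.
NTLM_TYPE2 = base64.b64encode(b"NTLMSSP\x00" + (2).to_bytes(4, "little") + b"\x00" * 24).decode()

# Constructed 407 as Squid 2.6 returned it in the thread (HTTP/1.0, Proxy-Connection: close).
SQUID_407 = (
    "HTTP/1.0 407 Proxy Authentication Required\r\n"
    f"Proxy-Authenticate: NTLM {NTLM_TYPE2}\r\n"
    "Content-Length: 0\r\n"
    "Proxy-Connection: close\r\n\r\n"
)
# Constructed 407 as the ISA server returned it directly (keep-alive on both headers).
ISA_407 = (
    "HTTP/1.1 407 Proxy Authentication Required ( Access is denied. )\r\n"
    f"Proxy-Authenticate: NTLM {NTLM_TYPE2}\r\n"
    "Connection: Keep-Alive\r\n"
    "Proxy-Connection: Keep-Alive\r\n"
    "Content-Length: 0\r\n\r\n"
)

def ntlm_message_type(token_b64):
    """Return the NTLMSSP message type (1, 2 or 3) from a base64 token, or None."""
    raw = base64.b64decode(token_b64)
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        return None
    return int.from_bytes(raw[8:12], "little")

def check_ntlm_challenge(response):
    """Classify a proxy response: can an NTLM handshake continue on this connection?

    NTLM authenticates the TCP connection itself, so a Type 2 challenge delivered on a
    connection the proxy then closes can never be answered with the Type 3 message.
    """
    head = response.partition("\r\n\r\n")[0]
    status_line, *header_lines = head.split("\r\n")
    version, status = status_line.split(" ", 2)[:2]
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if status != "407":
        return "not-a-challenge"
    m = re.match(r"NTLM\s+(\S+)", headers.get("proxy-authenticate", ""))
    if not m or ntlm_message_type(m.group(1)) != 2:
        return "no-ntlm-type2"
    conn = (headers.get("connection", "") + " " + headers.get("proxy-connection", "")).lower()
    if "close" in conn:
        return "broken: challenge sent on a connection the proxy closes"
    if version == "HTTP/1.0" and "keep-alive" not in conn:
        return "broken: HTTP/1.0 without keep-alive is not persistent"
    return "ok: handshake can continue on this connection"
```

Run over a captured 407 from each hop, the "broken" result points at the proxy that drops the connection mid-handshake, which is what persistent_connection_after_error on fixes for Squid.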
Received on Wed Jan 17 2007 - 10:26:32 MST

This archive was generated by hypermail pre-2.1.9 : Thu Feb 01 2007 - 12:00:01 MST