[squid-users] Squid sends TCP_DENIED/407 even on already authenticated users

From: Julio Cesar Gazquez <jgazque0@dont-contact.us>
Date: Wed, 30 Apr 2008 13:29:59 -0300

Hi.

We are starting to deploy digest-based authentication on a large network, and
we found a weird problem: Sometimes authenticated requests are answered by
TCP_DENIED/407 responses.

Below is a sample from the access log:

1209559977.471 252 192.168.2.223 TCP_MISS/200 801 GET http://www.deautos.com/img/top02.gif lboullo0 FIRST_UP_PARENT/localhost image/gif
1209559977.640 67 192.168.2.223 TCP_MISS/200 9208 GET http://www.deautos.com/img/tmp/img_comprar.jpg lboullo0 FIRST_UP_PARENT/localhost image/jpeg
1209559977.647 50 192.168.2.223 TCP_MISS/200 9565 GET http://www.deautos.com/img/tmp/img_vender.jpg lboullo0 FIRST_UP_PARENT/localhost image/jpeg
1209559977.656 77 192.168.2.223 TCP_MISS/200 5629 GET http://www.deautos.com/img/tmp/txt_comprar.jpg lboullo0 FIRST_UP_PARENT/localhost image/jpeg
1209559977.657 63 192.168.2.223 TCP_MISS/200 655 GET http://www.deautos.com/img/img_flechita.gif lboullo0 FIRST_UP_PARENT/localhost image/gif
1209559978.080 2 192.168.2.223 TCP_DENIED/407 2765 GET http://www.deautos.com/img/img_flechita_blink.gif lboullo0 NONE/- text/html
1209559978.163 87 192.168.2.223 TCP_MISS/200 2772 GET http://www.deautos.com/img/img_vender02.gif lboullo0 FIRST_UP_PARENT/localhost image/gif
1209559978.219 97 192.168.2.223 TCP_MISS/200 707 GET http://www.deautos.com/img/img_flechita_blink.gif lboullo0 FIRST_UP_PARENT/localhost image/gif

As you can see, the user is happily sending authenticated requests, yet at one
point it receives a 407 response.

We are not really sure, but this doesn't seem OK. Worst of all, in certain
cases it seems to be the cause of IE7 asking for authentication again.

We tried everything we were able to: raising the auth children limit,
disabling Dansguardian, and googling around, with no luck. Below is the auth
configuration.

=====snip====
auth_param digest program /usr/lib/squid/digest_ldap_auth -b ou=People,ou=proxy,ou=Servers,o=MCR -u uid -A l -D cn=nss,o=MCR -w xxxxxxxxx -e -v 3 -h ldap.pm.rosario.gov.ar

auth_param digest realm Clave Navegacion Internet
auth_param digest children 10
=====snip====

-- 
Julio César Gázquez
Area Seguridad Informática -- Int. 736
Municipalidad de Rosario
Received on Wed Apr 30 2008 - 16:30:28 MDT
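
Added example, not part of the original message: a Python triage script for the symptom described above. It parses Squid native access.log lines, flags 407 responses that were logged with a username, and reports how soon the same client and user fetched the same URL successfully. The function names and the `retry_window` parameter are assumptions made for illustration.

```python
import re

# Sample in Squid's native access.log format, one entry per line. The first
# four entries are joined from the log quoted above; the last is constructed
# to show an ordinary first challenge (no username logged).
SAMPLE = """\
1209559977.657 63 192.168.2.223 TCP_MISS/200 655 GET http://www.deautos.com/img/img_flechita.gif lboullo0 FIRST_UP_PARENT/localhost image/gif
1209559978.080 2 192.168.2.223 TCP_DENIED/407 2765 GET http://www.deautos.com/img/img_flechita_blink.gif lboullo0 NONE/- text/html
1209559978.163 87 192.168.2.223 TCP_MISS/200 2772 GET http://www.deautos.com/img/img_vender02.gif lboullo0 FIRST_UP_PARENT/localhost image/gif
1209559978.219 97 192.168.2.223 TCP_MISS/200 707 GET http://www.deautos.com/img/img_flechita_blink.gif lboullo0 FIRST_UP_PARENT/localhost image/gif
1209559980.000 1 192.168.2.50 TCP_DENIED/407 2765 GET http://example.invalid/ - NONE/- text/html
"""

# Fields: time elapsed client result/status bytes method URL user hierarchy type
LINE = re.compile(
    r"^(\d+\.\d+)\s+\d+\s+(\S+)\s+\w+/(\d{3})\s+\d+\s+\S+\s+(\S+)\s+(\S+)\s+\S+\s+\S+$")


def parse(text):
    """Yield one dict per well-formed access.log line; skip anything else."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts, client, status, url, user = m.groups()
            yield {"ts": float(ts), "client": client, "status": int(status),
                   "url": url, "user": user}


def challenged_while_authenticated(entries, retry_window=5.0):
    """Return (user, url, delay) for each 407 logged with a username.

    delay is the time in seconds until the same client and user fetched the
    same URL without a 407, or None if that did not happen within
    retry_window (hypothetical parameter, in seconds).
    """
    entries = list(entries)
    findings = []
    for i, e in enumerate(entries):
        if e["status"] != 407 or e["user"] == "-":
            continue  # not a 407, or a first challenge with no credentials
        retry = next((r for r in entries[i + 1:]
                      if (r["client"], r["user"], r["url"]) ==
                         (e["client"], e["user"], e["url"])
                      and r["status"] != 407
                      and r["ts"] - e["ts"] <= retry_window), None)
        delay = round(retry["ts"] - e["ts"], 3) if retry else None
        findings.append((e["user"], e["url"], delay))
    return findings


if __name__ == "__main__":
    for user, url, delay in challenged_while_authenticated(parse(SAMPLE)):
        print(f"{user}: 407 on {url}, successful retry after {delay}s")
```

Run over a full access.log, the count of findings per user and the share with a delay of None show how often a challenged request was never transparently retried, which is the case that would surface as a new password prompt.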
