[squid-users] Squid sends TCP_DENIED/407 even on already authenticated users

From: Julio Cesar Gazquez <jgazque0@dont-contact.us>
Date: Wed, 30 Apr 2008 13:29:59 -0300


We are starting to deploy digest-based authentication on a large network, and
we found a weird problem: sometimes authenticated requests are answered by
TCP_DENIED/407 responses.

Below is a sample from the access log:

1209559977.471 252 TCP_MISS/200 801 GET http://www.deautos.com/img/top02.gif lboullo0 FIRST_UP_PARENT/localhost
1209559977.640 67 TCP_MISS/200 9208 GET http://www.deautos.com/img/tmp/img_comprar.jpg lboullo0 FIRST_UP_PARENT/localhost image/jpeg
1209559977.647 50 TCP_MISS/200 9565 GET http://www.deautos.com/img/tmp/img_vender.jpg lboullo0 FIRST_UP_PARENT/localhost image/jpeg
1209559977.656 77 TCP_MISS/200 5629 GET http://www.deautos.com/img/tmp/txt_comprar.jpg lboullo0 FIRST_UP_PARENT/localhost image/jpeg
1209559977.657 63 TCP_MISS/200 655 GET http://www.deautos.com/img/img_flechita.gif lboullo0 FIRST_UP_PARENT/localhost image/gif
1209559978.080 2 TCP_DENIED/407 2765 GET lboullo0 NONE/- text/html
1209559978.163 87 TCP_MISS/200 2772 GET http://www.deautos.com/img/img_vender02.gif lboullo0 FIRST_UP_PARENT/localhost image/gif
1209559978.219 97 TCP_MISS/200 707 GET http://www.deautos.com/img/img_flechita_blink.gif lboullo0 FIRST_UP_PARENT/localhost image/gif

As you can see, the user is happily sending authenticated requests, yet at one
point it receives a 407 response.

We are not really sure, but this doesn't seem OK. Worst of all, in certain
cases it seems to be the cause of IE7 asking for authentication again.

We tried everything we were able to: raising the auth children limit,
disabling Dansguardian, and googling around, with no luck. Below is the auth

auth_param digest program /usr/lib/squid/digest_ldap_auth -b ou=People,ou=proxy,ou=Servers,o=MCR -u uid -A l -D cn=nss,o=MCR -w xxxxxxxxx -e -v 3 -h ldap.pm.rosario.gov.ar

auth_param digest realm Clave Navegacion Internet
auth_param digest children 10

Julio César Gázquez
Area Seguridad Informática -- Int. 736
Municipalidad de Rosario
Received on Wed Apr 30 2008 - 16:30:28 MDT
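
One way to measure how often the behaviour described above occurs, as an added example that is not part of the original post: this Python sketch scans access-log lines in the layout shown in the message and lists every 407 that carries a user name and arrives shortly after an accepted request from the same user. The sample lines, the user names, the function names and the 30-second window are constructed assumptions.

```python
import re

# Constructed sample in the layout of the excerpt above (no client-address
# column, URL or MIME type sometimes absent); hosts and user names are made up.
SAMPLE_LOG = """\
1209559977.471 252 TCP_MISS/200 801 GET http://example.test/a.gif alice FIRST_UP_PARENT/localhost
1209559977.640 67 TCP_MISS/200 9208 GET http://example.test/b.jpg alice FIRST_UP_PARENT/localhost image/jpeg
1209559978.080 2 TCP_DENIED/407 2765 GET alice NONE/- text/html
1209559978.163 87 TCP_MISS/200 2772 GET http://example.test/c.gif alice FIRST_UP_PARENT/localhost image/gif
1209559980.000 1 TCP_DENIED/407 2765 GET http://example.test/ - NONE/- text/html
1209559990.500 3 TCP_DENIED/407 2765 GET http://example.test/d.gif bob NONE/- text/html
"""

RESULT = re.compile(r"^[A-Z_]+/(\d{3})$")   # e.g. TCP_DENIED/407
HIERARCHY = re.compile(r"^[A-Z_]+/\S+$")    # e.g. FIRST_UP_PARENT/localhost, NONE/-

def parse_line(line):
    """Return (timestamp, http_status, user) or None if the line does not fit."""
    tok = line.split()
    if len(tok) < 7 or not RESULT.match(tok[2]):
        return None
    # The user field is the token right before the hierarchy field.
    for i in range(6, len(tok)):
        if HIERARCHY.match(tok[i]):
            return float(tok[0]), int(tok[2].split("/")[1]), tok[i - 1]
    return None

def mid_session_407s(log_text, window=30.0):
    """List (timestamp, user, seconds_since_last_ok) for 407s that name a user
    and follow a non-407 reply to that same user within `window` seconds.
    Assumption: a 407 logged with a user name carried that user's credentials."""
    last_ok, hits = {}, []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, status, user = rec
        if user == "-":
            continue  # anonymous request: the initial challenge is expected
        if status == 407:
            if user in last_ok and ts - last_ok[user] <= window:
                hits.append((ts, user, round(ts - last_ok[user], 3)))
        else:
            last_ok[user] = ts
    return hits

if __name__ == "__main__":
    for ts, user, gap in mid_session_407s(SAMPLE_LOG):
        print(f"{ts:.3f} {user}: 407 only {gap}s after an accepted request")
```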
