Julio Cesar Gazquez wrote:
> Hi.
> 
> We are starting to deploy digest based authentication on a large network, and 
> we found a weird problem: Sometimes authenticated requests are answered by 
> TCP_DENIED/407 responses.
> 
> Below is a sample from the access log:
> 
> 1209559977.471    252 192.168.2.223 TCP_MISS/200 801 GET 
> http://www.deautos.com/img/top02.gif lboullo0 FIRST_UP_PARENT/localhost 
> image/gif
> 1209559977.640     67 192.168.2.223 TCP_MISS/200 9208 GET 
> http://www.deautos.com/img/tmp/img_comprar.jpg lboullo0 
> FIRST_UP_PARENT/localhost image/jpeg
> 1209559977.647     50 192.168.2.223 TCP_MISS/200 9565 GET 
> http://www.deautos.com/img/tmp/img_vender.jpg lboullo0 
> FIRST_UP_PARENT/localhost image/jpeg
> 1209559977.656     77 192.168.2.223 TCP_MISS/200 5629 GET 
> http://www.deautos.com/img/tmp/txt_comprar.jpg lboullo0 
> FIRST_UP_PARENT/localhost image/jpeg
> 1209559977.657     63 192.168.2.223 TCP_MISS/200 655 GET 
> http://www.deautos.com/img/img_flechita.gif lboullo0
> FIRST_UP_PARENT/localhost image/gif
> 1209559978.080      2 192.168.2.223 TCP_DENIED/407 2765 GET 
> http://www.deautos.com/img/img_flechita_blink.gif
> lboullo0 NONE/- text/html
> 1209559978.163     87 192.168.2.223 TCP_MISS/200 2772 GET 
> http://www.deautos.com/img/img_vender02.gif lboullo0
>  FIRST_UP_PARENT/localhost image/gif
> 1209559978.219     97 192.168.2.223 TCP_MISS/200 707 GET 
> http://www.deautos.com/img/img_flechita_blink.gif lboullo0 
> FIRST_UP_PARENT/localhost image/gif
> 
> As you can see, the user is happily sending authenticated requests, yet at one 
> point it receives a 407 response. 
> 
> We are not really sure, but this doesn't seem ok. Worst of all, in certain 
> cases it seems to be the cause of IE7 asking for authentication again.

Asking the user for authentication would be a natural side-effect of not 
having it and being asked to provide it.

> We tried everything we were able to: Raising the auth children limit, 
> disabling Dansguardian, and googled around with no luck. Below is the auth 
> configuration. 

1) Have you tried the auth TTL settings?
2) Are you certain that this is not simply a case of long-ago provided 
credentials timing out in IE?

> 
> =====snip====
> auth_param digest program /usr/lib/squid/digest_ldap_auth 
>   -b ou=People,ou=proxy,ou=Servers,o=MCR -u uid 
>   -A l -D cn=nss,o=MCR -w xxxxxxxxx -e -v 3 -h ldap.pm.rosario.gov.ar
> 
> auth_param digest realm Clave Navegacion Internet
> auth_param digest children 10
> =====snip====
> 
-- 
Please use Squid 2.6.STABLE19 or 3.0.STABLE4

Received on Thu May 01 2008 - 09:07:55 MDT
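
Added example (not part of the original thread, and not Squid project code): a Python script that scans Squid native-format access log lines like those quoted above for 407 responses that carry a username, and reports whether the same client, user and URL succeeded within a short window. The function names and the 5-second window are assumptions; the first sample line is constructed, the others are rejoined from the quoted log.

```python
from collections import namedtuple

Entry = namedtuple("Entry", "ts elapsed client result status size method url user peer ctype")

# Constructed line: a 407 challenge for a request that carried no credentials.
CONSTRUCTED = ("1209559970.100      1 192.168.2.223 TCP_DENIED/407 2765 GET "
               "http://www.deautos.com/ - NONE/- text/html\n")
# Lines rejoined from the wrapped log quoted in the thread.
SAMPLE = CONSTRUCTED + """\
1209559977.657     63 192.168.2.223 TCP_MISS/200 655 GET http://www.deautos.com/img/img_flechita.gif lboullo0 FIRST_UP_PARENT/localhost image/gif
1209559978.080      2 192.168.2.223 TCP_DENIED/407 2765 GET http://www.deautos.com/img/img_flechita_blink.gif lboullo0 NONE/- text/html
1209559978.163     87 192.168.2.223 TCP_MISS/200 2772 GET http://www.deautos.com/img/img_vender02.gif lboullo0 FIRST_UP_PARENT/localhost image/gif
1209559978.219     97 192.168.2.223 TCP_MISS/200 707 GET http://www.deautos.com/img/img_flechita_blink.gif lboullo0 FIRST_UP_PARENT/localhost image/gif
"""

def parse(line):
    """Parse one native-format access.log line; return None if malformed."""
    f = line.split()
    if len(f) < 10:
        return None
    result, _, status = f[3].partition("/")
    try:
        return Entry(float(f[0]), int(f[1]), f[2], result, int(status),
                     int(f[4]), f[5], f[6], f[7], f[8], f[9])
    except ValueError:
        return None

def denied_with_credentials(text, retry_window=5.0):
    """Return 407 entries that carry a username, with retry outcome.

    retry_window (seconds) is an assumed threshold, not a Squid setting.
    Entries are assumed to be in log order (ascending timestamp).
    """
    entries = [e for e in map(parse, text.splitlines()) if e]
    findings = []
    for i, e in enumerate(entries):
        if e.status != 407 or e.user == "-":
            continue  # skip non-407s and challenges with no user logged
        retry = next((r for r in entries[i + 1:]
                      if r.ts - e.ts <= retry_window and r.status != 407
                      and (r.client, r.user, r.url) == (e.client, e.user, e.url)),
                     None)
        findings.append({"ts": e.ts, "user": e.user, "url": e.url,
                         "retried_ok": retry is not None,
                         "retry_delay": round(retry.ts - e.ts, 3) if retry else None})
    return findings

if __name__ == "__main__":
    for finding in denied_with_credentials(SAMPLE):
        print(finding)
```

Counting these findings per user and per hour gives a baseline for comparing before and after a change to the digest settings.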