Re: [squid-users] Authentication problem/oddity/ignorance

From: Rob Asher <rasher_at_paragould.k12.ar.us>
Date: Thu, 29 May 2008 08:18:33 -0500

>>> Chris Robertson <crobertson_at_gci.net> 5/28/2008 5:03 PM >>>
> Proxies. Plural. How are you spreading the traffic among the proxies?
> A number of authentication requiring websites associate login
> credentials with a source IP. Using a round robin load balancer
> (without source NATing the outgoing requests from the multiple proxies)
> can cause issues with such sites. As well, using authentication on an
> intercepting (also called a transparent) proxy can cause issues such as
> this.

The traffic isn't being balanced among the proxies. I have multiple locations, 4 to be exact, all trying to access the same site with the same results. Each location uses its own proxy. None of them are transparent and they all require authentication back to a single central LDAP server.

> TCP_MISS/401 indicates the website returned a "Not Authorized" response,
> which should cause your browser to prompt for authentication.

With IE7, I get one prompt and then the "cannot display the webpage" message. With FF2, the prompt keeps popping up even with a valid login entry for the site until it's canceled.

> Wow. Not a single TCP_MISS/200 or TCP_HIT/200. The only requests that
> succeeded were cached content (TCP_MISS/304, with a parent of NONE).
> So, from the evidence given, the machine that is "working" only appears
> to be working because it is able to wrest a response from the cache that
> allows it to use its locally cached copy...

OK... here's another bit from access.log with the TCP_MISS/200 from the "working" machine. My fault on the previous one in that all I visited were things that I'd already been to and cached. There are a lot of 401s in this but I only had to authenticate to the proxy itself and then once for the site.

[root_at_phs-proxy squid]# tail -f access.log | grep www.k12.ar.us
1212065905.682 182 170.211.125.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
1212065923.714 699 170.211.125.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
1212065923.738 24 170.211.125.31 TCP_MISS/304 414 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher NONE/- -
1212065923.793 54 170.211.125.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher NONE/- text/html
1212065923.818 24 170.211.125.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher NONE/- text/html
1212065923.856 38 170.211.125.31 TCP_MISS/404 1991 GET http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher NONE/- text/html
1212065924.027 41 170.211.125.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/bg.jpg rasher DIRECT/165.29.214.2 text/html
1212065924.051 23 170.211.125.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/bg.jpg rasher DIRECT/165.29.214.2 text/html
1212065924.064 39 170.211.125.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/topmenu.jpg rasher DIRECT/165.29.214.2 text/html
1212065924.073 21 170.211.125.31 TCP_MISS/304 413 GET http://www.k12.ar.us/secure/smspo/bg.jpg rasher NONE/- -
1212065924.088 23 170.211.125.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/topmenu.jpg rasher DIRECT/165.29.214.2 text/html
1212065924.105 38 170.211.125.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/mid.jpg rasher DIRECT/165.29.214.2 text/html
1212065924.109 21 170.211.125.31 TCP_MISS/304 412 GET http://www.k12.ar.us/secure/smspo/topmenu.jpg rasher NONE/- -
1212065924.128 23 170.211.125.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/mid.jpg rasher NONE/- text/html
1212065924.154 26 170.211.125.31 TCP_MISS/304 413 GET http://www.k12.ar.us/secure/smspo/mid.jpg rasher NONE/- -
1212065933.702 855 170.211.125.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/caja/PrepareForNextYearScheduling.pdf rasher DIRECT/165.29.214.2 text/html
1212065933.726 24 170.211.125.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/caja/PrepareForNextYearScheduling.pdf rasher NONE/- text/html
1212065936.319 2593 170.211.125.31 TCP_MISS/200 96327 GET http://www.k12.ar.us/secure/smspo/caja/PrepareForNextYearScheduling.pdf rasher NONE/- application/pdf
1212065961.927 79 170.211.125.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher NONE/- text/html
1212065961.952 23 170.211.125.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher DIRECT/165.29.214.2 text/html
1212065962.164 212 170.211.125.31 TCP_MISS/200 48057 GET http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher NONE/- application/pdf
1212065962.236 71 170.211.125.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher NONE/- text/html
1212065962.260 24 170.211.125.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher NONE/- text/html
1212065962.661 400 170.211.125.31 TCP_MISS/206 176993 GET http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher NONE/- multipart/byteranges

If you have any suggestions on what else to look for, I'm willing to try about anything. I captured some of the headers in FF on both the working and a nonworking machine but I can't make any sense of them. Also, if running tcpdump would help, I'm game to try that as well.

Thanks,
Rob

-- 
Rob Asher
Network Systems Technician
Paragould School District
(870)236-7744 Ext. 169
Received on Thu May 29 2008 - 13:19:03 MDT

This archive was generated by hypermail 2.2.0 : Tue Aug 05 2008 - 01:05:14 MDT
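
Added example, not part of the original message or of Squid: a small Python parser for the native access.log lines shown above. It groups requests by client and URL and separates challenge sequences that end in a non-401 response from ones that only ever see 401. The 192.0.2.10 lines and the user name testuser are constructed.

```python
import re
from collections import defaultdict

# Squid native format: time elapsed client code/status bytes method URL user hier/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+[A-Z_]+/(?P<status>\d{3})\s+\d+\s+"
    r"\S+\s+(?P<url>\S+)\s+\S+\s+\S+\s+\S+\s*$"
)

# The 170.211.125.31 lines are taken from the post above; the 192.0.2.10 lines are
# constructed to model a client whose site credentials are never accepted.
SAMPLE_LOG = """\
1212065905.682 182 170.211.125.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
1212065923.714 699 170.211.125.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
1212065923.738 24 170.211.125.31 TCP_MISS/304 414 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher NONE/- -
1212065933.702 855 170.211.125.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/caja/PrepareForNextYearScheduling.pdf rasher DIRECT/165.29.214.2 text/html
1212065933.726 24 170.211.125.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/caja/PrepareForNextYearScheduling.pdf rasher NONE/- text/html
1212065936.319 2593 170.211.125.31 TCP_MISS/200 96327 GET http://www.k12.ar.us/secure/smspo/caja/PrepareForNextYearScheduling.pdf rasher NONE/- application/pdf
1212066000.100 180 192.0.2.10 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/smspo.htm testuser DIRECT/165.29.214.2 text/html
1212066009.250 175 192.0.2.10 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/smspo.htm testuser DIRECT/165.29.214.2 text/html
1212066018.400 178 192.0.2.10 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/smspo.htm testuser DIRECT/165.29.214.2 text/html
"""

def parse(text):
    """Yield (client, url, ts, status) per well-formed line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["client"], m["url"], float(m["ts"]), int(m["status"])

def auth_outcomes(text):
    """Map (client, url) -> (401s seen before the first non-401, outcome)."""
    seqs = defaultdict(list)
    for client, url, _ts, status in sorted(parse(text), key=lambda r: r[2]):
        seqs[(client, url)].append(status)
    result = {}
    for key, statuses in seqs.items():
        challenges, outcome = 0, "stuck"   # "stuck": nothing but 401 was ever logged
        for s in statuses:
            if s != 401:                   # any other status means auth got through
                outcome = "answered"
                break
            challenges += 1
        result[key] = (challenges, outcome)
    return result

def stuck_clients(text, min_challenges=2):
    """Clients with at least one URL that was challenged repeatedly and never answered."""
    return sorted({c for (c, _u), (n, o) in auth_outcomes(text).items()
                   if o == "stuck" and n >= min_challenges})
```

Run against the full access.log from a working and a nonworking machine, the per-URL counts make the difference between the two visible without reading the log line by line.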