RE: [squid-users] squid 2.7 with auth passthrough

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 01 Dec 2009 12:12:52 +1300

On Mon, 30 Nov 2009 13:38:17 +0100, <vincent.blondel_at_ing.be> wrote:
>> Hello,
>>
>> Can somebody tell me if the WWW-Authenticate header is really functional on
>> Squid 2.7.4, because I spent the whole day trying to help one business
>> user with his application and always receive a 401 error code.

Yes, the WWW-Authenticate header is functional. Squid by default simply
passes it from the receiving connection to the sending connection without
change.

The method of authentication using it may not be able to cope with
stateless HTTP behaviour.

>>
>> My proxy should reach the origin IIS server directly next to the
>> always_direct/never_direct definitions and this is what I see in the
>> logs. This does not work, so I also made a special cache_peer
>> definition and tried with or without connection-auth=on, connection-auth=off .. I
>> also tried with login=PASS but nothing works ...
>>
>> So my question is .. Is that a normal behaviour? Do I do something
>> wrong? Do I have to do something else?

Is the IIS server trying to do NTLM login across the web? This can be a
major headache.

NTLM and NTLM-like authentication assume end-to-end stateful connectivity.
This works okay when only stateful NAT or a hacked-up proxy is being used,
but fails if even one hop across the network is stateless.

For NTLM and Negotiate you need both cache_peer options
"connection-auth=on login=PASS".

Along with:
  client_persistent_connections on
  server_persistent_connections on

NP: if you added "no-connection-auth" to http_port it needs to be absent.

You may also want to raise the connection timeout
"persistent_request_timeout", but do so carefully, since each pconn held in
a locked state by NTLM is one less client connection usable in parallel.

Amos
Received on Mon Nov 30 2009 - 23:12:57 MST
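The checklist in the reply above (cache_peer with both connection-auth=on and login=PASS, both persistent-connection directives on, no no-connection-auth on http_port) is easy to audit mechanically. The script below is an added example, not code from the Squid project or from the thread: it parses a squid.conf fragment into directives and reports which of those settings are missing. The two embedded configurations are constructed samples, and the peer name iis.example.internal and the port numbers are placeholders.

```python
"""Audit a squid.conf fragment for the NTLM/Negotiate pass-through settings
named in the squid-users reply: cache_peer needs connection-auth=on and
login=PASS, client/server persistent connections must be on, and http_port
must not carry no-connection-auth.  Constructed example, not Squid code."""
import shlex

# Constructed sample: the kind of config that yields endless 401s behind Squid.
BROKEN_CONF = """
http_port 3128 no-connection-auth
cache_peer iis.example.internal parent 80 0 no-query originserver connection-auth=off
client_persistent_connections off
server_persistent_connections on
never_direct allow all
"""

# Constructed sample with the settings from the reply applied.
FIXED_CONF = """
http_port 3128
cache_peer iis.example.internal parent 80 0 no-query originserver connection-auth=on login=PASS
client_persistent_connections on
server_persistent_connections on
persistent_request_timeout 1 minute
never_direct allow all
"""


def parse_squid_conf(text):
    """Return a list of (directive, [args]) pairs; comments and blanks dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)
        entries.append((parts[0], parts[1:]))
    return entries


def audit_connection_auth(text):
    """Return a list of findings; an empty list means every setting is present."""
    findings = []
    by_name = {}
    for name, args in parse_squid_conf(text):
        by_name.setdefault(name, []).append(args)

    # http_port must not switch off connection-oriented auth forwarding.
    for args in by_name.get("http_port", []):
        if "no-connection-auth" in args:
            findings.append("http_port %s carries no-connection-auth; remove it" % args[0])

    # cache_peer syntax: hostname type http-port icp-port [options...]
    for args in by_name.get("cache_peer", []):
        peer = args[0] if args else "?"
        opts = set(args[4:])
        if "connection-auth=on" not in opts:
            findings.append("cache_peer %s lacks connection-auth=on" % peer)
        if "login=PASS" not in opts:
            findings.append("cache_peer %s lacks login=PASS" % peer)

    # Both persistent-connection directives should be explicitly on; the last
    # occurrence wins, as Squid applies the final value it reads.
    for directive in ("client_persistent_connections", "server_persistent_connections"):
        values = [a[0].lower() for a in by_name.get(directive, []) if a]
        if not values or values[-1] != "on":
            findings.append("%s is not explicitly on; NTLM needs it on" % directive)

    return findings


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print("%s config:" % label)
        for finding in audit_connection_auth(conf) or ["no findings"]:
            print("  -", finding)
```

Run it against a real squid.conf by reading the file into `audit_connection_auth`; a clean result only confirms the directives are present, not that the upstream IIS server keeps the connection stateful all the way through, which is the second half of the reply's point.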

This archive was generated by hypermail 2.2.0 : Tue Dec 01 2009 - 12:00:04 MST