RE: [squid-users] squid 2.7 with auth passthrough

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 01 Dec 2009 12:18:20 +1300

On Tue, 01 Dec 2009 12:12:52 +1300, Amos Jeffries <squid3_at_treenet.co.nz>
wrote:
> On Mon, 30 Nov 2009 13:38:17 +0100, <vincent.blondel_at_ing.be> wrote:
>>> Hello,
>>>
>>> Can somebody tell me if the WWW-Authenticate header is really functional on
>>> Squid 2.7.4, because I spent the whole day trying to help one business
>>> user with his application and always receive a 401 error code.
>
> Yes, the WWW-Authenticate header is functional. Squid by default simply
> passes it from the receiving connection to the sending connection without
> change.
>
> The method of authentication using it may not be able to cope with
> stateless HTTP behaviour.
>
>>>
>>> My proxy should reach the origin IIS server directly according to the
>>> always_direct/never_direct definitions, and this is what I see in the
>>> logs. This does not work, so I also made a special cache_peer
>> definition
>>> and tried with or without connection-auth=on, connection-auth=off. I
>>> also tried with login=PASS but nothing works ...
>>>
>>> So my question is: is that normal behaviour? Am I doing something
>>> wrong? Do I have to do something else?
>
> Is the IIS server trying to do NTLM login across the web? This can be a
> major headache.
>
> NTLM and NTLM-like authentication assume end-to-end stateful connectivity.
> This works okay when only stateful NAT or a hacked-up proxy is being used.
> But fails if even one hop across the network is stateless.
>
> For NTLM and Negotiate you need both cache_peer options
> "connection-auth=on login=PASS"

Nearly forgot: If regular proxy authentication is also being used the
"originserver" setting cannot be used with NTLM cache_peer pass-thru.

>
> Along with:
> client_persistent_connections on
> server_persistent_connections on
>
> NP: if you added "no-connection-auth" to http_port it needs to be absent.
>
> You may also want to raise the connection timeout
> "persistent_request_timeout" but do so carefully, since each pconn held in
> a locked state by NTLM is N less client connections usable in parallel.
>

Amos
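The settings Amos lists above, collected into one squid.conf fragment. This is an added example for readers of the archive, not configuration from the original thread or from the Squid project; the peer hostname, the ACL name, the listening port and the timeout value are placeholders chosen for illustration.

```conf
# Added example (not from the original thread): route requests for one IIS
# origin through a cache_peer with NTLM/Negotiate pass-through, per the
# advice above. iis.example.internal, the iis_site ACL, port 3128 and the
# 2-minute timeout are placeholders, not values from the original post.

# http_port must NOT carry "no-connection-auth"; leaving it off keeps
# connection-oriented (NTLM/Negotiate) authentication pinnable to the
# client connection.
http_port 3128

# Parent peer for the IIS box. Both connection-auth=on and login=PASS are
# required for NTLM and Negotiate pass-through. Per the caveat above, do
# not add "originserver" here if regular proxy authentication is also in use.
cache_peer iis.example.internal parent 80 0 no-query no-digest connection-auth=on login=PASS name=iisntlm

# Send only requests for the IIS host to that peer; never let them go
# direct, so the pinned connection is always used.
acl iis_site dstdomain iis.example.internal
cache_peer_access iisntlm allow iis_site
cache_peer_access iisntlm deny all
never_direct allow iis_site

# Persistent connections on both sides are required: the NTLM handshake
# spans several requests on one TCP connection, and any stateless hop
# breaks it.
client_persistent_connections on
server_persistent_connections on

# Optional: hold idle pinned connections longer so slow handshakes finish.
# Each pinned connection is one fewer client connection usable in parallel,
# so raise this with care. The value here is a placeholder.
persistent_request_timeout 2 minutes
```

Check the file with `squid -k parse` before reloading; the cache_peer line is the one most likely to be mistyped, and a syntax error there leaves the peer undefined while the never_direct rule still forbids going direct, so the IIS site would become unreachable rather than merely unauthenticated.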
Received on Mon Nov 30 2009 - 23:18:23 MST

This archive was generated by hypermail 2.2.0 : Tue Dec 01 2009 - 12:00:04 MST