Re: [squid-users] proxy_auth digest and multiple reverse proxies (siblings)

From: Deepak Rao <deepak.rao.257_at_gmail.com>
Date: Fri, 29 Jan 2010 10:00:41 +0530

On Thu, Jan 28, 2010 at 12:39 AM, Luis Daniel Lucio Quiroz
<luis.daniel.lucio_at_gmail.com> wrote:
> On Wednesday 27 January 2010 12:05:32, Deepak Rao wrote:
>> Hi,
>>
>> I have a squid setup requirement in my project for which I could not
>> find an answer. Any pointers will be helpful...
>>
>> The setup is as follows: I have multiple reverse proxies serving web
>> pages to clients. A load balancer front-ends the reverse proxies. The
>> reverse proxies can be configured as siblings.
>>
>> The client requests contain HTTP Digest headers and need to be
>> authenticated at my server side (using proxy_auth?) The requests from
>> a client can be served by any of the reverse proxies & no state is
>> maintained on the server. Stickiness is also not possible.
>>
>> The issue is:
>> When the first request (REQ1) comes from client 1, server responds
>> back with 401 Unauthorized (WWW-Authenticate) and sets a nonce value
>> (N1) [all this is handled by the reverse proxy itself]
>>
>> Now when the client 1 sends the request (REQ1) again with all the
>> digest headers (using nonce N1), this request is received by another
>> reverse proxy. For this reverse proxy, the nonce N1 is unknown and
>> hence it returns again 401 Unauthorized as response with stale=true
>> for the nonce N1! Thus the request is never getting served rightly.
>>
>> How do I handle this scenario? Is there a way to make all reverse
>> proxies share the same nonce pool?
>>
>> Any other alternatives for my requirement are also welcome.
>>
>> Thanks,
>> Deepak
>
>
> Easygoing, if you are using digest auth, use some persistency in your balances
> et voila! you are done.  don't use RoundRobin,
>

Yes, that would be the best way. Unfortunately, the servers are hosted
on third party infrastructure and their load balancer does not provide
any stickiness. The load balancer just uses round-robin to pass
requests to various reverse-proxies.
Received on Fri Jan 29 2010 - 04:30:49 MST
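
The stale=true loop described in this thread arises because each proxy only recognises nonces it issued itself. As an added example (not code from the thread and not a Squid feature or configuration option), the following shows the stateless nonce construction suggested in RFC 2617 section 3.2.1, a timestamp plus a keyed hash, which any server holding the same key can validate; the key, realm, TTL, skew and function names are assumptions.

```python
import base64
import hashlib
import hmac
import time

# Constructed sample key (assumption): each proxy behind the balancer
# would load the same secret from its own protected configuration.
SHARED_KEY = b"constructed-sample-key-not-for-production"
NONCE_TTL = 300   # seconds a nonce stays acceptable (assumed value)
CLOCK_SKEW = 30   # tolerated clock difference between proxies (assumed)


def _mac(key, ts, realm):
    # Keyed hash binding the timestamp to the realm.
    return hmac.new(key, f"{ts}:{realm}".encode(), hashlib.sha256).digest()


def make_nonce(key, realm, now=None):
    """Issue a nonce that carries its own timestamp and integrity check."""
    ts = int(time.time() if now is None else now)
    raw = ts.to_bytes(8, "big") + _mac(key, ts, realm)
    return base64.urlsafe_b64encode(raw).decode()


def check_nonce(key, realm, nonce, now=None):
    """Return 'ok', 'stale' or 'invalid' using no stored nonce list."""
    now = int(time.time() if now is None else now)
    try:
        raw = base64.urlsafe_b64decode(nonce)
    except ValueError:            # binascii.Error is a ValueError subclass
        return "invalid"
    if len(raw) != 8 + 32:
        return "invalid"
    ts = int.from_bytes(raw[:8], "big")
    if not hmac.compare_digest(raw[8:], _mac(key, ts, realm)):
        return "invalid"          # forged, or issued under another key/realm
    if ts - now > CLOCK_SKEW:
        return "invalid"          # timestamp too far in the future
    if now - ts > NONCE_TTL:
        return "stale"            # genuine but expired: answer stale=true
    return "ok"


if __name__ == "__main__":
    n1 = make_nonce(SHARED_KEY, "example-realm")        # issued by proxy A
    print(check_nonce(SHARED_KEY, "example-realm", n1))  # checked by proxy B
```

Because no server remembers which nonces or nonce-count values it has seen, a captured request can be replayed until the TTL expires; the TTL is the only replay bound in this design, so it should be short and the connection protected by TLS.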
