Re: [squid-users] Connection Pinning in 3.1.x

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 31 Jan 2011 22:09:27 +0000

On Mon, 31 Jan 2011 16:20:45 +1030, Michael Hendrie
<michael_at_hendrie.id.au>
wrote:
> Hello List,
>
> I need to use a version with connection pinning and was hoping to use
> 3.1.10 but I've run into a problem using a cache_peer that requires NTLM
> authentication. In my tests I'm able to get 3 authenticated requests
> through the parent (access.log on parent shows they have been
> authenticated) before the client starts to receive a pop-up to enter
> credentials. In the test, child and parent are on the same LAN segment
so
> there is nothing in between doing any port translations, etc.
>
> The relevant parts of my config:
>
> cache_peer 172.16.50.45 parent 8080 0 no-query proxy-only default
> login=PASS
> never_direct allow all
> persistent_connection_after_error on
>
> I have also tried adding "connection-auth=on" to both the cache_peer and
> http_port directives but this hasn't helped the situation.
>
> Testing with squid-2.7STABLE9 doesn't show the above issue, connection
> pinning seems to work perfectly to the parent proxy. I have also tried
> 3.1.9 and 3.1.8 in case it was something that was unexpectedly
introduced
> in the latest version but they fail also.
>
> I should point out that in my tests using 3.1.x talking to an origin
> server requiring NTLM works perfectly, only to a cache_peer fails.
>
> Does anyone have any ideas as to why this is failing, or a 3.1.x talking
> to an NTLM parent and if so could you please share your exact 3.1.x
version
> and relevant config.
>
> Thanks
> Mick

3.1.10 has one known situation. When the server replies with
unknown-length or chunked replies squid has no choice but to close the TCP
link at the end of the object transfer. Breaking NTLM pinning. This is very
common with dynamic content websites.

Other than that situation it should be working.

You can get a debug trace of the keep-alive actions with "debug_options
33,2 88,5" search for "clientReplyStatus:" and "clientBuildReplyHeader:"

Amos
Received on Mon Jan 31 2011 - 22:09:30 MST

This archive was generated by hypermail 2.2.0 : Tue Feb 01 2011 - 12:00:04 MST