Re: [squid-users] Connection Pinning in 3.1.x

From: Michael Hendrie <michael_at_hendrie.id.au>
Date: Wed, 2 Feb 2011 00:33:41 +1030

On 01/02/2011, at 8:39 AM, Amos Jeffries wrote:

> On Mon, 31 Jan 2011 16:20:45 +1030, Michael Hendrie
> <michael_at_hendrie.id.au>
> wrote:
>> Hello List,
>>
>> I need to use a version with connection pinning and was hoping to use
>> 3.1.10 but I've run into a problem using a cache_peer that requires NTLM
>> authentication. In my tests I'm able to get 3 authenticated requests
>> through the parent (access.log on parent shows they have been
>> authenticated) before the client starts to receive a pop-up to enter
>> credentials. In the test, child and parent are on the same LAN segment
>> so there is nothing in between doing any port translations, etc.
>>
>> The relevant parts of my config:
>>
>> cache_peer 172.16.50.45 parent 8080 0 no-query proxy-only default
>> login=PASS
>> never_direct allow all
>> persistent_connection_after_error on
>>
>> I have also tried adding "connection-auth=on" to both the cache_peer and
>> http_port directives but this hasn't helped the situation.
>>
>> Testing with squid-2.7STABLE9 doesn't show the above issue, connection
>> pinning seems to work perfectly to the parent proxy. I have also tried
>> 3.1.9 and 3.1.8 in case it was something that was unexpectedly
>> introduced in the latest version but they fail also.
>>
>> I should point out that in my tests using 3.1.x talking to an origin
>> server requiring NTLM works perfectly, only to a cache_peer fails.
>>
>> Does anyone have any ideas as to why this is failing, or have a 3.1.x
>> talking to an NTLM parent, and if so could you please share your exact
>> 3.1.x version and relevant config.
>>
>> Thanks
>> Mick
>
> 3.1.10 has one known situation. When the server replies with
> unknown-length or chunked replies squid has no choice but to close the TCP
> link at the end of the object transfer. Breaking NTLM pinning. This is very
> common with dynamic content websites.
>
> Other than that situation it should be working.
>
> You can get a debug trace of the keep-alive actions with "debug_options
> 33,2 88,5" search for "clientReplyStatus:" and "clientBuildReplyHeader:"
>
So I tested with these debug options and, while there was a lot of data, nothing seemed to jump out of the log at me, so Wireshark time. What I see for the failed requests is that 3.1.x seems not to be correctly setting the "Connection" or "Proxy-Connection" header on the request carrying the type 1 message (NTLMSSP_NEGOTIATE), which is needed for NTLM connection pinning to function. Examples are as follows:

Client Request -> Child (squid-3.1.10)

GET http://www.google.com.au/images/cb_r.gif HTTP/1.1
Host: www.google.com.au
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.google.com.au/
Proxy-Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=

Child Request (squid-3.1.10) -> Parent (squid-3.0.STABLE19)

GET http://www.google.com.au/images/cb_r.gif HTTP/1.1
Host: www.google.com.au
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Referer: http://www.google.com.au/
Proxy-Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
Via: 1.1 3110-child (squid/3.1.10)
X-Forwarded-For: unknown
Cache-Control: max-age=259200

On the return, 3.1.10 is also not setting Connection/Proxy-Connection: close as it should:

Parent Response (squid-3.0.STABLE19) -> Child (squid-3.1.10) (I believe this 407 contains only a BASIC offering now because the request didn't have keep-alive set; the first time the request got 407'd it contained both NTLM and BASIC, hence the client tried with NTLM)

HTTP/1.0 407 Proxy Authentication Required
Server: squid/3.0.STABLE19
Mime-Version: 1.0
Date: Tue, 01 Feb 2011 13:36:30 GMT
Content-Type: text/html
Content-Length: 2517
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Proxy-Authenticate: Basic realm="BASIC"
X-Cache: MISS from parent
Via: 1.0 parent (squid/3.0.STABLE19)
Proxy-Connection: close

Child (squid-3.1.10) Response -> Client

HTTP/1.0 407 Proxy Authentication Required
Server: squid/3.0.STABLE19
Mime-Version: 1.0
Date: Tue, 01 Feb 2011 13:36:30 GMT
Content-Type: text/html
Content-Length: 2517
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Proxy-Authenticate: Basic realm="BASIC"
X-Cache: MISS from parent
X-Cache: MISS from 3110-child
Via: 1.0 parent (squid/3.0.STABLE19), 1.0 3110-child (squid/3.1.10)
Connection: keep-alive

Any idea why this would be occurring?

> Amos
>
Received on Tue Feb 01 2011 - 14:03:45 MST
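A small checker for the two symptoms described in this message, added here as an example and not Squid code or anything from the poster: it decodes the NTLM token to confirm it is a Type 1 (NEGOTIATE) message, flags a hop that forwards that message without a keep-alive connection token, and flags a relayed 407 whose connection token no longer matches what the parent sent. The sample messages are constructed, trimmed from the captures above.

```python
import base64, struct

NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
# Constructed samples, trimmed from the captures in the post above.
CLIENT_TO_CHILD = """GET http://www.google.com.au/images/cb_r.gif HTTP/1.1
Host: www.google.com.au
Proxy-Connection: keep-alive
Proxy-Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA="""
CHILD_TO_PARENT = """GET http://www.google.com.au/images/cb_r.gif HTTP/1.1
Host: www.google.com.au
Proxy-Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA="""
PARENT_407 = "HTTP/1.0 407 Proxy Authentication Required\nProxy-Connection: close"
CHILD_407 = "HTTP/1.0 407 Proxy Authentication Required\nConnection: keep-alive"

def parse_headers(raw):
    """Split a raw HTTP message into (start line, {lowercase name: value})."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def connection_token(headers):
    """Proxy-Connection takes precedence over Connection on a proxy hop."""
    return (headers.get("proxy-connection") or headers.get("connection") or "").lower()

def ntlm_message_type(auth_value):
    """Type of an 'NTLM <base64>' token: 8-byte 'NTLMSSP\\0' signature, then LE uint32."""
    if not auth_value.upper().startswith("NTLM "):
        return None
    blob = base64.b64decode(auth_value[5:])
    if len(blob) < 12 or blob[:8] != b"NTLMSSP\x00":
        return None
    return struct.unpack("<I", blob[8:12])[0]

def pinning_findings(raw_request):
    """Explain why this hop would break NTLM pinning; an empty list means it looks fine."""
    _, h = parse_headers(raw_request)
    mtype = ntlm_message_type(h.get("proxy-authorization", ""))
    if mtype is None or "keep-alive" in connection_token(h):
        return []
    return [f"NTLM {NTLM_TYPES.get(mtype, mtype)} forwarded without keep-alive"]

def relay_mismatch(upstream_response, downstream_response):
    """True when the parent said close but the child relayed keep-alive to the client."""
    _, up = parse_headers(upstream_response)
    _, down = parse_headers(downstream_response)
    return connection_token(up) == "close" and connection_token(down) == "keep-alive"
```

Run against the four samples, the client-to-child request passes, the child-to-parent request is flagged, and the relayed 407 is reported as a mismatch.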

This archive was generated by hypermail 2.2.0 : Tue Feb 01 2011 - 12:00:04 MST