RE: [squid-users] Squid/NTLM and site timeouts

From: Jason Gauthier <jgauthier_at_lastar.com>
Date: Sun, 12 Feb 2012 01:34:08 +0000

-----Original Message-----
From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
Sent: Saturday, February 11, 2012 8:55 AM
To: squid-users_at_squid-cache.org
Subject: Re: [squid-users] Squid/NTLM and site timeouts

On 12/02/2012 2:30 a.m., Jason Gauthier wrote:
> All,
>
> I have a Squid and NTLM implementation. I've had one for years, and always have been pretty pleased with it. There has always been one quirk, and I've decided to ask about it in case there is a known solution.
>
> Typically, NTLM requires a back and forth of authentication. Whenever a site is very slow to respond, or down and times out, my browsers display an authentication prompt to the end user. I noticed this happens sometimes even after the full page is loaded, and an advertisement or some other element takes a long time to load.

>This behaviour sounds more like the slowness is being caused by NTLM itself being slow or failing. The domain lookups and connections do not even start to happen until NTLM login to the proxy is already successfully completed.

>The prompt is a browser feature. Squid has nothing to do with it besides the coincidence that the browser may choose to do it whenever Squid asks for credentials. The modern ones usually only try it after automatic logins like NTLM have been tried and failed.

You would think that is the case, but it's not. I can demonstrate this. I've created a PHP page that just loads text.
http://www.pendulus.org/loaddirect.php

Squid logs:
1329009688.461 0 192.168.71.117 TCP_DENIED/407 4051 GET http://www.pendulus.org/loaddirect.php - NONE/- text/html
1329009688.552 1 192.168.71.117 TCP_DENIED/407 4308 GET http://www.pendulus.org/loaddirect.php - NONE/- text/html
1329009688.822 187 192.168.71.117 TCP_MISS/200 330 GET http://www.pendulus.org/loaddirect.php jgauthier DIRECT/69.135.186.43 text/html

This worked exactly as expected.

I created one with a 30 second delay:
http://www.pendulus.org/loadshortpause.php

Squid logs:
1329010018.324 1 192.168.71.117 TCP_DENIED/407 4067 GET http://www.pendulus.org/loadshortpause.php - NONE/- text/html
1329010018.473 0 192.168.71.117 TCP_DENIED/407 4332 GET http://www.pendulus.org/loadshortpause.php - NONE/- text/html
1329010048.720 30194 192.168.71.117 TCP_MISS/200 330 GET http://www.pendulus.org/loadshortpause.php jgauthier DIRECT/69.135.186.43 text/html

Notice my username does not appear until *after* the 30 second pause that's inside the web page.

Lastly, I created one with a 300 second delay in it.
http://www.pendulus.org/loadpause.php

Squid logs:
1329009789.283 0 192.168.71.117 TCP_DENIED/407 4047 GET http://www.pendulus.org/loadpause.php - NONE/- text/html
1329009789.372 0 192.168.71.117 TCP_DENIED/407 4312 GET http://www.pendulus.org/loadpause.php - NONE/- text/html
1329009909.439 120024 192.168.71.117 TCP_MISS/000 0 GET http://www.pendulus.org/loadpause.php jgauthier DIRECT/69.135.186.43 -
1329009909.534 0 192.168.71.117 TCP_DENIED/407 4331 GET http://www.pendulus.org/loadpause.php - NONE/- text/html

At the point the second two log entries are created, the browser also prompted me for credentials again.
The gap in time is two minutes.
After two minutes, I am re-prompted by the browser. This is what I am describing: the situation I want to stop from occurring.

Thanks,

Jason
Received on Sun Feb 12 2012 - 01:34:17 MST
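
Added example, not part of the original message: a small Python check that scans Squid's native access.log format for the pattern shown in the third test above, an authenticated request that ends with status 000 and is followed almost immediately by a fresh 407 for the same client and URL. The function names and the 2-second matching window are assumptions made for this example.

```python
# Added example: the log lines are copied from the message above.
from collections import namedtuple

Entry = namedtuple("Entry", "ts elapsed_ms client result status url user")

SAMPLE_LOG = """\
1329009688.461 0 192.168.71.117 TCP_DENIED/407 4051 GET http://www.pendulus.org/loaddirect.php - NONE/- text/html
1329009688.552 1 192.168.71.117 TCP_DENIED/407 4308 GET http://www.pendulus.org/loaddirect.php - NONE/- text/html
1329009688.822 187 192.168.71.117 TCP_MISS/200 330 GET http://www.pendulus.org/loaddirect.php jgauthier DIRECT/69.135.186.43 text/html
1329010018.324 1 192.168.71.117 TCP_DENIED/407 4067 GET http://www.pendulus.org/loadshortpause.php - NONE/- text/html
1329010018.473 0 192.168.71.117 TCP_DENIED/407 4332 GET http://www.pendulus.org/loadshortpause.php - NONE/- text/html
1329010048.720 30194 192.168.71.117 TCP_MISS/200 330 GET http://www.pendulus.org/loadshortpause.php jgauthier DIRECT/69.135.186.43 text/html
1329009789.283 0 192.168.71.117 TCP_DENIED/407 4047 GET http://www.pendulus.org/loadpause.php - NONE/- text/html
1329009789.372 0 192.168.71.117 TCP_DENIED/407 4312 GET http://www.pendulus.org/loadpause.php - NONE/- text/html
1329009909.439 120024 192.168.71.117 TCP_MISS/000 0 GET http://www.pendulus.org/loadpause.php jgauthier DIRECT/69.135.186.43 -
1329009909.534 0 192.168.71.117 TCP_DENIED/407 4331 GET http://www.pendulus.org/loadpause.php - NONE/- text/html
"""

def parse_line(line):
    """Parse one line of Squid's native access.log format; None if malformed."""
    f = line.split()
    try:
        result, _, status = f[3].partition("/")  # e.g. TCP_MISS/000
        return Entry(float(f[0]), int(f[1]), f[2], result, int(status), f[6], f[7])
    except (IndexError, ValueError):
        return None

def find_reprompts(lines, window=2.0):
    """Return (aborted, rechallenge) pairs: an authenticated request logged with
    status 000, then a 407 for the same client and URL within `window` seconds
    (the window is an assumption of this example, not a Squid setting)."""
    entries = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e.ts)
    hits = []
    for i, e in enumerate(entries):
        if e.status != 0 or e.user == "-":
            continue  # only authenticated requests that ended without a reply
        for nxt in entries[i + 1:]:
            if nxt.ts - e.ts > window:
                break
            if nxt.status == 407 and (nxt.client, nxt.url) == (e.client, e.url):
                hits.append((e, nxt))
                break
    return hits

if __name__ == "__main__":
    for aborted, challenge in find_reprompts(SAMPLE_LOG.splitlines()):
        print(f"{aborted.user}@{aborted.client} {aborted.url}: no reply after "
              f"{aborted.elapsed_ms} ms, 407 again {challenge.ts - aborted.ts:.3f} s later")
```

Run over a full access.log, the same check shows how often users hit the re-prompt and which URLs trigger it.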
