Re: [squid-users] Connection pinning (NTLM pass through)

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 27 May 2012 23:22:05 +1200

On 26/05/2012 8:31 a.m., Petter Abrahamsson wrote:
> Hi,
>
> I'm trying to get NTLM pass through to work with squid 3.1.19. I have
> followed the instructions found on the wiki[1] on connection pinning
> but I just keep receiving 401 status messages.
> Below is the very simple squid.conf that I'm using for this test.
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32 ::1
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> http_port 8080 connection-auth=on
> hierarchy_stoplist cgi-bin ?
> coredump_dir /var/cache/squid
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
> And below is the corresponding access.log entries with obfuscated ip
> addresses and host names.
>
> 1337976537.852 63 192.168.12.214 TCP_MISS/401 466 GET
> http://www.example.net/directory/ - DIRECT/x.x.x.x text/html
> 1337976550.714 29 192.168.12.214 TCP_MISS/401 1074 GET
> http://www.example.net/directory/ - DIRECT/x.x.x.x text/html
> 1337976551.025 57 192.168.12.214 TCP_MISS/401 466 GET
> http://www.example.net/directory/ - DIRECT/x.x.x.x text/html
> 1337976554.627 57 192.168.12.214 TCP_MISS/401 1074 GET
> http://www.example.net/directory/ - DIRECT/x.x.x.x text/html
> 1337976558.006 3128 192.168.12.214 TCP_MISS/401 466 GET
> http://www.example.net/directory/ - DIRECT/x.x.x.x text/html
> 1337976559.462 59 192.168.12.214 TCP_MISS/401 1074 GET
> http://www.example.net/directory/ - DIRECT/x.x.x.x text/html
> 1337976559.760 56 192.168.12.214 TCP_MISS/401 466 GET
> http://www.example.net/directory/ - DIRECT/x.x.x.x text/html
>
> I feel like I'm missing something obvious since the instructions on
> the wiki are quite simple.
> When I try the same website through a v2.7 squid it lets me login.
> Let me know if any other information is needed.
> Any help would be very much appreciated.

Check the HTTP headers at each point before/after Squid for keep-alive.
There is something a little strange going on with HTTP/1.1 connections
to servers and NTLM keep-alive in 3.1.19. If you are able to do some
code digging that would help as well.

Amos
Received on Sun May 27 2012 - 11:22:17 MDT
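Added example, not part of either message: one way to run the keep-alive check suggested in the reply over response headers captured on each side of Squid. NTLM authenticates the TCP connection, so the 401 that carries the challenge token must leave the connection open; the captures, the token and the hop names below are constructed for illustration.

```python
# Added example. The captures below are constructed, not taken from the thread.

def parse_head(raw):
    """Split a raw HTTP response head into (version, status, headers)."""
    lines = raw.strip().splitlines()
    version, status = lines[0].split()[:2]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return version, int(status), headers

def stays_open(version, headers):
    """HTTP/1.1 persists unless 'close'; HTTP/1.0 persists only with 'keep-alive'."""
    tokens = {t.strip().lower()
              for v in headers.get("connection", []) for t in v.split(",")}
    if "close" in tokens:
        return False
    return version == "HTTP/1.1" or "keep-alive" in tokens

def carries_ntlm_challenge(status, headers):
    """True for a 401 whose WWW-Authenticate is 'NTLM <token>' (the challenge step)."""
    for value in headers.get("www-authenticate", []):
        parts = value.split()
        if status == 401 and len(parts) == 2 and parts[0].upper() == "NTLM":
            return True
    return False

def first_breaking_hop(captures):
    """Return the first hop that closes the connection mid-handshake, else None."""
    for hop, raw in captures:
        version, status, headers = parse_head(raw)
        if carries_ntlm_challenge(status, headers) and not stays_open(version, headers):
            return hop
    return None

# Constructed captures of the same 401 on each side of the proxy.
TOKEN = "TlRMTVNTUAACAAAA"  # constructed placeholder, not a real challenge
CAPTURES = [
    ("server->proxy", f"HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: NTLM {TOKEN}\r\n"
                      "Content-Length: 0\r\n"),
    ("proxy->client", f"HTTP/1.0 401 Unauthorized\r\nWWW-Authenticate: NTLM {TOKEN}\r\n"
                      "Connection: close\r\n"),
]

if __name__ == "__main__":
    print("handshake breaks at:", first_breaking_hop(CAPTURES))
```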
