[squid-users] Question about "proxy_auth REQUIRED" and the case of flushing the authentication-cache

From: Tom Tom <tomtux007_at_gmail.com>
Date: Thu, 21 Feb 2013 09:47:26 +0100

Hi

With squid 3.2.7, I have the following curiosity:

SCENARIO 1
<<squid.conf>>
acl AUTHENTICATED proxy_auth REQUIRED
external_acl_type SQUID_KERB_LDAP ttl=7200 children-max=20 children-startup=5 children-idle=1 negative_ttl=7200 %LOGIN /usr/local/squid/libexec/ext_kerberos_ldap_group_acl -g "XXX"
acl INTERNET_ACCESS external SQUID_KERB_LDAP
...
...
http_access deny !INTERNET_ACCESS
http_access deny !AUTHENTICATED
http_access allow INTERNET_ACCESS AUTHENTICATED
http_access deny all

With the config above, I have the following lines in the access.log:
[Thu Feb 21 06:56:45 2013].167 38 XXX TCP_REFRESH_UNMODIFIED/304 332 GET http://imagesrv.adition.com/banners/750/683036/dummy.gif USER FIRSTUP_PARENT/XXX image/gif
[Thu Feb 21 06:57:04 2013].621 38 XXX TCP_REFRESH_UNMODIFIED/304 261 GET http://imagesrv.adition.com/banners/750/683036/dummy.gif USER FIRSTUP_PARENT/XXX image/gif

----------------------------------------------------

SCENARIO 2
<<squid.conf (without proxy_auth REQUIRED)>>
external_acl_type SQUID_KERB_LDAP ttl=7200 children-max=20 children-startup=5 children-idle=1 negative_ttl=7200 %LOGIN /usr/local/squid/libexec/ext_kerberos_ldap_group_acl -g "XXX"
acl INTERNET_ACCESS external SQUID_KERB_LDAP
...
...
http_access deny !INTERNET_ACCESS
http_access allow INTERNET_ACCESS
http_access deny all

Now, the same request looks like this:
[Thu Feb 21 06:55:59 2013].086 0 XXX TCP_DENIED/407 4153 GET http://imagesrv.adition.com/banners/750/683036/dummy.gif - HIER_NONE/- text/html
[Thu Feb 21 06:55:59 2013].135 44 XXX TCP_REFRESH_UNMODIFIED/304 332 GET http://imagesrv.adition.com/banners/750/683036/dummy.gif USER FIRSTUP_PARENT/XXX image/gif

A tcpdump shows that the "Authorization" header is not sent in the
first request. In scenario 2, the Authorization header is sent after
the TCP_DENIED/407 response from squid (normal behaviour). In scenario
1, squid responds directly with 304.

What is the influence of "AUTHENTICATED" in the first example, such
that the request is not re-authenticated? Why does squid need to
re-authenticate (TCP_DENIED/407) without the "AUTHENTICATED" tag in the
"http_access" line (scenario 2)? Is it possible that with the
"AUTHENTICATED" tag squid uses the authentication cache, and that
without the "AUTHENTICATED" tag squid does not use the authentication
cache, or flushes the cache entry for every request?

I have other squids running (3.1.20) which are configured like
scenario 2 but behave like scenario 1. Why does squid 3.1.20 act
differently from 3.2.7?

With "debug_options 29,9" (see below) in squid 3.2.7, I see that in
the "wrong case" (without the AUTHENTICATED tag on the http_access
line), squid is "freeing request 0x1646830". When I request the same
file again, squid first responds with a "TCP_DENIED/407". Does the
"freeing" mean that squid "flushes" its authentication cache and
therefore needs to re-authenticate this request every time?
2013/02/21 08:43:58.583 kid1| UserRequest.cc(506) addReplyAuthHeader: headertype:76 authuser:0x1646830*3
2013/02/21 08:43:58.583 kid1| UserRequest.cc(126) releaseAuthServer: No Negotiate auth server to release.
2013/02/21 08:43:58.583 kid1| UserRequest.cc(125) ~UserRequest: freeing request 0x1646830

I can also see that in the wrong case (re-authenticate), squid
flushes its cache and makes a new entry for the same request with a
new TTL:
$ squidclient mgr:username_cache
HTTP/1.1 200 OK
Server: squid
Mime-Version: 1.0
Date: Thu, 21 Feb 2013 08:36:14 GMT
Content-Type: text/plain
Expires: Thu, 21 Feb 2013 08:36:14 GMT
Last-Modified: Thu, 21 Feb 2013 08:36:14 GMT
X-Cache: MISS from XXX
Via: 1.1 XXX (squid)
Connection: close

Cached Usernames: 1 of 7921
Next Garbage Collection in 35 seconds.

Type State Check TTL Cache TTL Username
--------------- --------- --------- --------- ------------------------------
AUTH_NEGOTIATE Ok -1 3600 USER

In the "good case", squid does not throw away the cache entry and the
TTL is decrementing (even after I make new requests) -> expected
behaviour.

So, why does squid flush the authentication cache for every request
when I use "http_access allow INTERNET_ACCESS" (without the tag
AUTHENTICATED)? And why does squid 3.1.20 behave differently? Probably
a bug?

Any explanations/hints for this behavior? Many many thanks.
Tom
Received on Thu Feb 21 2013 - 08:47:36 MST
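As an added example (not part of Tom's post and not Squid's own code), the following Python script parses access.log lines in the layout shown in the post and counts, per request, whether the client was first answered with a TCP_DENIED/407 challenge and then retried with credentials (scenario 2), or was served authenticated straight away (scenario 1). The sample lines are constructed to mirror the excerpts above; the regular expression assumes the eleven-field layout of those excerpts (bracketed timestamp with a millisecond suffix, elapsed time, client, result/status, bytes, method, URL, user, hierarchy, MIME type) and would need adjusting for a different logformat.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the layout of the access.log excerpts in the
# post (client and parent names redacted as XXX, as in the post). The first
# two lines are the scenario 2 pair (407 challenge, then authenticated retry);
# the last two are scenario 1 hits that were served authenticated directly.
SAMPLE_LOG = """\
[Thu Feb 21 06:55:59 2013].086 0 XXX TCP_DENIED/407 4153 GET http://imagesrv.adition.com/banners/750/683036/dummy.gif - HIER_NONE/- text/html
[Thu Feb 21 06:55:59 2013].135 44 XXX TCP_REFRESH_UNMODIFIED/304 332 GET http://imagesrv.adition.com/banners/750/683036/dummy.gif USER FIRSTUP_PARENT/XXX image/gif
[Thu Feb 21 06:56:45 2013].167 38 XXX TCP_REFRESH_UNMODIFIED/304 332 GET http://imagesrv.adition.com/banners/750/683036/dummy.gif USER FIRSTUP_PARENT/XXX image/gif
[Thu Feb 21 06:57:04 2013].621 38 XXX TCP_REFRESH_UNMODIFIED/304 261 GET http://imagesrv.adition.com/banners/750/683036/dummy.gif USER FIRSTUP_PARENT/XXX image/gif
"""

# Assumed field layout (from the excerpts): "[timestamp].ms elapsed client
# RESULT/status bytes method url user hierarchy/peer mime".
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\.(?P<ms>\d{3}) (?P<elapsed>\d+) (?P<client>\S+) "
    r"(?P<code>\S+)/(?P<status>\d{3}) (?P<bytes>\d+) (?P<method>\S+) "
    r"(?P<url>\S+) (?P<user>\S+) (?P<hier>\S+) (?P<mime>\S+)$"
)


def parse_line(line):
    """Parse one access.log line; return a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    stamp = datetime.strptime(d["ts"], "%a %b %d %H:%M:%S %Y")
    d["time"] = stamp + timedelta(milliseconds=int(d["ms"]))
    d["status"] = int(d["status"])
    d["elapsed"] = int(d["elapsed"])
    d["bytes"] = int(d["bytes"])
    d["user"] = None if d["user"] == "-" else d["user"]  # "-" means no user
    return d


def challenge_stats(log_text, window=timedelta(seconds=2)):
    """Separate 'challenged first' from 'authenticated straight away'.

    A 407 for (client, method, url) followed within `window` by an
    authenticated non-407 response for the same key is counted as one
    challenge round trip; an authenticated response with no preceding 407
    is counted as served directly from Squid's authentication state.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["time"])
    stats = {
        "requests": 0,
        "challenges": 0,
        "challenge_roundtrips": 0,
        "direct_authenticated": 0,
    }
    pending = {}  # (client, method, url) -> time of a 407 awaiting its retry
    for e in events:
        stats["requests"] += 1
        key = (e["client"], e["method"], e["url"])
        if e["status"] == 407:
            stats["challenges"] += 1
            pending[key] = e["time"]
            continue
        if e["user"] is None:
            continue  # not authenticated and not challenged: nothing to classify
        t407 = pending.pop(key, None)
        if t407 is not None and e["time"] - t407 <= window:
            stats["challenge_roundtrips"] += 1
        else:
            stats["direct_authenticated"] += 1
    return stats


if __name__ == "__main__":
    for name, value in challenge_stats(SAMPLE_LOG).items():
        print(f"{name:22s} {value}")
```

Run it against a real access.log with `challenge_stats(open("access.log").read())`: a proxy where nearly every authenticated request is preceded by a 407 round trip is showing the scenario 2 behaviour, while a low ratio of challenges to authenticated requests matches scenario 1.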

This archive was generated by hypermail 2.2.0 : Tue Feb 26 2013 - 12:00:04 MST