On 13/12/2013 8:50 p.m., Juergen Obermeyer wrote:
> Hi Amos!
>
> Thanks for your answer:
>
>>> After the first (successful) authentication, some milliseconds
>>> later the failure (same user!). Apparently, no authentication data
>>> is provided.
>>
>> Yes. Consider this: * two packets leave your gateway router. Which
>> comes from client_1 and which comes from some attacker spoofing
>> client_1 IP ?
>
> Ok, I see the problem. But:
>
>> Check whether you have client persistent connections enabled. When
>> that is working the client traffic will all be sent over connections
>> it already knows need authentication, so you should see far less 407
>> from the proxy.
>
> I found this in the Squid documentation:
>
> "By default, Squid uses persistent connections (when allowed) with its
> clients and servers. You can use these options to disable persistent
> connections with clients and/or servers."
>
> (http://www.squid-cache.org/Versions/v2/2.7/cfgman/client_persistent_connections.html)
>
2.7?
I've seen a fair few config with persistence disabled for various
reasons. Was not sure if you were in that group or not.
> Nevertheless, I added the line
>
> client_persistent_connections on
>
> to my squid.conf and reloaded Squid. Unfortunately, the number of 407
> messages in the log file didn't decrease ...
>
> But can you please tell me the meaning of "when allowed"? Is there
> anything to do at client side to allow persistent connections? Or elsewhere?
The client themselves can request Connection:close, or when
communicating unknown-length objects with HTTP/1.0 message syntax on
either end of the connection can require closing TCP.
If you do have a Squid older than 3.2 it is worth upgrading to avoid
that HTTP/1.0 problem.
Amos
Received on Fri Dec 13 2013 - 08:49:46 MST
This archive was generated by hypermail 2.2.0 : Fri Dec 13 2013 - 12:00:04 MST