auth_param ntlm keep_alive interaction with new http/1.1 keepalive behaviour

From: Stephen Thorne <stephen_at_thorne.id.au>
Date: Mon, 23 Aug 2010 18:05:29 +1000

G'day,

Today I had a report of a problem seen with a late version of 3.1.6 + http/1.1,
chunked response and keepalive patches. The problem occurs in the following
situation.

Laptop is on domain ONE, user bob.
Proxy is on domain TWO, and accepts user alice.

What happens with an older version of squid (with no auth_param ntlm keep_alive
line in the config) is this:

> GET
< 407, NTLM
> GET, NTLM hash
< 407, NTLM hash
> GET, NTLM hash for ONE/bob
*** < 407 NTLM, Proxy-Connection: Close
*** (connection torn down and re-established at this point)
> GET
< 407, NTLM
> GET, NTLM hash
< 407, NTLM hash
> GET, NTLM hash for TWO/alice
< 200 OK

What happens with newer code that does http/1.1 with more aggressive keep-alive:

> GET
< 407 NTLM
> GET, NTLM hash
< 407 NTLM hash
> GET, NTLM hash for ONE/bob
*** < 407 NTLM Proxy-Connection: keep-alive
> GET
< 407, NTLM
> GET, NTLM hash
< 407, NTLM hash
> GET, NTLM hash for TWO/alice
< 200 OK

*** marks the lines that are different between the two exchanges.

The behaviour seen by the user in the latter case above is many authentication
dialogs in Firefox (3.6.x), approximately 1 per proxy-connection established.

Setting "auth_param ntlm keep_alive off" causes the user's authentication
dialogs to stop appearing.

Perhaps with 3.1.7 or 3.2 we should consider defaulting to ntlm keep_alive off.

-- 
Regards,
Stephen Thorne
Development Engineer
Netbox Blue
Received on Mon Aug 23 2010 - 08:14:56 MDT
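
Added example, not part of the original message and not Squid code: a small Python check that classifies the NTLM messages in a proxy header trace and reports each rejected type 3 (authenticate) message, along with whether the proxy kept the connection open afterwards. The tuple layout, the function names and the sample tokens are assumptions made for illustration; the tokens are constructed and carry only the NTLMSSP signature and message type.

```python
import base64
import struct

def ntlm_type(header_value):
    """NTLMSSP message type (1, 2 or 3); 0 for a bare 'NTLM' offer; None if not NTLM."""
    parts = (header_value or "").split(None, 1)
    if not parts or parts[0].upper() != "NTLM":
        return None
    if len(parts) == 1:
        return 0
    try:
        raw = base64.b64decode(parts[1], validate=True)
    except ValueError:
        return None
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        return None
    return struct.unpack_from("<I", raw, 8)[0]

def rejected_handshakes(exchanges):
    """exchanges: (request_headers, status, response_headers) tuples in wire order.
    Returns (connection_number, kept_alive) for each type 3 message answered with 407."""
    findings, conn = [], 1
    for req, status, resp in exchanges:
        closing = resp.get("Proxy-Connection", "").lower() == "close"
        if status == 407 and ntlm_type(req.get("Proxy-Authorization")) == 3:
            findings.append((conn, not closing))
        if closing:
            conn += 1  # the next request arrives on a new connection
    return findings

# Constructed sample data: tokens carry only the NTLMSSP signature and type field.
def _tok(msg_type):
    return "NTLM " + base64.b64encode(b"NTLMSSP\x00" + struct.pack("<I", msg_type)).decode()

def trace(proxy_connection):
    """The exchange from the message, with the header sent on the rejected attempt."""
    start = [({}, 407, {"Proxy-Authenticate": "NTLM"}),
             ({"Proxy-Authorization": _tok(1)}, 407, {"Proxy-Authenticate": _tok(2)})]
    rejected = ({"Proxy-Authorization": _tok(3)}, 407,
                {"Proxy-Authenticate": "NTLM", "Proxy-Connection": proxy_connection})
    accepted = ({"Proxy-Authorization": _tok(3)}, 200, {})
    return start + [rejected] + start + [accepted]

if __name__ == "__main__":
    for label, value in (("older", "close"), ("newer", "keep-alive")):
        print(label, rejected_handshakes(trace(value)))
```

A finding with kept_alive set to True corresponds to the exchange the message reports for the newer code.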
