Re: [squid-users] Authentication problem/oddity/ignorance

From: Chris Robertson <crobertson_at_gci.net>
Date: Thu, 29 May 2008 10:53:17 -0800

Rob Asher wrote:

>> Chris Robertson <crobertson_at_gci.net> 5/28/2008 5:03 PM
>>
> The traffic isn't being balanced among the proxies. I have multiple locations, 4 to be exact, all trying to access the same site with the same results. Each location uses its own proxy. None of them are transparent and they all require authentication back to a single central LDAP server.
>

Fair enough. Two possibilities out of the way.

>> TCP_MISS/401 indicates the website returned a "Not Authorized" response,
>> which should cause your browser to prompt for authentication.
>>
>
> With IE7, I get one prompt and then the "cannot display the webpage" message. With FF2, the prompt keeps popping up even with a valid login entry for the site until it's canceled.
>

Further investigation shows that the site in question is requesting NTLM
authentication, which any version of Squid 2.6 should handle. Hmmm...
Perhaps this is related to the brokenness of IIS passing chunked
encoding to non-HTTP/1.1-compliant clients. But it looks like the fixes
for that were added in 2.6S8 and 2.6S10. Given you have at least one
2.6S13 server (and not all clients using it work) the fix might not be
enough. Well, you can try adding the following lines in your squid.conf
(on any of the servers) and see if it helps...

acl chunked dstdomain .k12.ar.us
header_access Accept-Encoding deny chunked

>> Wow. Not a single TCP_MISS/200 or TCP_HIT/200. The only requests that
>> succeeded were cached content (TCP_MISS/304, with a parent of NONE).
>> So, from the evidence given, the machine that is "working" only appears
>> to be working because it is able to wrest a response from the cache that
>> allows it to use its locally cached copy...
>>
>
> OK.....here's another bit from access.log with the TCP_MISS/200 from the "working" machine. My fault on the previous one in that all I visited was things that I'd already been to and cached. There are a lot of 401's in this but I only had to authenticate to the proxy itself and then once for the site.
>
> [root_at_phs-proxy squid]# tail -f access.log | grep www.k12.ar.us
> 1212065905.682 182 170.211.125.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
> 1212065923.714 699 170.211.125.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
> 1212065923.738 24 170.211.125.31 TCP_MISS/304 414 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher NONE/- -
> 1212065923.793 54 170.211.125.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher NONE/- text/html
> 1212065923.818 24 170.211.125.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher NONE/- text/html
> 1212065923.856 38 170.211.125.31 TCP_MISS/404 1991 GET http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher NONE/- text/html
> 1212065924.027 41 170.211.125.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/bg.jpg rasher DIRECT/165.29.214.2 text/html
>
SNIP
> 1212065933.726 24 170.211.125.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/caja/PrepareForNextYearScheduling.pdf rasher NONE/- text/html
> 1212065936.319 2593 170.211.125.31 TCP_MISS/200 96327 GET http://www.k12.ar.us/secure/smspo/caja/PrepareForNextYearScheduling.pdf rasher NONE/- application/pdf
>

Huh? This line doesn't make sense. It's a TCP_MISS/200, which means
the request was successful, but the parent server is NONE. Color me
confused.

> 1212065961.927 79 170.211.125.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher NONE/- text/html
> 1212065961.952 23 170.211.125.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher DIRECT/165.29.214.2 text/html
> 1212065962.164 212 170.211.125.31 TCP_MISS/200 48057 GET http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher NONE/- application/pdf
> 1212065962.236 71 170.211.125.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher NONE/- text/html
> 1212065962.260 24 170.211.125.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher NONE/- text/html
> 1212065962.661 400 170.211.125.31 TCP_MISS/206 176993 GET http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher NONE/- multipart/byteranges
>
>
> If you have any suggestions on what else to look for, I'm willing to try about anything. I captured some of the headers in FF on both the working and a nonworking machine but I can't make any sense of them. Also, if running tcpdump would help, I'm game to try that as well?
>

Well, Squid 2.7 Stable 1 is out, which appears to have more support for
HTTP 1.1. You could set it up on one of your machines (instructions for
running multiple instances of Squid on one box are at
http://wiki.squid-cache.org/MultipleInstances) and see if that helps as
well.

> Thanks,
> Rob
>

Chris
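Added example, not part of the original thread: a small parser for Squid's native access.log format (the layout of the lines quoted above) that tallies result codes and flags the oddity Chris points out, a successful 2xx TCP_MISS whose hierarchy field is NONE. The sample lines are constructed from the quoted log.

```python
import re
from collections import Counter

# Constructed sample, modelled on the access.log lines quoted in the thread:
# timestamp elapsed-ms client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1212065905.682 182 170.211.125.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
1212065923.738 24 170.211.125.31 TCP_MISS/304 414 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher NONE/- -
1212065936.319 2593 170.211.125.31 TCP_MISS/200 96327 GET http://www.k12.ar.us/secure/smspo/caja/PrepareForNextYearScheduling.pdf rasher NONE/- application/pdf
1212065962.661 400 170.211.125.31 TCP_MISS/206 176993 GET http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher NONE/- multipart/byteranges
"""

# One regex for the ten whitespace-separated fields of the native log format.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

def parse_line(line):
    """Return a dict of fields for one access.log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec

def analyse(log_text):
    """Count (code, status) pairs and collect successful TCP_MISS entries with
    hierarchy NONE, i.e. a body was delivered but no upstream server was recorded."""
    counts = Counter()
    oddities = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        counts[(rec["code"], rec["status"])] += 1
        if rec["code"] == "TCP_MISS" and 200 <= rec["status"] < 300 and rec["hier"] == "NONE":
            oddities.append((rec["url"], rec["status"], rec["bytes"]))
    return counts, oddities

if __name__ == "__main__":
    counts, oddities = analyse(SAMPLE_LOG)
    for key, n in sorted(counts.items()):
        print("%s/%d: %d" % (key[0], key[1], n))
    for url, status, nbytes in oddities:
        print("odd: %d with NONE/- (%d bytes) %s" % (status, nbytes, url))
```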
Received on Thu May 29 2008 - 18:53:23 MDT
