Re: [squid-users] Squid/NTLM and site timeouts

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 12 Feb 2012 15:09:31 +1300

On 12/02/2012 2:34 p.m., Jason Gauthier wrote:
>
> -----Original Message-----
> From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
> Sent: Saturday, February 11, 2012 8:55 AM
> To: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] Squid/NTLM and site timeouts
>
> On 12/02/2012 2:30 a.m., Jason Gauthier wrote:
>> All,
>>
>> I have a Squid and NTLM implementation. I've had one for years, and always have been pretty pleased with it. There has always been one quirk, and I've decided to ask about it in case there is a known solution.
>>
>> Typically, NTLM requires a back and forth of authentication. Whenever a site is very slow to respond, or down and times out, my browsers display an authentication prompt to the end user. I noticed this happens sometimes, even, after the full page is loaded, and an advertisement or some other element takes a long time to load.
>> This behaviour sounds more like the slowness is being caused by NTLM itself being slow or failing. The domain lookups and connections do not even start to happen until NTLM>login to the proxy is already successfully completed.
>> The prompt is a browser feature. Squid has nothing to do with it besides the coincidence that the browser may choose to do it whenever Squid asks for credentials. The modern>ones usually only try it after automatic logins like NTLM have been tried and failed.
>
> You would think that is the case, but it's not. I can demonstrate this. I've created a PHP page that just loads text.
> http://www.pendulus.org/loaddirect.php
>
> Squid logs:
> 1329009688.461 0 192.168.71.117 TCP_DENIED/407 4051 GET http://www.pendulus.org/loaddirect.php - NONE/- text/html
> 1329009688.552 1 192.168.71.117 TCP_DENIED/407 4308 GET http://www.pendulus.org/loaddirect.php - NONE/- text/html
> 1329009688.822 187 192.168.71.117 TCP_MISS/200 330 GET http://www.pendulus.org/loaddirect.php jgauthier DIRECT/69.135.186.43 text/html
>
> This worked exactly as expected.
>
> I created one with a 30 second delay:
> http://www.pendulus.org/loadshortpause.php
>
> Squid logs:
> 1329010018.324 1 192.168.71.117 TCP_DENIED/407 4067 GET http://www.pendulus.org/loadshortpause.php - NONE/- text/html
> 1329010018.473 0 192.168.71.117 TCP_DENIED/407 4332 GET http://www.pendulus.org/loadshortpause.php - NONE/- text/html
> 1329010048.720 30194 192.168.71.117 TCP_MISS/200 330 GET http://www.pendulus.org/loadshortpause.php jgauthier DIRECT/69.135.186.43 text/html
>
> Notice my username does not appear until *after* the 30 second pause that's inside the web page.

Yes. Note how the requests which have incomplete NTLM have "NONE/-"
logged for the server details.

What that log shows is that successful NTLM credentials were recieved by
Squid (jgauthier), then DNS was performed (DIRECT) , then the server
(69.135.186.43) was contacted. The entire process took 30.194 seconds.

>
> Lastly, I created one with a 300 second delay in it.
> http://www.pendulus.org/loadpause.php
>
> Squid logs:
> 1329009789.283 0 192.168.71.117 TCP_DENIED/407 4047 GET http://www.pendulus.org/loadpause.php - NONE/- text/html
> 1329009789.372 0 192.168.71.117 TCP_DENIED/407 4312 GET http://www.pendulus.org/loadpause.php - NONE/- text/html
> 1329009909.439 120024 192.168.71.117 TCP_MISS/000 0 GET http://www.pendulus.org/loadpause.php jgauthier DIRECT/69.135.186.43 -
> 1329009909.534 0 192.168.71.117 TCP_DENIED/407 4331 GET http://www.pendulus.org/loadpause.php - NONE/- text/html
>
> At the point the second two log entries are created, the browser also prompted me for credentials again.
> The gap in time is two minutes.
> After two minutes, I am re-prompted from the browser, this is what I am describing. The situation I want to stop from occurring.

This one shows is that successful NTLM credentials were recieved by
Squid (jgauthier), then DNS was performed (DIRECT) , then the server
(69.135.186.43) was contacted. Then after 120.024 seconds the connection
between Squid and client got closed ("/000" in column 4) before anything
was received by the server for delivery (0 bytes in column 5).

The browser decides to do the popup based on what it is aware of: An
NTLM login which never got a successful response to the final stage when
full credentials were sent. Try again (with different credentials).

You can try increasing
http://www.squid-cache.org/Doc/config/persistent_request_timeout/ if it
was Squid. But be aware of simialr limits in TCP firewall state tracking
and NAT systems, and timeouts in browser as well which all result in the
same connection closure.

Amos
Received on Sun Feb 12 2012 - 02:09:37 MST

This archive was generated by hypermail 2.2.0 : Sun Feb 12 2012 - 12:00:03 MST