Re: [squid-users] Squid and NTLM passthrough

From: Steffan Corley <scorley@dont-contact.us>
Date: Wed, 17 Jan 2007 15:59:20 +0000

Just for further information, we have tried adding the headers
"Connection: keep-alive" and "Proxy-Connection: keep-alive" to the http
request with exactly the same results (e.g. curl -H "Connection:
keep-alive" ...).

Steffan

Steffan Corley wrote:
> Hi Henrik,
>
> Thanks once again for all your help so far. Unfortunately, we can't
> get this working in Squid 2.6.STABLE7. We have the following line in
> squid.conf:
>
> cache_peer 192.168.4.166 parent 8080 7 no-query login=PASS
> connection-auth=on
> (I appreciate the connection-auth bit should be unnecessary, but we
> added it to remove one possible source of problems).
>
> My squid.conf does not contain anything about persistent connections.
> However, I note that Squid appends a "Proxy-Connection: close" to the
> NTLM challenge returned by the ISA server. This seems to cause the
> user agent (curl, in our tests, but IE also doesn't work) to close the
> connection and then start the entire process again.
>
> I've attached debugging output from curl for both a direct connection
> to the ISA server and a connection through Squid to the bottom of this
> message. Packet sniffing shows that the communication between squid
> and the ISA server exactly mirrors the communication between the user
> agent and squid.
>
> In general, our experience with Squid is that it tends to close the
> connection with the browser surprisingly frequently, particularly
> immediately after the very first request from any browser.
>
> Any ideas?
>
> Thanks a lot for any (further) help.
>
> Steffan
>
> Henrik Nordstrom wrote:
>> Tue 2007-01-16 at 22:29 +0000, Steffan Corley wrote:
>>
>>
>>> I've had a look at the cache_peer directive in the Squid 3.0 manual
>>> (not at work, so can't try it). It looks to me like we would
>>> probably need "login=PASS" - except that the 3.0 manual specifically
>>> says that this only works with basic authentication.
>>>
>>
>> Well.. 2.6 is not 3.0 and some things differ.
>>
>> 3.0.PRE3 (what the Visolve "3.0" manual documents) does not have support
>> for NTLM passthrough. 2.6 does.
>>
>> Regards
>> Henrik
>>
> --------------------------------------------------------------------------------------------------------------------------------
>
>
> Direct connection to our test ISA server:
>
> curl -v --proxy-ntlm --proxy-user fbloggs:Fishing1 --proxy
> 192.168.4.166:8080 http://iflsupdc01/test.htm
>
> * About to connect() to 192.168.4.166 port 8080
> * Trying 192.168.4.166... * connected
> * Connected to 192.168.4.166 (192.168.4.166) port 8080
> * Proxy auth using NTLM with user 'fbloggs'
> > GET http://iflsupdc01/test.htm HTTP/1.1
> Proxy-Authorization: NTLM TlRMTVNTUAABAAAAAgIAAAAAAAAgAAAAAAAAACAAAAA=
> User-Agent: curl/7.12.1 (i386-redhat-linux-gnu) libcurl/7.12.1
> OpenSSL/0.9.7a zlib/1.2.1.2 libidn/0.5.6
> Host: iflsupdc01
> Pragma: no-cache
> Accept: */*
>
> < HTTP/1.1 407 Proxy Authentication Required ( Access is denied. )
> < Via: 1.1 IFLISA2
> < Proxy-Authenticate: NTLM
> TlRMTVNTUAACAAAAAAAAADgAAAACAgAC4mf23g5o7MUAAAAAAAAAAAAAAAA4AAAABQLODgAAAA8=
>
> < Connection: Keep-Alive
> < Proxy-Connection: Keep-Alive
> < Pragma: no-cache
> < Cache-Control: no-cache
> < Content-Type: text/html
> < Content-Length: 0 % Total % Received % Xferd Average Speed
> Time Time Time Current
> Dload Upload Total Spent Left
> Speed
>
> 0 0 0 0 0 0 0 0 --:--:-- --:--:--
> --:--:-- 0
> 0 0 0 0 0 0 0 0 --:--:-- --:--:--
> --:--:-- 0
> * Connection #0 to host 192.168.4.166 left intact
> * Issue another request to this URL: 'http://iflsupdc01/test.htm'
> * Re-using existing connection! (#0) with host 192.168.4.166
> * Connected to 192.168.4.166 (192.168.4.166) port 8080
> * Proxy auth using NTLM with user 'fbloggs'
> > GET http://iflsupdc01/test.htm HTTP/1.1
> Proxy-Authorization: NTLM
> TlRMTVNTUAADAAAAGAAYAEcAAAAYABgAXwAAAAAAAABAAAAABwAHAEAAAAAAAAAARwAAAAAAAAB3AAAAAYIAAGZibG9nZ3M47tx4c1fHgyiRKo8S7Rg5kFShqEyYIYH48/2MC/7cIZqMlCN8DxVWHPTuPISDjoo=
>
> User-Agent: curl/7.12.1 (i386-redhat-linux-gnu) libcurl/7.12.1
> OpenSSL/0.9.7a zlib/1.2.1.2 libidn/0.5.6
> Host: iflsupdc01
> Pragma: no-cache
> Accept: */*
>
> < HTTP/1.1 200 OK
> < Via: 1.1 IFLISA2
> < Connection: Keep-Alive
> < Proxy-Connection: Keep-Alive
> < Content-Length: 1502
> < Date: Wed, 17 Jan 2007 23:01:33 GMT
> < Content-Type: text/html
> < ETag: "d0f625b16d3ac71:1bb"
> < Server: Microsoft-IIS/6.0
> < Last-Modified: Wed, 17 Jan 2007 19:28:40 GMT
> < Accept-Ranges: bytes
>
> 100 1502 100 1502 0 0 96940 0 --:--:-- --:--:--
> --:--:-- 97k
> * Connection #0 to host 192.168.4.166 left intact
> * Closing connection #0
>
> --------------------------------------------------------------------------------------------------------------------------------
>
>
> Connection through Squid to our test ISA server:
>
> curl -v --proxy-ntlm --proxy-user fbloggs:Fishing1 --proxy
> 127.0.0.1:8080 http://iflsupdc01/test.htm
>
> * About to connect() to localhost port 8080
> * Trying 127.0.0.1... * connected
> * Connected to localhost (127.0.0.1) port 8080
> * Proxy auth using NTLM with user 'fbloggs'
> > GET http://iflsupdc01/test.htm HTTP/1.1
> Proxy-Authorization: NTLM TlRMTVNTUAABAAAAAgIAAAAAAAAgAAAAAAAAACAAAAA=
> User-Agent: curl/7.12.1 (i386-redhat-linux-gnu) libcurl/7.12.1
> OpenSSL/0.9.7a zlib/1.2.1.2 libidn/0.5.6
> Host: iflsupdc01
> Pragma: no-cache
> Accept: */*
>
> < HTTP/1.0 407 Proxy Authentication Required
> < Proxy-Authenticate: NTLM
> TlRMTVNTUAACAAAAAAAAADgAAAACAgAC6ZSzPs2eyiYAAAAAAAAAAAAAAAA4AAAABQLODgAAAA8=
>
> < Pragma: no-cache
> < Cache-Control: no-cache
> < Content-Type: text/html
> < Content-Length: 0
> < X-Cache: MISS from RMSmartCache2
> < Via: 1.1 IFLISA2, 1.0 RMSmartCache2:8080 (squid/2.6.STABLE7)
> < Proxy-Connection: close
> % Total % Received % Xferd Average Speed Time Time Time
> Current
> Dload Upload Total Spent Left
> Speed
>
> 0 0 0 0 0 0 0 0 --:--:-- --:--:--
> --:--:-- 0
> 0 0 0 0 0 0 0 0 --:--:-- --:--:--
> --:--:-- 0
> * Closing connection #0
> * Issue another request to this URL: 'http://iflsupdc01/test.htm'
> * About to connect() to localhost port 8080
> * Trying 127.0.0.1... * connected
> * Connected to localhost (127.0.0.1) port 8080
> * Proxy auth using NTLM with user 'fbloggs'
> > GET http://iflsupdc01/test.htm HTTP/1.1
> Proxy-Authorization: NTLM TlRMTVNTUAABAAAAAgIAAAAAAAAgAAAAAAAAACAAAAA=
> User-Agent: curl/7.12.1 (i386-redhat-linux-gnu) libcurl/7.12.1
> OpenSSL/0.9.7a zlib/1.2.1.2 libidn/0.5.6
> Host: iflsupdc01
> Pragma: no-cache
> Accept: */*
>
> < HTTP/1.0 407 Proxy Authentication Required
> < Proxy-Authenticate: NTLM
> TlRMTVNTUAACAAAAAAAAADgAAAACAgACcxmgGcGKnHMAAAAAAAAAAAAAAAA4AAAABQLODgAAAA8=
>
> < Pragma: no-cache
> < Cache-Control: no-cache
> < Content-Type: text/html
> < Content-Length: 0
> < X-Cache: MISS from RMSmartCache2
> < Via: 1.1 IFLISA2, 1.0 RMSmartCache2:8080 (squid/2.6.STABLE7)
> < Proxy-Connection: close
>
> 0 0 0 0 0 0 0 0 --:--:-- --:--:--
> --:--:-- 0
> * Closing connection #0
> [...repeated many times...]
> * Maximum (50) redirects followed
> curl: (47) Maximum (50) redirects followed
>
>
Received on Wed Jan 17 2007 - 08:59:39 MST
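As an added example (not code from the thread, curl or Squid), a small Python diagnostic that decodes the NTLMSSP message type from the Proxy-Authorization / Proxy-Authenticate tokens in a curl -v style trace and flags the failure mode discussed above: a Type 2 challenge delivered on a response that signals connection close (Proxy-Connection: close, or HTTP/1.0 without keep-alive), which forces the client back to Type 1 and produces the endless 407 loop. The trace format, function names and the constructed sample trace are assumptions; the NTLM tokens are the ones from the captures above.

```python
import base64, struct

def ntlm_type(token):
    """NTLMSSP message type of a base64 token: 1 Negotiate, 2 Challenge, 3 Authenticate."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return None
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        return None
    return struct.unpack_from("<I", raw, 8)[0]   # little-endian type field at offset 8

def parse_trace(trace):
    exchanges, ex = [], None  # one dict per request/response pair in a curl -v style trace
    for line in trace.splitlines():
        side, body = line[:1], line[2:]
        if side == ">" and body.startswith("GET "):
            ex = {"req": None, "version": None, "status": None, "resp": None, "h": {}}
            exchanges.append(ex)
        elif ex is not None and side == "<" and body.startswith("HTTP/"):
            ex["version"], ex["status"] = body.split(" ")[0], int(body.split(" ")[1])
        elif ex is not None and side in ("<", ">") and ":" in body:
            name, _, value = body.partition(":")
            name, value = name.strip().lower(), value.strip()
            if side == "<":
                ex["h"][name] = value          # keep only response headers
            if name.startswith("proxy-auth") and value.startswith("NTLM "):
                ex["req" if side == ">" else "resp"] = ntlm_type(value[5:])
    return exchanges

def closes_connection(ex):
    """Close signal on the challenge response: NTLM state dies with the TCP connection."""
    conn = {ex["h"].get(n, "").lower() for n in ("connection", "proxy-connection")}
    return "close" in conn or (ex["version"] == "HTTP/1.0" and "keep-alive" not in conn)

def diagnose(trace):
    """Return (verdict, number of times the client restarted from Type 1)."""
    exs = parse_trace(trace)
    restarts = max(0, sum(ex["req"] == 1 for ex in exs) - 1)
    broken = any(ex["status"] == 407 and ex["resp"] == 2 and closes_connection(ex) for ex in exs)
    done = any(ex["req"] == 3 and ex["status"] == 200 for ex in exs)
    return ("broken" if broken else "ok" if done else "incomplete"), restarts

SQUID_TRACE = """> GET http://iflsupdc01/test.htm HTTP/1.1
> Proxy-Authorization: NTLM TlRMTVNTUAABAAAAAgIAAAAAAAAgAAAAAAAAACAAAAA=
< HTTP/1.0 407 Proxy Authentication Required
< Proxy-Authenticate: NTLM TlRMTVNTUAACAAAAAAAAADgAAAACAgAC6ZSzPs2eyiYAAAAAAAAAAAAAAAA4AAAABQLODgAAAA8=
< Proxy-Connection: close
> GET http://iflsupdc01/test.htm HTTP/1.1
> Proxy-Authorization: NTLM TlRMTVNTUAABAAAAAgIAAAAAAAAgAAAAAAAAACAAAAA=
"""  # constructed trace modelled on the "through Squid" capture above; tokens from the thread
```

Running diagnose(SQUID_TRACE) reports the handshake as broken with one restart; a trace where the 407 carries Keep-Alive on HTTP/1.1 and is followed by a Type 3 and a 200 reports "ok".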
