Re: [squid-users] Authentication problem/oddity/ignorance

2008-05-29 Thread Rob Asher
 Chris Robertson [EMAIL PROTECTED] 5/28/2008 5:03 PM 
 Proxies.  Plural.  How are you spreading the traffic among the proxies?  
 A number of authentication-requiring websites associate login 
 credentials with a source IP.  Using a round robin load balancer 
 (without source NATing the outgoing requests from the multiple proxies) 
 can cause issues with such sites.  As well, using authentication on an 
 intercepting (also called a transparent) proxy can cause issues such as 
 this.

The traffic isn't being balanced among the proxies.  I have multiple locations, 
4 to be exact, all trying to access the same site with the same results.  Each 
location uses its own proxy.  None of them are transparent and they all 
require authentication back to a single central LDAP server.


 TCP_MISS/401 indicates the website returned a Not Authorized response, 
 which should cause your browser to prompt for authentication.

With IE7, I get one prompt and then the "cannot display the webpage" message.  
With FF2, the prompt keeps popping up even with a valid login entry for the 
site until it's canceled.  


 Wow.  Not a single TCP_MISS/200 or TCP_HIT/200.  The only requests that 
 succeeded were cached content (TCP_MISS/304, with a parent of NONE).  
 So, from the evidence given, the machine that is working only appears 
 to be working because it is able to wrest a response from the cache that 
 allows it to use its locally cached copy...

OK. Here's another bit from access.log with the TCP_MISS/200 from the 
working machine.  My fault on the previous one in that all I visited were 
things that I'd already been to and cached.  There are a lot of 401's in this 
but I only had to authenticate to the proxy itself and then once for the site.  

[EMAIL PROTECTED] squid]# tail -f access.log | grep www.k12.ar.us 
1212065905.682 182 170.211.125.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
1212065923.714 699 170.211.125.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
1212065923.738 24 170.211.125.31 TCP_MISS/304 414 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher NONE/- -
1212065923.793 54 170.211.125.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher NONE/- text/html
1212065923.818 24 170.211.125.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher NONE/- text/html
1212065923.856 38 170.211.125.31 TCP_MISS/404 1991 GET http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher NONE/- text/html
1212065924.027 41 170.211.125.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/bg.jpg rasher DIRECT/165.29.214.2 text/html
1212065924.051 23 170.211.125.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/bg.jpg rasher DIRECT/165.29.214.2 text/html
1212065924.064 39 170.211.125.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/topmenu.jpg rasher DIRECT/165.29.214.2 text/html
1212065924.073 21 170.211.125.31 TCP_MISS/304 413 GET http://www.k12.ar.us/secure/smspo/bg.jpg rasher NONE/- -
1212065924.088 23 170.211.125.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/topmenu.jpg rasher DIRECT/165.29.214.2 text/html
1212065924.105 38 170.211.125.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/mid.jpg rasher DIRECT/165.29.214.2 text/html
1212065924.109 21 170.211.125.31 TCP_MISS/304 412 GET http://www.k12.ar.us/secure/smspo/topmenu.jpg rasher NONE/- -
1212065924.128 23 170.211.125.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/mid.jpg rasher NONE/- text/html
1212065924.154 26 170.211.125.31 TCP_MISS/304 413 GET http://www.k12.ar.us/secure/smspo/mid.jpg rasher NONE/- -
1212065933.702 855 170.211.125.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/caja/PrepareForNextYearScheduling.pdf rasher DIRECT/165.29.214.2 text/html
1212065933.726 24 170.211.125.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/caja/PrepareForNextYearScheduling.pdf rasher NONE/- text/html
1212065936.319 2593 170.211.125.31 TCP_MISS/200 96327 GET http://www.k12.ar.us/secure/smspo/caja/PrepareForNextYearScheduling.pdf rasher NONE/- application/pdf
1212065961.927 79 170.211.125.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher NONE/- text/html
1212065961.952 23 170.211.125.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher DIRECT/165.29.214.2 text/html
1212065962.164 212 170.211.125.31 TCP_MISS/200 48057 GET http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher NONE/- application/pdf
1212065962.236 71 170.211.125.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher NONE/- text/html
1212065962.260 24 170.211.125.31 TCP_MISS/401 2277 GET 

Re: [squid-users] Authentication problem/oddity/ignorance

2008-05-29 Thread Chris Robertson

Rob Asher wrote:

Chris Robertson [EMAIL PROTECTED] 5/28/2008 5:03 PM

The traffic isn't being balanced among the proxies.  I have multiple locations, 
4 to be exact, all trying to access the same site with the same results.  Each 
location uses its own proxy.  None of them are transparent and they all 
require authentication back to a single central LDAP server.


Fair enough.  Two possibilities out of the way.

TCP_MISS/401 indicates the website returned a Not Authorized response, 
which should cause your browser to prompt for authentication.



With IE7, I get one prompt and then the "cannot display the webpage" message.  With FF2, the prompt keeps popping up even with a valid login entry for the site until it's canceled.  


Further investigation shows that the site in question is requesting NTLM 
authentication, which any version of Squid 2.6 should handle.  Hmmm...  
Perhaps this is related to the brokenness of IIS passing chunked 
encoding to non-HTTP/1.1-compliant clients.  But it looks like the fixes 
for that were added in 2.6S8 and 2.6S10.  Given you have at least one 
2.6S13 server (and not all clients using it work) the fix might not be 
enough.  Well, you can try adding the following lines in your squid.conf 
(on any of the servers) and see if it helps...


acl chunked dstdomain .k12.ar.us
header_access Accept-Encoding deny chunked

Wow.  Not a single TCP_MISS/200 or TCP_HIT/200.  The only requests that 
succeeded were cached content (TCP_MISS/304, with a parent of NONE).  
So, from the evidence given, the machine that is working only appears 
to be working because it is able to wrest a response from the cache that 
allows it to use its locally cached copy...



OK. Here's another bit from access.log with the TCP_MISS/200 from the working machine.  My fault on the previous one in that all I visited were things that I'd already been to and cached.  There are a lot of 401's in this but I only had to authenticate to the proxy itself and then once for the site.  

[EMAIL PROTECTED] squid]# tail -f access.log | grep www.k12.ar.us 
1212065905.682 182 170.211.125.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
1212065923.714 699 170.211.125.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
1212065923.738 24 170.211.125.31 TCP_MISS/304 414 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher NONE/- -
1212065923.793 54 170.211.125.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher NONE/- text/html
1212065923.818 24 170.211.125.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher NONE/- text/html
1212065923.856 38 170.211.125.31 TCP_MISS/404 1991 GET http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher NONE/- text/html
1212065924.027 41 170.211.125.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/bg.jpg rasher DIRECT/165.29.214.2 text/html

SNIP

1212065933.726 24 170.211.125.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/caja/PrepareForNextYearScheduling.pdf rasher NONE/- text/html
1212065936.319 2593 170.211.125.31 TCP_MISS/200 96327 GET http://www.k12.ar.us/secure/smspo/caja/PrepareForNextYearScheduling.pdf rasher NONE/- application/pdf


Huh?  This line doesn't make sense.  It's a TCP_MISS/200, which means 
the request was successful, but the parent server is NONE.  Color me 
confused.



1212065961.927 79 170.211.125.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher NONE/- text/html
1212065961.952 23 170.211.125.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher DIRECT/165.29.214.2 text/html
1212065962.164 212 170.211.125.31 TCP_MISS/200 48057 GET http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher NONE/- application/pdf
1212065962.236 71 170.211.125.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher NONE/- text/html
1212065962.260 24 170.211.125.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher NONE/- text/html
1212065962.661 400 170.211.125.31 TCP_MISS/206 176993 GET http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher NONE/- multipart/byteranges


If you have any suggestions on what else to look for, I'm willing to try about 
anything.  I captured some of the headers in FF on both the working and a 
nonworking machine but I can't make any sense of them.  Also, if running 
tcpdump would help, I'm game to try that as well?
  


Well, Squid 2.7 Stable 1 is out, which appears to have more support for 
HTTP 1.1.  You could set it up on one of your machines (instructions for 
running multiple instances of Squid on one box are at 

[squid-users] Authentication problem/oddity/ignorance

2008-05-28 Thread Rob Asher
I have an external site that requires authentication that's not working through 
my proxies.  The squid versions vary from 2.6.STABLE6 to 2.6.STABLE13 with the 
same results.  With IE7, all that's returned is "cannot display the webpage" 
even with "show friendly http error messages" turned off.  With FF2, the login 
box keeps popping up until you cancel.  Here's the oddity though, I have one XP 
machine that is able to authenticate through the proxy without any problems 
with both IE7 and FF2.   Same user, same proxy, same passwords, just different 
machines.  If I bypass the proxy, everything works fine on all machines.  I 
read something in the archives about configuring the browser to keep 
authentication details longer.  Could that be the difference?  If so, I have no 
idea how to change that.  Below are the two relevant portions from access.log. 
I have the Live HTTP Headers add-on for FF also but I'm ignorant on reading and 
using it effectively.  Any help or ideas are appreciated!

Does NOT connect:
[EMAIL PROTECTED] squid]# tail -f access.log | grep www.k12.ar.us 
1211985315.277 53 170.211.xxx.30 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
1211985326.697 25 170.211.xxx.30 TCP_MISS/401 2272 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
1211985326.760 42 170.211.xxx.30 TCP_MISS/401 2028 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html


Does connect:
[EMAIL PROTECTED] squid]# tail -f access.log | grep www.k12.ar.us 
1211985582.423 71 170.211.xxx.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
1211985605.978 27 170.211.xxx.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
1211985606.002 25 170.211.xxx.31 TCP_MISS/304 414 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher NONE/- -
1211985606.077 61 170.211.xxx.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher DIRECT/165.29.214.2 text/html
1211985606.103 26 170.211.xxx.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher NONE/- text/html
1211985606.130 26 170.211.xxx.31 TCP_MISS/404 1991 GET http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher NONE/- text/html
1211985606.234 71 170.211.xxx.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/bg.jpg rasher DIRECT/165.29.214.2 text/html
1211985606.259 24 170.211.xxx.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/bg.jpg rasher DIRECT/165.29.214.2 text/html
1211985606.263 49 170.211.xxx.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/topmenu.jpg rasher DIRECT/165.29.214.2 text/html
1211985606.267 53 170.211.xxx.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/mid.jpg rasher DIRECT/165.29.214.2 text/html
1211985606.281 21 170.211.xxx.31 TCP_MISS/304 413 GET http://www.k12.ar.us/secure/smspo/bg.jpg rasher NONE/- -
1211985606.286 23 170.211.xxx.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/topmenu.jpg rasher DIRECT/165.29.214.2 text/html
1211985606.291 23 170.211.xxx.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/mid.jpg rasher DIRECT/165.29.214.2 text/html
1211985606.314 26 170.211.xxx.31 TCP_MISS/304 412 GET http://www.k12.ar.us/secure/smspo/topmenu.jpg rasher NONE/- -
1211985606.314 22 170.211.xxx.31 TCP_MISS/304 413 GET http://www.k12.ar.us/secure/smspo/mid.jpg rasher NONE/- -

Thanks,
Rob


-
Rob Asher
Network Systems Technician
Paragould School District
(870)236-7744 Ext. 169
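The two access.log excerpts in the post above are the whole diagnostic evidence, so here is an added example (not code from the thread or from Squid) that parses Squid's native access.log layout and, per URL, reports how the authentication exchange ended. The sample entries are constructed to match the posted excerpts, masked octet included, and a couple are deliberately wrapped the way the mailing list wrapped them; unwrap() re-joins those, and the regex also accepts a timestamp that has lost the space before the elapsed-time field. The classification rule (two 401s followed by a real answer means the handshake completed; a third 401 means the final leg was rejected) is the editor's reading of the log shape, not something the thread states, and the function names are invented for this example.

```python
"""Parse Squid native access.log entries and classify each URL's auth exchange.
Added example, not from the thread; sample log lines are constructed."""
import re
from collections import OrderedDict

# Squid 2.x native layout:
#   time elapsed client code/status bytes method URL ident hier/peer type
# The timestamp has exactly three decimals, so `\s*` before `elapsed`
# also copes with "1212065905.682182" (padding lost in a mail client).
ENTRY_RE = re.compile(
    r"^(?P<ts>\d+\.\d{3})\s*(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed samples shaped like the two excerpts in the post.
NOT_WORKING = """\
1211985315.277 53 170.211.xxx.30 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
1211985326.697 25 170.211.xxx.30 TCP_MISS/401 2272 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
1211985326.760 42 170.211.xxx.30 TCP_MISS/401 2028 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
"""
WORKING = """\
1211985582.423 71 170.211.xxx.31 TCP_MISS/401 2145 GET
http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
1211985605.978 27 170.211.xxx.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
1211985606.002 25 170.211.xxx.31 TCP_MISS/304 414 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher NONE/- -
1211985606.077 61 170.211.xxx.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher DIRECT/165.29.214.2
text/html
1211985606.103 26 170.211.xxx.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher NONE/- text/html
1211985606.130 26 170.211.xxx.31 TCP_MISS/404 1991 GET http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher NONE/- text/html
"""


def unwrap(text):
    """Re-join entries a mail client wrapped: a non-empty line that does not
    start with a timestamp is a continuation of the previous entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if re.match(r"^\d+\.\d{3}", line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries


def parse(text):
    """Parse every entry; raise ValueError on a line that does not fit."""
    parsed = []
    for line in unwrap(text):
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError("unparseable access.log entry: " + line)
        d = m.groupdict()
        for key in ("elapsed", "status", "bytes"):
            d[key] = int(d[key])
        parsed.append(d)
    return parsed


def sequences(entries):
    """Map each URL to the ordered list of (status, hier) it produced."""
    seqs = OrderedDict()
    for e in entries:
        seqs.setdefault(e["url"], []).append((e["status"], e["hier"]))
    return seqs


def auth_outcome(seq):
    """Connection-oriented HTTP auth (NTLM/Negotiate) needs two 401s before
    the origin answers for real: one offering the scheme, one carrying the
    challenge. A third 401 means the final leg was rejected."""
    statuses = [s for s, _ in seq]
    if 401 not in statuses:
        return "no challenge"
    if statuses[-1] != 401:
        final, hier = seq[-1]
        return "handshake completed: final %d via %s" % (final, hier)
    if statuses.count(401) >= 3:
        return "auth loop: third 401 after challenge"
    return "handshake incomplete"


def report(text):
    """URL -> outcome, in first-seen order."""
    return OrderedDict((url, auth_outcome(seq))
                       for url, seq in sequences(parse(text)).items())


if __name__ == "__main__":
    for label, text in (("does NOT connect", NOT_WORKING), ("does connect", WORKING)):
        print(label)
        for url, outcome in report(text).items():
            print("  %s  %s" % (outcome, url))
```

Feed it `grep www.k12.ar.us access.log` output and it reduces each URL to one line: the non-working machine shows the loop on smspo.htm, the working one shows every URL reaching a 304 or 404 after its two 401s. A 404 after the handshake still counts as completed, because the origin only answers with a real status once it has accepted the credentials.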




Re: [squid-users] Authentication problem/oddity/ignorance

2008-05-28 Thread Chris Robertson

Rob Asher wrote:

I have an external site that requires authentication that's not working through 
my proxies.


Proxies.  Plural.  How are you spreading the traffic among the proxies?  
A number of authentication-requiring websites associate login 
credentials with a source IP.  Using a round robin load balancer 
(without source NATing the outgoing requests from the multiple proxies) 
can cause issues with such sites.  As well, using authentication on an 
intercepting (also called a transparent) proxy can cause issues such as 
this.



The squid versions vary from 2.6.STABLE6 to 2.6.STABLE13 with the same results.  With IE7, all 
that's returned is "cannot display the webpage" even with "show friendly http error 
messages" turned off.  With FF2, the login box keeps popping up until you cancel.  Here's the 
oddity though, I have one XP machine that is able to authenticate through the proxy without any 
problems with both IE7 and FF2.   Same user, same proxy, same passwords, just different machines.  
If I bypass the proxy, everything works fine on all machines.  I read something in the archives 
about configuring the browser to keep authentication details longer.  Could that be the difference? 
If so, I have no idea how to change that.  Below are the two relevant portions from access.log.  
I have the Live HTTP Headers add-on for FF also but I'm ignorant on reading and using it 
effectively.  Any help or ideas are appreciated!

Does NOT connect:
[EMAIL PROTECTED] squid]# tail -f access.log | grep www.k12.ar.us 
1211985315.277 53 170.211.xxx.30 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
1211985326.697 25 170.211.xxx.30 TCP_MISS/401 2272 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
1211985326.760 42 170.211.xxx.30 TCP_MISS/401 2028 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html


TCP_MISS/401 indicates the website returned a Not Authorized response, 
which should cause your browser to prompt for authentication.




Does connect:
[EMAIL PROTECTED] squid]# tail -f access.log | grep www.k12.ar.us 
1211985582.423 71 170.211.xxx.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
1211985605.978 27 170.211.xxx.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
1211985606.002 25 170.211.xxx.31 TCP_MISS/304 414 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher NONE/- -
1211985606.077 61 170.211.xxx.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher DIRECT/165.29.214.2 text/html
1211985606.103 26 170.211.xxx.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher NONE/- text/html
1211985606.130 26 170.211.xxx.31 TCP_MISS/404 1991 GET http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher NONE/- text/html
1211985606.234 71 170.211.xxx.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/bg.jpg rasher DIRECT/165.29.214.2 text/html
1211985606.259 24 170.211.xxx.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/bg.jpg rasher DIRECT/165.29.214.2 text/html
1211985606.263 49 170.211.xxx.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/topmenu.jpg rasher DIRECT/165.29.214.2 text/html
1211985606.267 53 170.211.xxx.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/mid.jpg rasher DIRECT/165.29.214.2 text/html
1211985606.281 21 170.211.xxx.31 TCP_MISS/304 413 GET http://www.k12.ar.us/secure/smspo/bg.jpg rasher NONE/- -
1211985606.286 23 170.211.xxx.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/topmenu.jpg rasher DIRECT/165.29.214.2 text/html
1211985606.291 23 170.211.xxx.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/mid.jpg rasher DIRECT/165.29.214.2 text/html
1211985606.314 26 170.211.xxx.31 TCP_MISS/304 412 GET http://www.k12.ar.us/secure/smspo/topmenu.jpg rasher NONE/- -
1211985606.314 22 170.211.xxx.31 TCP_MISS/304 413 GET http://www.k12.ar.us/secure/smspo/mid.jpg rasher NONE/- -


Wow.  Not a single TCP_MISS/200 or TCP_HIT/200.  The only requests that 
succeeded were cached content (TCP_MISS/304, with a parent of NONE).  
So, from the evidence given, the machine that is working only appears 
to be working because it is able to wrest a response from the cache that 
allows it to use its locally cached copy...



Thanks,
Rob


-
Rob Asher
Network Systems Technician
Paragould School District
(870)236-7744 Ext. 169
  


Chris