Re: [squid-users] Authentication problem/oddity/ignorance

Wed, 28 May 2008 15:56:22 -0700 

Rob Asher wrote:

I have an external site that requires authentication that's not working through 
my proxies.



Proxies.  Plural.  How are you spreading the traffic among the proxies.  
A number of authentication requiring websites associate login 
credentials with a source IP.  Using a round robin load balancer 
(without source NATing the outgoing requests from the multiple proxies) 
can cause issues with such sites.  As well, using authentication on a 
intercepting (also called a transparent) proxy can cause issues such as 
this.



The squid versions vary from 2.6.STABLE6 to 2.6.STABLE13 with the same results.  With IE7, all 
that's returned is "cannot display the webpage" even with "show friendly http error 
messages" turned off.  With FF2, the login box keeps popping up until you cancel.  Here's the 
oddity though, I have one XP machine that is able to authenticate through the proxy without any 
problems with both IE7 and FF2.   Same user, same proxy, same passwords just different machines.  
If I bypass the proxy, everything works fine on all machines.  I read something in the archives 
about configuring the browser to keep authentication details longer.  Could that be the difference? 
 If so, I have no idea how to change that??  Below are the two relevant portions from access.log.  
I have the live http header add-on for FF also but I'm ignorant on reading and using it 
effectively.  Any help or ideas are appreciated!

Does NOT connect:

[EMAIL PROTECTED] squid]# tail -f access.log | grep www.k12.ar.us 
1211985315.277     53 170.211.xxx.30 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html

1211985326.697     25 170.211.xxx.30 TCP_MISS/401 2272 GET 
http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
1211985326.760     42 170.211.xxx.30 TCP_MISS/401 2028 GET 
http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html

  



TCP_MISS/401 indicates the website returned a "Not Authorized" response, 
which should cause your browser to prompt for authentication.




Does connect:

[EMAIL PROTECTED] squid]# tail -f access.log | grep www.k12.ar.us 
1211985582.423     71 170.211.xxx.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html

1211985605.978     27 170.211.xxx.31 TCP_MISS/401 2277 GET 
http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
1211985606.002     25 170.211.xxx.31 TCP_MISS/304 414 GET 
http://www.k12.ar.us/secure/smspo/smspo.htm rasher NONE/- -
1211985606.077     61 170.211.xxx.31 TCP_MISS/401 2145 GET 
http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher DIRECT/165.29.214.2 
text/html
1211985606.103     26 170.211.xxx.31 TCP_MISS/401 2277 GET 
http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher NONE/- text/html
1211985606.130     26 170.211.xxx.31 TCP_MISS/404 1991 GET 
http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher NONE/- text/html
1211985606.234     71 170.211.xxx.31 TCP_MISS/401 2145 GET 
http://www.k12.ar.us/secure/smspo/bg.jpg rasher DIRECT/165.29.214.2 text/html
1211985606.259     24 170.211.xxx.31 TCP_MISS/401 2277 GET 
http://www.k12.ar.us/secure/smspo/bg.jpg rasher DIRECT/165.29.214.2 text/html
1211985606.263     49 170.211.xxx.31 TCP_MISS/401 2145 GET 
http://www.k12.ar.us/secure/smspo/topmenu.jpg rasher DIRECT/165.29.214.2 
text/html
1211985606.267     53 170.211.xxx.31 TCP_MISS/401 2145 GET 
http://www.k12.ar.us/secure/smspo/mid.jpg rasher DIRECT/165.29.214.2 text/html
1211985606.281     21 170.211.xxx.31 TCP_MISS/304 413 GET 
http://www.k12.ar.us/secure/smspo/bg.jpg rasher NONE/- -
1211985606.286     23 170.211.xxx.31 TCP_MISS/401 2277 GET 
http://www.k12.ar.us/secure/smspo/topmenu.jpg rasher DIRECT/165.29.214.2 
text/html
1211985606.291     23 170.211.xxx.31 TCP_MISS/401 2277 GET 
http://www.k12.ar.us/secure/smspo/mid.jpg rasher DIRECT/165.29.214.2 text/html
1211985606.314     26 170.211.xxx.31 TCP_MISS/304 412 GET 
http://www.k12.ar.us/secure/smspo/topmenu.jpg rasher NONE/- -
1211985606.314     22 170.211.xxx.31 TCP_MISS/304 413 GET 
http://www.k12.ar.us/secure/smspo/mid.jpg rasher NONE/- -

  



Wow.  Not a single TCP_MISS/200 or TCP_HIT/200.  The only requests that 
succeeded were cached content (TCP_MISS/304, with a parent of NONE).  
So, from the evidence given, the machine that is "working" only appears 
to be working because it is able to wrest a response from the cache that 
allows it to use its locally cached copy...



Thanks,
Rob


-------------------------------------
Rob Asher
Network Systems Technician
Paragould School District
(870)236-7744 Ext. 169

  


Chris






















					Reply via email to