Re: [squid-users] Authentication problem/oddity/ignorance

From: Chris Robertson <crobertson_at_gci.net>
Date: Wed, 28 May 2008 14:03:28 -0800

Rob Asher wrote:
> I have an external site that requires authentication that's not working through my proxies.

Proxies. Plural. How are you spreading the traffic among the proxies?
A number of authentication-requiring websites associate login
credentials with a source IP. Using a round robin load balancer
(without source NATing the outgoing requests from the multiple proxies)
can cause issues with such sites. As well, using authentication on an
intercepting (also called a transparent) proxy can cause issues such as
this.

> The squid versions vary from 2.6.STABLE6 to 2.6.STABLE13 with the same results. With IE7, all that's returned is "cannot display the webpage" even with "show friendly http error messages" turned off. With FF2, the login box keeps popping up until you cancel. Here's the oddity though, I have one XP machine that is able to authenticate through the proxy without any problems with both IE7 and FF2. Same user, same proxy, same passwords just different machines. If I bypass the proxy, everything works fine on all machines. I read something in the archives about configuring the browser to keep authentication details longer. Could that be the difference? If so, I have no idea how to change that?? Below are the two relevant portions from access.log. I have the live http header add-on for FF also but I'm ignorant on reading and using it effectively. Any help or ideas are appreciated!
>
> Does NOT connect:
> [root_at_phs-proxy squid]# tail -f access.log | grep www.k12.ar.us
> 1211985315.277 53 170.211.xxx.30 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
> 1211985326.697 25 170.211.xxx.30 TCP_MISS/401 2272 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
> 1211985326.760 42 170.211.xxx.30 TCP_MISS/401 2028 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
>

TCP_MISS/401 indicates the website returned a "Not Authorized" response,
which should cause your browser to prompt for authentication.

>
> Does connect:
> [root_at_phs-proxy squid]# tail -f access.log | grep www.k12.ar.us
> 1211985582.423 71 170.211.xxx.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
> 1211985605.978 27 170.211.xxx.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
> 1211985606.002 25 170.211.xxx.31 TCP_MISS/304 414 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher NONE/- -
> 1211985606.077 61 170.211.xxx.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher DIRECT/165.29.214.2 text/html
> 1211985606.103 26 170.211.xxx.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher NONE/- text/html
> 1211985606.130 26 170.211.xxx.31 TCP_MISS/404 1991 GET http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher NONE/- text/html
> 1211985606.234 71 170.211.xxx.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/bg.jpg rasher DIRECT/165.29.214.2 text/html
> 1211985606.259 24 170.211.xxx.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/bg.jpg rasher DIRECT/165.29.214.2 text/html
> 1211985606.263 49 170.211.xxx.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/topmenu.jpg rasher DIRECT/165.29.214.2 text/html
> 1211985606.267 53 170.211.xxx.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/mid.jpg rasher DIRECT/165.29.214.2 text/html
> 1211985606.281 21 170.211.xxx.31 TCP_MISS/304 413 GET http://www.k12.ar.us/secure/smspo/bg.jpg rasher NONE/- -
> 1211985606.286 23 170.211.xxx.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/topmenu.jpg rasher DIRECT/165.29.214.2 text/html
> 1211985606.291 23 170.211.xxx.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/mid.jpg rasher DIRECT/165.29.214.2 text/html
> 1211985606.314 26 170.211.xxx.31 TCP_MISS/304 412 GET http://www.k12.ar.us/secure/smspo/topmenu.jpg rasher NONE/- -
> 1211985606.314 22 170.211.xxx.31 TCP_MISS/304 413 GET http://www.k12.ar.us/secure/smspo/mid.jpg rasher NONE/- -
>

Wow. Not a single TCP_MISS/200 or TCP_HIT/200. The only requests that
succeeded were cached content (TCP_MISS/304, with a parent of NONE).
So, from the evidence given, the machine that is "working" only appears
to be working because it is able to wrest a response from the cache that
allows it to use its locally cached copy...

> Thanks,
> Rob
>
>
> -------------------------------------
> Rob Asher
> Network Systems Technician
> Paragould School District
> (870)236-7744 Ext. 169
>

Chris
Received on Wed May 28 2008 - 22:03:34 MDT
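
The access.log reading done in the reply above, as an added example that is not part of the original thread: a small Python parser for Squid's native log format that tallies result/status pairs per client and lists clients for which no request ended in a 200. The sample lines are copied from the excerpts quoted above; the function names are this example's own.

```python
from collections import Counter, defaultdict

# Sample input: lines copied from the access.log excerpts quoted in this thread.
SAMPLE_LOG = """\
1211985315.277 53 170.211.xxx.30 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
1211985326.697 25 170.211.xxx.30 TCP_MISS/401 2272 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
1211985326.760 42 170.211.xxx.30 TCP_MISS/401 2028 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
1211985582.423 71 170.211.xxx.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
1211985605.978 27 170.211.xxx.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
1211985606.002 25 170.211.xxx.31 TCP_MISS/304 414 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher NONE/- -
1211985606.130 26 170.211.xxx.31 TCP_MISS/404 1991 GET http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher NONE/- text/html
"""

def parse_line(line):
    """Split one native-format access.log line into named fields, or return None."""
    parts = line.split()
    if len(parts) < 10:
        return None  # truncated or not in the native format
    result, _, status = parts[3].partition("/")
    hierarchy, _, peer = parts[8].partition("/")
    try:
        return {"client": parts[2], "result": result, "status": int(status),
                "url": parts[6], "user": parts[7], "hierarchy": hierarchy, "peer": peer}
    except ValueError:
        return None  # status field was not numeric

def summarise(log_text):
    """Per client: tally of result/status pairs, plus replies with hierarchy NONE."""
    codes, no_peer = defaultdict(Counter), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        codes[rec["client"]][f'{rec["result"]}/{rec["status"]}'] += 1
        if rec["hierarchy"] == "NONE":
            no_peer[rec["client"]] += 1
    return codes, no_peer

def clients_without_200(log_text):
    """Clients for which no logged request ended in a 200 status."""
    codes, _ = summarise(log_text)
    return sorted(c for c, tally in codes.items()
                  if not any(key.endswith("/200") for key in tally))

if __name__ == "__main__":
    codes, no_peer = summarise(SAMPLE_LOG)
    for client in sorted(codes):
        print(client, dict(codes[client]), "hierarchy NONE:", no_peer[client])
    print("no 200 seen for:", clients_without_200(SAMPLE_LOG))
```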
