Re: [squid-users] Squid + F5 balancing doesnt work!!!

From: Luis Daniel Lucio Quiroz <luis.daniel.lucio_at_gmail.com>
Date: Wed, 2 Jul 2008 20:38:19 -0500

Thanks Henrik

That is it! I did not realize the stateful requirement of digest auth. We
changed the architecture of squid a little and then it worked. F5 is now using some kind
of configuration to have an active-passive schema.

Regards,

LD

On Wednesday 02 July 2008 06:06:34 Henrik Nordstrom wrote:
> On tis, 2008-07-01 at 20:25 -0500, Luis Daniel Lucio Quiroz wrote:
> > 1214974554.906 0 99.90.40.253 TCP_DENIED/407 3249 GET
> > http://www.presidencia.gob.mx/imgs/edomayor_over.gif a2 NONE/- text/html
> >
> > if we use persistence, it works, but we can stop using of sharing
> > usernames. Balancing schema is like this:
> >
> > user -> balancer f5 -> squid1
> >                    \-> squid2
> >
> > Squid is configured with LDAP-digest auth.
>
> digest auth needs persistent sessions to work best. Without session it
> will perform quite badly with many repeated 407 exchanges.
>
> The reason for this is that digest authentication is stateful, with the
> server verifying that the client responds to a challenge sent by that
> server. This is part of the replay protection against authenticated
> session theft and by design in the digest authentication scheme. Each
> time the client gets connected to a new proxy server the server-issued
> challenge needs to be renewed.
>
> basic authentication works well with "dumb" TCP load balancing, as it's
> completely stateless.
>
> NTLM/Negotiate also works with "dumb" TCP load balancing, as it's very
> stateful but at the TCP connection level, not at the HTTP message
> level.
>
> Regards
> Henrik
Received on Thu Jul 03 2008 - 01:36:16 MDT
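
The repeated 407 exchanges described in the quoted reply, as an added example that is not part of the original thread and is not Squid's code: a simplified model of two proxies that each accept only the digest nonces they issued themselves, compared under per-connection round-robin balancing and under persistence. Assumptions: the user name, realm and password are constructed values, the response is the RFC 2617 form without qop, and the retry after a 407 reuses the same connection.

```python
import hashlib
import itertools
import secrets

REALM, USER, PASSWORD = "proxy", "a2", "example-password"  # constructed values

def md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(nonce, method, uri):
    # RFC 2617 response without qop: MD5(HA1:nonce:HA2)
    ha1 = md5(f"{USER}:{REALM}:{PASSWORD}")
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{ha2}")

class Proxy:
    """Toy proxy: challenge state is local, so foreign nonces are rejected."""
    def __init__(self):
        self.issued = set()

    def handle(self, method, uri, nonce=None, response=None):
        if nonce in self.issued and response == digest_response(nonce, method, uri):
            return 200, nonce
        fresh = secrets.token_hex(8)  # new challenge known to this proxy only
        self.issued.add(fresh)
        return 407, fresh

def count_407(pick_backend, requests=10):
    """Send GETs through the balancer and return how many 407 replies were seen."""
    nonce, denied = None, 0
    for i in range(requests):
        uri = f"http://example.test/img{i}.gif"  # constructed URL
        proxy = pick_backend()  # balancer decides once per new connection
        resp = digest_response(nonce, "GET", uri) if nonce else None
        status, nonce = proxy.handle("GET", uri, nonce, resp)
        if status == 407:  # answer the challenge on the same connection
            denied += 1
            proxy.handle("GET", uri, nonce, digest_response(nonce, "GET", uri))
    return denied

def round_robin(backends):
    cycle = itertools.cycle(backends)
    return lambda: next(cycle)

def sticky(backends):
    return lambda: backends[0]  # persistence or active-passive

if __name__ == "__main__":
    print("round robin 407s:", count_407(round_robin([Proxy(), Proxy()])))
    print("persistent 407s: ", count_407(sticky([Proxy(), Proxy()])))
```

With alternating backends every request carries a nonce the receiving proxy never issued, so each one costs an extra 407 round trip; with persistence only the first request is challenged.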
