[squid-users] Re: Kerberos / Authentication / squid

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Sat, 30 Nov 2013 01:01:26 -0000

You may need to increase the following:

src/auth/UserRequest.h:#define MAX_AUTHTOKEN_LEN 32768

Regards
Markus

"Amos Jeffries" wrote in message news:52971E79.9030002_at_treenet.co.nz...

On 28/11/2013 10:42 p.m., Berthold Zettler wrote:
> Hi Madhav,
>
>
>
> all relevant systems (AD-Controllers and the clients (Windows 7)) have a
> value for "MaxTokenSize" of 65535.
>
> Therefore I don't think that this failure was caused by AD- or client
> settings.
>
> The tokensize (27332) reported by the MS tokensz.exe tool is far below
> this value.
> Our other kerberized systems (Apaches) are working fine with this large
> tokensize.
>
> So I think it's a squid / buffer or kerberos-helper related issue

That MAX_AUTHTOKEN_LEN (64KB) is what is used directly to allocate the
Squid buffer and helper buffer and the base-64 encoded version of the
token needs to fit inside it along with the 3-5 helper protocol bytes.

A bigger problem is the Squid network I/O parsing. The buffer holding
HTTP headers also has a default maximum length of 64KB ... for the
entire HTTP header block.
  http://www.squid-cache.org/Doc/config/request_header_max_size/
  http://www.squid-cache.org/Doc/config/reply_header_max_size/

If you need to you can bump those up to around 256KB before you start to
hit other limits in the primary I/O buffer itself.

PS. you should also look to the library Squid is using. It may have
limits or problems of its own separate from the Apache systems library.

PPS. The IETF HTTPbis WG did an analysis of many software a while back
and concluded that the maximum generally acceptable HTTP header length
was 4KB. Squid with its 64KB limit is one of the more accepting out
there. So be careful of *any* other software involved with that traffic.

Amos
Received on Sat Nov 30 2013 - 01:01:43 MST
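
Added example (not part of the original messages and not Squid code): a sizing check for the limits discussed in this thread. It assumes the 27332 bytes reported by tokensz.exe is the raw token size before base64 encoding and takes 5 bytes as the helper protocol overhead; the function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Value quoted in the thread from src/auth/UserRequest.h. */
#define MAX_AUTHTOKEN_LEN 32768
/* Assumption: upper end of the "3-5 helper protocol bytes" from the thread. */
#define HELPER_OVERHEAD 5

/* Length of the padded base64 encoding of raw_len bytes. */
size_t b64_len(size_t raw_len)
{
    return ((raw_len + 2) / 3) * 4;
}

/* 1 if the encoded token plus helper framing fits in buf_len bytes. */
int token_fits(size_t raw_len, size_t buf_len)
{
    return b64_len(raw_len) + HELPER_OVERHEAD <= buf_len;
}

/* Largest raw token whose encoding plus framing fits in buf_len bytes. */
size_t max_raw_token(size_t buf_len)
{
    if (buf_len < HELPER_OVERHEAD + 4)
        return 0;
    return ((buf_len - HELPER_OVERHEAD) / 4) * 3;
}

/* Bytes used by the auth header line alone: name, scheme, token, CRLF. */
size_t auth_header_len(size_t raw_len)
{
    static const char prefix[] = "Proxy-Authorization: Negotiate ";
    return (sizeof(prefix) - 1) + b64_len(raw_len) + 2;
}

int main(void)
{
    const size_t raw = 27332; /* token size reported in the thread */
    const size_t limits[] = { MAX_AUTHTOKEN_LEN, 65536 };

    printf("raw %zu -> base64 %zu bytes\n", raw, b64_len(raw));
    for (size_t i = 0; i < sizeof(limits) / sizeof(limits[0]); i++)
        printf("buffer %zu: %s (largest raw token %zu)\n", limits[i],
               token_fits(raw, limits[i]) ? "fits" : "too large",
               max_raw_token(limits[i]));
    printf("auth header line: %zu of the 64KB header block\n",
           auth_header_len(raw));
    return 0;
}
```

Under these assumptions the encoded token exceeds a 32768-byte buffer but fits a 65536-byte one, and the auth header line alone takes more than half of the default 64KB header block.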