[squid-users] NTLM and persistent connections reverse proxy 3.1.20

From: James Harper <james.harper_at_bendigoit.com.au>
Date: Mon, 11 Jun 2012 08:11:32 +0000

I'm having some problems with reverse proxy and NTLM authentication. Specifically, the connection to the client is not persisted, which I believe invalidates the NTLM authentication protocol. I've added a source port number to the logs, which shows that it is indeed creating a new connection for each request. There seems to have been a bit of mailing list activity about similar problems, but nothing exactly the same, and none of the suggested solutions work. My config (hostnames and IPs removed) is this:

https_port IPADDRESS:443 accel cert=/etc/squid3/apps.<snip>.com.au.pem defaultsite=apps.<snip>.com.au connection-auth=on
cache_peer <snip>com1.<snip>.local parent 443 0 proxy-only no-query no-digest originserver login=PROXYPASS name=<snip>com1 ssl sslflags=DONT_VERIFY_PEER
cache_peer <snip>web1.<snip>.local parent 80 0 proxy-only no-query no-digest front-end-https=on connection-auth=on originserver login=PROXYPASS name=<snip>web1
cache_peer <snip>svr6.<snip>.local parent 80 0 no-query no-digest originserver login=PROXYPASS name=<snip>svr6
acl dst_apps dstdomain apps.<snip>.com.au
acl exchange_path urlpath_regex ^\/owa$ fast
acl exchange_path urlpath_regex ^\/owa\/.* fast
acl exchange_path urlpath_regex ^\/Microsoft-Server-ActiveSync\/.* fast
acl rpc_path urlpath_regex ^\/rpc\/.* fast
acl mantis_path urlpath_regex ^\/mantis$ fast
acl mantis_path urlpath_regex ^\/mantis\/.* fast
never_direct allow dst_apps
cache_peer_access <snip>com1 allow dst_apps exchange_path
cache_peer_access <snip>com1 deny all
cache_peer_access <snip>web1 allow dst_apps rpc_path
cache_peer_access <snip>web1 deny all
cache_peer_access <snip>svr6 allow dst_apps mantis_path
cache_peer_access <snip>svr6 deny all
http_access allow dst_apps
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_port 3128
logformat squidextra %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %>p %<lp [%>h] [%>ha] [%<h]
access_log /var/log/squid3/access.log squidextra
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
ignore_expect_100 on
client_persistent_connections on
server_persistent_connections on
forwarded_for transparent

and a log of the connections:

1339400327.348 2 IPADDRESS TCP_MISS/401 699 RPC_IN_DATA https://apps.<snip>.com.au/rpc/rpcproxy.dll? - FIRST_UP_PARENT/<snip>web1 text/plain 55928 - [Cache-Control: no-cache\r\nConnection: Keep-Alive\r\nPragma: ResourceTypeUuid=44e265dd-7daf-42cd-8560-3cdb6e7a2729\r\nAccept: application/rpc\r\nUser-Agent: MSRPC\r\nContent-Length: 0\r\nHost: apps.<snip>.com.au\r\nAuthorization: NTLM <snip>\r\n] [Cache-Control: no-cache\r\nConnection: Keep-Alive\r\nPragma: ResourceTypeUuid=44e265dd-7daf-42cd-8560-3cdb6e7a2729\r\nAccept: application/rpc\r\nUser-Agent: MSRPC\r\nContent-Length: 0\r\nHost: apps.<snip>.com.au\r\nAuthorization: NTLM <snip>\r\n] [HTTP/1.1 401 Unauthorized\r\nContent-Type: text/plain\r\nServer: Microsoft-IIS/7.5\r\nWWW-Authenticate: NTLM <snip>\r\nWWW-Authenticate: Negotiate\r\nWWW-Authenticate: Basic realm="apps.<snip>.com.au"\r\nX-Powered-By: ASP.NET\r\nDate: Mon, 11 Jun 2012 07:38:40 GMT\r\nContent-Length: 13\r\n\r]
1339400327.572 1 IPADDRESS TCP_MISS/401 410 RPC_IN_DATA https://apps.<snip>.com.au/rpc/rpcproxy.dll? - FIRST_UP_PARENT/<snip>web1 text/plain 55929 - [Cache-Control: no-cache\r\nConnection: Keep-Alive\r\nPragma: ResourceTypeUuid=44e265dd-7daf-42cd-8560-3cdb6e7a2729\r\nAccept: application/rpc\r\nUser-Agent: MSRPC\r\nContent-Length: 1073741824\r\nHost: apps.<snip>.com.au\r\nAuthorization: NTLM <snip>\r\n] [Cache-Control: no-cache\r\nConnection: Keep-Alive\r\nPragma: ResourceTypeUuid=44e265dd-7daf-42cd-8560-3cdb6e7a2729\r\nAccept: application/rpc\r\nUser-Agent: MSRPC\r\nContent-Length: 1073741824\r\nHost: apps.<snip>.com.au\r\nAuthorization: NTLM <snip>\r\n] [HTTP/1.1 401 Unauthorized\r\nContent-Type: text/plain\r\nServer: Microsoft-IIS/7.5\r\nWWW-Authenticate: Negotiate\r\nWWW-Authenticate: NTLM\r\nWWW-Authenticate: Basic realm="apps.<snip>.com.au"\r\nX-Powered-By: ASP.NET\r\nDate: Mon, 11 Jun 2012 07:38:40 GMT\r\nContent-Length: 13\r\n\r]
1339400327.801 1 IPADDRESS TCP_MISS/401 699 RPC_OUT_DATA https://apps.<snip>.com.au/rpc/rpcproxy.dll? - FIRST_UP_PARENT/<snip>web1 text/plain 55930 - [Cache-Control: no-cache\r\nConnection: Keep-Alive\r\nPragma: ResourceTypeUuid=44e265dd-7daf-42cd-8560-3cdb6e7a2729, SessionId=8a60d4da-0aa9-4b27-9f4f-9b1e614fbc42\r\nAccept: application/rpc\r\nUser-Agent: MSRPC\r\nContent-Length: 0\r\nHost: apps.<snip>.com.au\r\nAuthorization: NTLM <snip>\r\n] [Cache-Control: no-cache\r\nConnection: Keep-Alive\r\nPragma: ResourceTypeUuid=44e265dd-7daf-42cd-8560-3cdb6e7a2729, SessionId=8a60d4da-0aa9-4b27-9f4f-9b1e614fbc42\r\nAccept: application/rpc\r\nUser-Agent: MSRPC\r\nContent-Length: 0\r\nHost: apps.<snip>.com.au\r\nAuthorization: NTLM <snip>\r\n] [HTTP/1.1 401 Unauthorized\r\nContent-Type: text/plain\r\nServer: Microsoft-IIS/7.5\r\nWWW-Authenticate: NTLM <snip>\r\nWWW-Authenticate: Negotiate\r\nWWW-Authenticate: Basic realm="apps.<snip>.com.au"\r\nX-Powered-By: ASP.NET\r\nDate: Mon, 11 Jun 2012 07:38:40 GMT\r\nContent-Length: 13\r\n\r]
1339400328.029 1 IPADDRESS TCP_MISS/401 410 RPC_OUT_DATA https://apps.<snip>.com.au/rpc/rpcproxy.dll? - FIRST_UP_PARENT/<snip>web1 text/plain 55931 - [Cache-Control: no-cache\r\nConnection: Keep-Alive\r\nPragma: ResourceTypeUuid=44e265dd-7daf-42cd-8560-3cdb6e7a2729, SessionId=8a60d4da-0aa9-4b27-9f4f-9b1e614fbc42\r\nAccept: application/rpc\r\nUser-Agent: MSRPC\r\nContent-Length: 76\r\nHost: apps.<snip>.com.au\r\nAuthorization: NTLM <snip>\r\n] [Cache-Control: no-cache\r\nConnection: Keep-Alive\r\nPragma: ResourceTypeUuid=44e265dd-7daf-42cd-8560-3cdb6e7a2729, SessionId=8a60d4da-0aa9-4b27-9f4f-9b1e614fbc42\r\nAccept: application/rpc\r\nUser-Agent: MSRPC\r\nContent-Length: 76\r\nHost: apps.<snip>.com.au\r\nAuthorization: NTLM <snip>\r\n] [HTTP/1.1 401 Unauthorized\r\nContent-Type: text/plain\r\nServer: Microsoft-IIS/7.5\r\nWWW-Authenticate: Negotiate\r\nWWW-Authenticate: NTLM\r\nWWW-Authenticate: Basic realm="apps.<snip>.com.au"\r\nX-Powered-By: ASP.NET\r\nDate: Mon, 11 Jun 2012 07:38:40 GMT\r\nContent-Length: 13\r\n\r]

Any suggestions? Is this a known bug somewhere? The outlook web access and mantis proxying work just fine, it's just the rpc (terminal server gateway) that doesn't.

Thanks

James
Received on Mon Jun 11 2012 - 08:11:41 MDT
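A check for the symptom James describes, added here as an example (it is not from the post or from Squid itself): it parses lines in his "squidextra" logformat, uses the %>p client source port to tell client connections apart, and reports every NTLM Type 2 challenge whose Type 3 answer arrived on a different connection, which is exactly what breaks the connection-oriented NTLM handshake. The sample lines are constructed to match the layout of his log, with headers shortened and the NTLM tokens replaced by placeholders.

```python
import re

# Field order of the poster's "squidextra" logformat; field 11 (%>p) is the client's source port,
# so a different value on each request means each request arrived on a new TCP connection.
LINE_RE = re.compile(
    r"^\S+\s+\d+\s+(?P<client>\S+)\s+(?P<result>\S+)(?:\s+\S+){6}\s+(?P<port>\d+)\s+\S+\s+"
    r"\[(?P<req>.*?)\]\s+\[.*?\]\s+\[(?P<resp>.*?)\]$")

def parse_headers(block):
    """Split a bracketed header block (squid writes literal \\r\\n separators) into (name, value)."""
    pairs = [raw.split(": ", 1) for raw in block.split("\\r\\n") if ": " in raw]
    return [(name.lower(), value) for name, value in pairs]

def parse_line(line):
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = {"client": m["client"], "result": m["result"], "port": int(m["port"])}
    rec["req_auth"] = [v for n, v in parse_headers(m["req"]) if n == "authorization"]
    rec["www_auth"] = [v for n, v in parse_headers(m["resp"]) if n == "www-authenticate"]
    return rec

def issued_ntlm_challenge(rec):
    """A 401 carrying 'WWW-Authenticate: NTLM <blob>' is the Type 2 challenge; the client's Type 3
    answer is only valid on the same TCP connection. A bare 'NTLM' means IIS restarted the exchange."""
    return rec["result"].endswith("/401") and any(v.startswith("NTLM ") for v in rec["www_auth"])

def find_broken_handshakes(lines):
    """Return (challenge_port, answer_port) pairs where the answer came on a different connection."""
    broken, pending = [], {}  # pending: client address -> source port that received a challenge
    for line in lines:
        rec = parse_line(line)
        if rec is None or not any(v.startswith("NTLM") for v in rec["req_auth"]):
            continue
        if rec["client"] in pending and pending[rec["client"]] != rec["port"]:
            broken.append((pending[rec["client"]], rec["port"]))
        if issued_ntlm_challenge(rec):
            pending[rec["client"]] = rec["port"]
        else:
            pending.pop(rec["client"], None)
    return broken

# Constructed sample in the poster's layout: headers shortened, NTLM tokens replaced by placeholders.
SAMPLE_LOG = [
    r"1339400327.348      2 IPADDRESS TCP_MISS/401 699 RPC_IN_DATA https://apps.<snip>.com.au/rpc/rpcproxy.dll? - FIRST_UP_PARENT/web1 text/plain 55928 - [Connection: Keep-Alive\r\nAuthorization: NTLM <type1>\r\n] [Connection: Keep-Alive\r\nAuthorization: NTLM <type1>\r\n] [HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: NTLM <type2>\r\nWWW-Authenticate: Negotiate\r\n\r]",
    r"1339400327.572      1 IPADDRESS TCP_MISS/401 410 RPC_IN_DATA https://apps.<snip>.com.au/rpc/rpcproxy.dll? - FIRST_UP_PARENT/web1 text/plain 55929 - [Connection: Keep-Alive\r\nAuthorization: NTLM <type3>\r\n] [Connection: Keep-Alive\r\nAuthorization: NTLM <type3>\r\n] [HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\nWWW-Authenticate: NTLM\r\n\r]",
]
```

Running find_broken_handshakes over the real access.log gives one pair per request that had to restart the handshake; an empty list means the client connection was reused across the challenge and its answer.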
