[squid-users] Squid with NTLM auth behind netscaler

Amos Jeffries squid3 at treenet.co.nz
Sat Dec 5 06:22:07 UTC 2015

On 5/12/2015 5:39 a.m., Fabio Bucci wrote:
> Thanks Amos.
> Actually my load balancing is configured to perform round robin balancing
> between the two nodes. I added a session persistance by source ip in order
> to avoid to login again with some sites.
> my squid.conf is very simple:
> auth_param ntlm program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 100
> auth_param ntlm keep_alive off
> acl auth proxy_auth REQUIRED
> http_access allow auth

Okay. That *should* work. With some NTLM-specific caveats.

> forwarded_for on
> follow_x_forwarded_for allow netscaler

If the LB is touching the traffic enough to add headers then it is a
proxy. NTLM does not work at all well through proxies. NTLM as a whole
is based on the assumption that there is one (and only one) TCP
connection between it and the proxy - the credentials are tied to the
TCP connection state.

There is one VERY slim hack that lets NTLM pass straight through a
frontend proxy/LB. That is by pinning the LB's inbound and outbound TCP
connections together. This is not just session persistence, but absolute
prohibition on any other traffic (even from other connections by the
same client) being sent to that outbound LB->proxy connection. Some LB
can do it, some can't.

I recommend advertising both/all proxy IPs to the clients and letting
each select the one(s) it wants to contact. That way the client can
perform NTLM directly to the Squid.

On the other hand NTLM was deprecated back in 2006, you should try
migrating to Negotiate/Kerberos. Kerberos is a bit of a learning curve
and can be tricky working with older client software. But is *way* more
efficient and friendlier to HTTP (but still not fully).


More information about the squid-users mailing list