[squid-users] Users inserted incorrectly in access.log

[Amos Jeffries]

On 20/01/2017 2:37 a.m., Eduardo Carneiro wrote:
> Hi everyone.
> 
> I have a environment with one frontend server and three parent servers in
> culster. The frontend server receives all client connections and forward
> them to parent servers. There is no exist any authentication method in the
> frontend server. In the parent servers the requests are authenticated via
> KERBEROS.
> 
> The problem is, when there are simultaneous accesses to any site, usernames,
> many times, are inserted incorrectly in the access.log. Per example, the
> user "userA" accesses microsoft.com, but on access.log, shows "userB".
> 
> On the frontend server, there are these three lines:
> 
> cache_peer server1.domain.com parent 8080 3130 round-robin sourcehash
> no-query login=PASSTHRU connection-auth=on
> cache_peer server2.domain.com parent 8080 3130 round-robin sourcehash
> no-query login=PASSTHRU connection-auth=on
> cache_peer server3.domain.com parent 8080 3130 round-robin sourcehash
> no-query login=PASSTHRU connection-auth=on


Please start by selecting one of round-robin and sourcehash. They are
very different selection algorithms.

Given that Kerberos auth requires HTTP/1 multiplexing to be disabled for
the auth to work I suggest that you drop the round-robin. It forces
multiplexing to be used.

If the problem still remains try adding the connection-auth=on to those
Squid's listening ports as well.


> 
> I noticed that when the access is direct to some parent server, this problem
> do not occurs. Only if connection pass by frontend.
> 
> Is this a bug?
> 

Maybe. What version of Squid are you using?
This was a problem back in 3.2 and older IIRC.

Amos