[squid-users] GET requests remain in pending state with Squid and Kerberos auth

Amos Jeffries squid3 at treenet.co.nz
Wed May 23 12:18:18 UTC 2018


On 23/05/18 19:11, Ahmad, Sarfaraz wrote:
> Hi,
> 
>  
> 
> I am using Squid as an explicit proxy (configured in the browsers) and
> have configured it to authenticate all users with Kerberos.
> 
> Here are the relevant bits from squid.conf
> 
>  
> 
> auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -r -s HTTP/proxytest1.mydomain.com@MYDOMAIN.COM -k /etc/squid/HTTP.keytab
> 
> auth_param negotiate children 10
> 
> auth_param negotiate keep_alive on
> 
>  
> 
> I know I should be expecting 407s for new TCP connections and pages do
> load a bit slower compared to Basic Auth.

There should be no difference in timing or message status with Kerberos
than with Basic auth.


> 
> But that isn’t the problem. The problem is at times some of the web
> page resources (GET requests mostly) just hang there endlessly. (Chrome
> just says pending)

How long is this "hang" you mention?
 Is there any specific timing to it?
 When it ends, which piece of software is terminating the connection from
Browser to Squid?
 Do those transactions actually get sent to Squid? (It may seem dumb,
but Google have invented several protocols of their own which Chrome
uses instead of HTTP to fetch objects.)

Also,

 Do the request messages finish arriving at the proxy end of the
connections?
 Does the domain in the request resolve quickly?
 What does that request message look like on-wire?

Does Squid send anything to a server?
 Does the server respond?
 What does that response message look like on-wire?
 Does that response finish arriving to the proxy?
 Which endpoint on the Squid<->server connection closes it?


You may need to configure "debug_options 11,2" to record the HTTP
message traffic to find the above details.


> 
> When I do a refresh, the browser loads that very same resource (say a
> .js/.css file) just fine.
> 
>  
> 
> This is just a test setup and I looked at the negotiate helper stats. Here
> 
...
> 
> I don’t think they are the problem.

Agreed, at least from those stats.

> 
> Any thoughts on what could be going on here? I don’t have a way to
> reproduce this reliably so far and this happens intermittently.
> 

You will have to dig a bit further into the traffic chain and hopefully
one of the questions above will lead you to find out what exactly is
hanging. What you have mentioned so far does not contain any clues.


HTH
Amos

