[squid-users] Squid with NTLM auth behind netscaler

Fabio Bucci fabietto82 at gmail.com
Mon Dec 7 13:57:54 UTC 2015


Thanks Amos.
So, what do you suggest? Implement Kerberos authentication instead of the NTLM one?

I have to check if the NetScaler is able to perform that kind of hack you wrote
about before.

Thanks again,
Fabio

2015-12-05 7:22 GMT+01:00 Amos Jeffries <squid3 at treenet.co.nz>:

> On 5/12/2015 5:39 a.m., Fabio Bucci wrote:
> > Thanks Amos.
> > Actually my load balancing is configured to perform round robin balancing
> > between the two nodes. I added session persistence by source IP in order
> > to avoid having to log in again with some sites.
> >
> > my squid.conf is very simple:
> > auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> > auth_param ntlm children 100
> > auth_param ntlm keep_alive off
> >
> > acl auth proxy_auth REQUIRED
> >
> > http_access allow auth
> >
>
> Okay. That *should* work. With some NTLM-specific caveats.
>
>
> > forwarded_for on
> > follow_x_forwarded_for allow netscaler
> >
>
> If the LB is touching the traffic enough to add headers then it is a
> proxy. NTLM does not work at all well through proxies. NTLM as a whole
> is based on the assumption that there is one (and only one) TCP
> connection between it and the proxy - the credentials are tied to the
> TCP connection state.
>
> There is one VERY slim hack that lets NTLM pass straight through a
> frontend proxy/LB. That is by pinning the LB's inbound and outbound TCP
> connections together. This is not just session persistence, but absolute
> prohibition on any other traffic (even from other connections by the
> same client) being sent to that outbound LB->proxy connection. Some LB
> can do it, some can't.
>
>
> I recommend advertising both/all proxy IPs to the clients and letting
> each select the one(s) it wants to contact. That way the client can
> perform NTLM directly to the Squid.
>
>
> On the other hand, NTLM was deprecated back in 2006; you should try
> migrating to Negotiate/Kerberos. Kerberos is a bit of a learning curve
> and can be tricky working with older client software. But it is *way* more
> efficient and friendlier to HTTP (but still not fully).
>
>
> Amos
>
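As an added illustration (not code from the thread or from Squid), here is a small Python model of the connection-bound NTLM state Amos describes: the proxy keeps the handshake state on the TCP connection, so a balancer that reuses one backend connection for two clients both breaks the second client's handshake and then serves that client's later requests under the first client's identity, while 1:1 connection pinning avoids it. The ProxyConn/run_balancer names and the message and reply strings are simplified assumptions, not real NTLMSSP wire format.

```python
# Toy model of NTLM's connection-bound handshake behind a load balancer.
# Illustration only: message names and reply strings are placeholders,
# not the real NTLMSSP Type1/Type2/Type3 encoding or Squid's exact replies.

class ProxyConn:
    """Server side of one TCP connection to the proxy. NTLM state lives
    here, on the connection, not in any per-request token."""

    def __init__(self):
        self.state = "new"
        self.user = None

    def handle(self, msg):
        # Sequence: Type1 (negotiate) -> Type2 (challenge) -> Type3 (authenticate)
        if msg[0] == "type1":
            self.state = "challenged"
            return "407 type2 challenge"
        if msg[0] == "type3" and self.state == "challenged":
            self.state, self.user = "authenticated", msg[1]
            return "200 OK"
        if msg[0] == "request" and self.state == "authenticated":
            # Any later request on this connection is attributed to self.user
            return f"200 OK as {self.user}"
        return "407 Proxy Authentication Required"


def run_balancer(pinned):
    """Two clients, alice and bob, each open a connection to the LB and run
    the three-step exchange. With pinned=True the LB opens a dedicated
    backend connection per client connection; with pinned=False it reuses
    one already-open backend connection for both (no pinning)."""
    backends = {}

    def backend_for(client):
        key = client if pinned else "shared"
        return backends.setdefault(key, ProxyConn())

    scripts = {"alice": [("type1",), ("type3", "alice"), ("request",)],
               "bob": [("type1",), ("type3", "bob"), ("request",)]}
    results = {"alice": [], "bob": []}
    # Interleave the two clients' messages, as an LB would under real traffic
    for step in range(3):
        for client in ("alice", "bob"):
            results[client].append(backend_for(client).handle(scripts[client][step]))
    return results
```

With pinning, bob's third reply is "200 OK as bob"; without it, bob's Type3 is rejected and his later request is answered as alice, which is the credential mix-up the connection-pinning requirement exists to prevent.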