[squid-users] Squid with NTLM auth behind netscaler

Fabio Bucci fabietto82 at gmail.com
Fri Dec 11 14:08:44 UTC 2015


No suggestions?

2015-12-07 14:57 GMT+01:00 Fabio Bucci <fabietto82 at gmail.com>:

> Thanks Amos.
> So, what do you suggest? Implement Kerberos authentication instead of the NTLM one?
>
> I have to check if the netscaler is able to perform that kind of hack you wrote
> about before.
>
> Thanks again,
> Fabio
>
> 2015-12-05 7:22 GMT+01:00 Amos Jeffries <squid3 at treenet.co.nz>:
>
>> On 5/12/2015 5:39 a.m., Fabio Bucci wrote:
>> > Thanks Amos.
>> > Actually my load balancing is configured to perform round robin
>> > balancing between the two nodes. I added session persistence by source IP
>> > in order to avoid having to log in again with some sites.
>> >
>> > my squid.conf is very simple:
>> > auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>> > auth_param ntlm children 100
>> > auth_param ntlm keep_alive off
>> >
>> > acl auth proxy_auth REQUIRED
>> >
>> > http_access allow auth
>> >
>>
>> Okay. That *should* work. With some NTLM-specific caveats.
>>
>>
>> > forwarded_for on
>> > follow_x_forwarded_for allow netscaler
>> >
>>
>> If the LB is touching the traffic enough to add headers then it is a
>> proxy. NTLM does not work at all well through proxies. NTLM as a whole
>> is based on the assumption that there is one (and only one) TCP
>> connection between it and the proxy - the credentials are tied to the
>> TCP connection state.
>>
>> There is one VERY slim hack that lets NTLM pass straight through a
>> frontend proxy/LB. That is by pinning the LB's inbound and outbound TCP
>> connections together. This is not just session persistence, but absolute
>> prohibition on any other traffic (even from other connections by the
>> same client) being sent to that outbound LB->proxy connection. Some LB
>> can do it, some can't.
>>
>>
>> I recommend advertising both/all proxy IPs to the clients and letting
>> each select the one(s) it wants to contact. That way the client can
>> perform NTLM directly to the Squid.
>>
>>
>> On the other hand NTLM was deprecated back in 2006, you should try
>> migrating to Negotiate/Kerberos. Kerberos is a bit of a learning curve
>> and can be tricky working with older client software. But is *way* more
>> efficient and friendlier to HTTP (but still not fully).
>>
>>
>> Amos
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>>
>
>
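The point Amos makes above (NTLM credentials are bound to the TCP connection, so a front end that pools or multiplexes its LB->proxy connections breaks the handshake and can even attach one user's identity to another user's request, while per-connection pinning keeps it working) is easiest to see in a small model. The following is an added example written for this page, not code from the thread, Squid or Citrix: the TYPE1/TYPE3 strings are labels standing in for the NTLMSSP negotiate/authenticate messages, not real NTLM, the two Squid nodes and the balancer are toy classes that model only connection handling, and the client names, the 10.0.0.5 source address and the traffic sequence are constructed.

```python
"""Toy model of connection-oriented NTLM authentication behind a load balancer.

Constructed illustration only: the messages are labels standing in for the
NTLMSSP Type 1/2/3 exchange, not real NTLM, and the classes model Squid and
the balancer only as far as connection handling goes.
"""
from dataclasses import dataclass, field
from itertools import count
from typing import Dict, List, Tuple


@dataclass
class ProxyNode:
    """One Squid node. NTLM state is keyed on the inbound TCP connection,
    which is what makes the scheme connection-oriented."""
    name: str
    # backend connection id -> (phase, challenge issued or authenticated user)
    conn_state: Dict[str, Tuple[str, str]] = field(default_factory=dict)
    nonce: count = field(default_factory=count)

    def handle(self, conn_id: str, msg: str) -> str:
        phase, data = self.conn_state.get(conn_id, ("none", ""))
        if msg == "TYPE1":                      # negotiate: issue a fresh challenge on this connection
            challenge = f"{self.name}-ch{next(self.nonce)}"
            self.conn_state[conn_id] = ("challenged", challenge)
            return f"407 challenge={challenge}"
        if msg.startswith("TYPE3 "):            # authenticate: must answer *this connection's* challenge
            _, answered, user = msg.split(" ")
            if phase != "challenged" or answered != data:
                self.conn_state.pop(conn_id, None)
                return "407 restart"
            self.conn_state[conn_id] = ("authenticated", user)
            return f"200 user={user}"
        if phase == "authenticated":            # plain request on an already-authenticated connection
            return f"200 user={data}"
        return "407 NTLM"                       # anything else: demand authentication


class LoadBalancer:
    """Front end with source-IP persistence. pin_connections=True gives every
    client connection its own dedicated LB->proxy connection (the pinning
    described in the thread); False reuses one keep-alive backend connection
    per node, as a pooling proxy would."""
    def __init__(self, nodes: List[ProxyNode], pin_connections: bool):
        self.nodes = nodes
        self.pin_connections = pin_connections

    def forward(self, client_ip: str, client_conn: str, msg: str) -> str:
        node = self.nodes[sum(map(ord, client_ip)) % len(self.nodes)]  # persistence by source IP
        backend_conn = client_conn if self.pin_connections else "shared-keepalive"
        return node.handle(backend_conn, msg)


def run_scenario(pin_connections: bool) -> List[Tuple[str, str, str]]:
    """Two users behind one NAT address talk to the proxy through the LB.
    Returns (client_conn, message, response) per step."""
    lb = LoadBalancer([ProxyNode("squid1"), ProxyNode("squid2")], pin_connections)
    challenges: Dict[str, str] = {}
    log: List[Tuple[str, str, str]] = []

    def send(conn: str, msg: str) -> None:
        resp = lb.forward("10.0.0.5", conn, msg)   # constructed sample traffic
        if resp.startswith("407 challenge="):
            challenges[conn] = resp.split("=", 1)[1]
        log.append((conn, msg, resp))

    send("alice-c1", "TYPE1")
    send("alice-c1", f"TYPE3 {challenges['alice-c1']} alice")
    send("bob-c7", "GET")          # bob has never authenticated
    send("bob-c7", "TYPE1")
    send("alice-c1", "GET")        # alice already completed her handshake
    send("bob-c7", f"TYPE3 {challenges['bob-c7']} bob")
    return log


if __name__ == "__main__":
    for pinned in (False, True):
        print(f"--- pin_connections={pinned}")
        for conn, msg, resp in run_scenario(pinned):
            print(f"{conn:9} {msg:28} -> {resp}")
```

With pooled backend connections, step 3 answers bob's unauthenticated request as alice (the connection, not the user, is what got authenticated) and step 5 throws alice back to a 407 because bob's TYPE1 replaced the connection's state; with one pinned backend connection per client connection every step comes out as it would against a single Squid. Source-IP persistence alone does not help here: both users share 10.0.0.5 and land on the same node in both runs.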
