[squid-users] squid time out
Amos Jeffries
squid3 at treenet.co.nz
Thu Jul 18 14:59:13 UTC 2019
On 19/07/19 1:57 am, ANDRINANTENAINA Avo wrote:
>
> I have a huge range in terms of network, but awkwardly, the
> authentication/ACL and everything works well in one given subnet but not
> on the others. The users in the other subnets are not able to surf the
> internet, and this without any specific logs from the proxy side (the
> most significant part of the config could be seen below). Any request
> from these users just times out.
>
...
>
> I can't really understand the issue, from the affected networks:
>
> - The user is able to ping the proxy and access its port
> 8080 (through telnet / netcat)
>
> - The request is able to reach the proxy but in the
> access_log the "user" is missing
>
> 1563455060.396 1 192.168.230.195 TCP_DENIED/407 4714 GET
> http://api.bing.com/qsml.aspx? - HIER_NONE/- text/html
>
> - TCP_DENIED/407, requesting the user to go through the
> authentication phase is presented by the proxy to the user's browser but
> nothing happens. I thought that if the timer set to Kerberos, NTLM
> expires, a pop up should appear but nothing (from wireshark)
>
Er. Not sure what you mean by a timer.
The log entry is a reasonable first-request from any client. No sane
client will broadcast user credentials until it knows the receiving
agent needs them - and in what form they are needed.
That is why your log entry has no username, and the purpose of the 407
status.
Once that 407 is delivered to the Browser that HTTP transaction is over.
If nothing happens afterwards that is a Browser or network layer
problem, nothing to do with Squid. (There are exceptions, but I see no
sign of those being relevant in your config).
Browser popup is what happens if the Browser is _unable_ to find
appropriate user credentials to send the proxy or web server needing
login. If it is able to find any Kerberos, NTLM or Basic auth
credentials to use (in that order of priority) - it will start a new
HTTP transaction using those. Which will be logged as a separate HTTP
transaction.
But, if those credentials are not able to validate there may not be any
resulting username to log. Your wireshark trace shows no
Proxy-Authorization header in the request, so of course there will be no
username on that transaction's log entry.
Setting the timeouts on credentials usability between the DC and the
Browsers will only cause credential tokens to become invalid before they
arrive at the proxy. That can lead to loops of transactions with 407 and
no username logged, especially with NTLM credentials.
Setting any of the auth related TTL or timeouts in squid.conf to short
values will only cause extra work for the auth validation process.
Slowing everything down. It has no effect on whether credentials are
valid, nor what the Browser does.
Despite the PR and marketing MS have done about single-sign-on being a
NTLM thing, it is actually a regular part of all HTTP authentication.
Seeing the popup is a *bad* sign, something is going wrong with the
Browser's auth setup if it has to be bothering the user for details.
On Windows particularly the Browser should have access to the user's
machine login or Kerberos keytab and so use one of those to access the
proxy without bothering or even being noticed by the user at all.
>
> - On cache.log there is nothing that could mean something, just
> a bunch of ARP errors. Tried to debug the section 29 for authentication …
> but nothing. Checked the IE internet options, just in case the windows
> authentication profile is not ticked … but it is there.
>
ARP errors may be nothing, or it could be a sign that your routing needs
something fixed.
A routing problem might be affecting background connectivity for NTLM
and Kerberos processes the Browser has to do to allocate auth tokens
with DC.
It might also affect the proxy verifying those tokens, but that would
have a different more obvious error logged.
If the above does not help your troubleshooting, please consider posting
your whole squid.conf. (Without the #comment lines, and obfuscate
anything like cachemgr_passwd which should not be made public - but in a
way which ensures we can still tell eg that two IPs are different numbers).
Amos
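Amos's point above is that a TCP_DENIED/407 line with "-" in the user column is the normal first leg of proxy authentication, and that trouble shows up as what follows it: either a second transaction that carries a username, or nothing at all, or a run of further 407s with no username (the token-expiry loop). The script below is an added example, not part of this thread or of Squid itself; it parses Squid's default native access.log layout (time, elapsed, client, code/status, bytes, method, URL, user, hierarchy, type) and labels each client address according to that pattern. The log lines other than the one quoted in the thread, the usernames, the addresses and the loop threshold of five are constructed for the example.

```python
import re
from collections import defaultdict

# Field layout of Squid's default native access.log format ("logformat squid"):
#   time elapsed remotehost code/status bytes method URL rfc931 peerstatus/peerhost type
# The "rfc931" column carries the authenticated username once a request has
# been authenticated, and "-" otherwise.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<mime>\S+)$"
)

# Constructed sample: the first line is the one quoted in the thread; the others
# were made up to show one client that authenticates after its 407, and one that
# keeps receiving 407 with no username (the loop described in the reply).
SAMPLE_LOG = """\
1563455060.396 1 192.168.230.195 TCP_DENIED/407 4714 GET http://api.bing.com/qsml.aspx? - HIER_NONE/- text/html
1563455060.410 1 192.168.10.21 TCP_DENIED/407 4714 GET http://example.test/ - HIER_NONE/- text/html
1563455060.455 120 192.168.10.21 TCP_MISS/200 5120 GET http://example.test/ jdoe@EXAMPLE.TEST HIER_DIRECT/203.0.113.10 text/html
1563455061.001 1 192.168.230.77 TCP_DENIED/407 4714 GET http://example.test/ - HIER_NONE/- text/html
1563455061.052 1 192.168.230.77 TCP_DENIED/407 4714 GET http://example.test/ - HIER_NONE/- text/html
1563455061.103 1 192.168.230.77 TCP_DENIED/407 4714 GET http://example.test/ - HIER_NONE/- text/html
1563455061.157 1 192.168.230.77 TCP_DENIED/407 4714 GET http://example.test/ - HIER_NONE/- text/html
1563455061.209 1 192.168.230.77 TCP_DENIED/407 4714 GET http://example.test/ - HIER_NONE/- text/html
1563455061.260 1 192.168.230.77 TCP_DENIED/407 4714 GET http://example.test/ - HIER_NONE/- text/html
"""


def parse_line(line):
    """Parse one native-format access.log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["status"] = int(rec["status"])
    return rec


def classify_clients(lines, loop_threshold=5):
    """Group records by client address and label each client's authentication behaviour.

    'authenticated': at least one request carried a username, so the browser did
                     answer a 407 with credentials the proxy accepted
    'loop':          loop_threshold or more 407 responses and never a username, the
                     pattern of tokens being rejected every time (e.g. expired tokens)
    'challenged':    fewer 407s and no username yet: the initial challenge went out
                     and the browser did not come back
    """
    per_client = defaultdict(lambda: {"denied407": 0, "with_user": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not a native-format line; skip rather than guess
        counters = per_client[rec["client"]]
        if rec["status"] == 407:
            counters["denied407"] += 1
        if rec["user"] != "-":
            counters["with_user"] += 1

    verdict = {}
    for client, counters in per_client.items():
        if counters["with_user"] > 0:
            verdict[client] = "authenticated"
        elif counters["denied407"] >= loop_threshold:
            verdict[client] = "loop"
        else:
            verdict[client] = "challenged"
    return verdict


if __name__ == "__main__":
    for client, label in sorted(classify_clients(SAMPLE_LOG.splitlines()).items()):
        print(f"{client:18} {label}")
```

Run against a real access.log (`python3 auth407.py < /var/log/squid/access.log` after swapping SAMPLE_LOG for `sys.stdin`), the "challenged" clients are the ones whose browsers never sent a Proxy-Authorization header back, which is the browser/network-side situation the reply describes; "loop" clients are the ones to check for token expiry between the DC and the browser.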