-----Original Message-----
From: Amos Jeffries [mailto:[email protected]]
Sent: Saturday, February 11, 2012 8:55 AM
To: [email protected]
Subject: Re: [squid-users] Squid/NTLM and site timeouts

On 12/02/2012 2:30 a.m., Jason Gauthier wrote:
> All,
>
> I have a Squid and NTLM implementation. I've had one for years, and
> always have been pretty pleased with it. There has always been one quirk,
> and I've decided to ask about it in case there is a known solution.
>
> Typically, NTLM requires a back and forth of authentication. Whenever a site
> is very slow to respond, or down and times out, my browsers display an
> authentication prompt to the end user. I noticed this happens sometimes,
> even, after the full page is loaded, and an advertisement or some other
> element takes a long time to load.
>

>This behaviour sounds more like the slowness is being caused by NTLM itself
>being slow or failing. The domain lookups and connections do not even start to
>happen until NTLM login to the proxy is already successfully completed.

>The prompt is a browser feature. Squid has nothing to do with it besides the
>coincidence that the browser may choose to do it whenever Squid asks for
>credentials. The modern ones usually only try it after automatic logins like
>NTLM have been tried and failed.

You would think that is the case, but it's not. I can demonstrate this.
I've created a PHP page that just loads text.
http://www.pendulus.org/loaddirect.php

Squid logs:
1329009688.461 0 192.168.71.117 TCP_DENIED/407 4051 GET http://www.pendulus.org/loaddirect.php - NONE/- text/html
1329009688.552 1 192.168.71.117 TCP_DENIED/407 4308 GET http://www.pendulus.org/loaddirect.php - NONE/- text/html
1329009688.822 187 192.168.71.117 TCP_MISS/200 330 GET http://www.pendulus.org/loaddirect.php jgauthier DIRECT/69.135.186.43 text/html

This worked exactly as expected.

I created one with a 30 second delay:
http://www.pendulus.org/loadshortpause.php

Squid logs:
1329010018.324 1 192.168.71.117 TCP_DENIED/407 4067 GET http://www.pendulus.org/loadshortpause.php - NONE/- text/html
1329010018.473 0 192.168.71.117 TCP_DENIED/407 4332 GET http://www.pendulus.org/loadshortpause.php - NONE/- text/html
1329010048.720 30194 192.168.71.117 TCP_MISS/200 330 GET http://www.pendulus.org/loadshortpause.php jgauthier DIRECT/69.135.186.43 text/html

Notice my username does not appear until *after* the 30 second pause that's inside the web page.

Lastly, I created one with a 300 second delay in it.
http://www.pendulus.org/loadpause.php

Squid logs:
1329009789.283 0 192.168.71.117 TCP_DENIED/407 4047 GET http://www.pendulus.org/loadpause.php - NONE/- text/html
1329009789.372 0 192.168.71.117 TCP_DENIED/407 4312 GET http://www.pendulus.org/loadpause.php - NONE/- text/html
1329009909.439 120024 192.168.71.117 TCP_MISS/000 0 GET http://www.pendulus.org/loadpause.php jgauthier DIRECT/69.135.186.43 -
1329009909.534 0 192.168.71.117 TCP_DENIED/407 4331 GET http://www.pendulus.org/loadpause.php - NONE/- text/html

At the point the second two log entries are created, the browser also prompted me for credentials again. The gap in time is two minutes.
After two minutes, I am re-prompted from the browser, this is what I am describing. The situation I want to stop from occurring.

Thanks,

Jason
