} else {
debugs(29, 0, "AuthNegotiateConfig::parse: unrecognised negotiate auth scheme parameter '" << param_str << "'");
}
-
- /*
- * disable client side request pipelining. There is a race with
- * Negotiate when the client sends a second request on an Negotiate
- * connection before the authenticate challenge is sent. With
- * this patch, the client may fail to authenticate, but squid's
- * state will be preserved. Caveats: this should be a post-parse
- * test, but that can wait for the modular parser to be integrated.
- */
- if (authenticate)
- Config.onoff.pipeline_prefetch = 0;
}
const char *
} else {
debugs(29, 0, "AuthNTLMConfig::parse: unrecognised ntlm auth scheme parameter '" << param_str << "'");
}
-
- /*
- * disable client side request pipelining. There is a race with
- * NTLM when the client sends a second request on an NTLM
- * connection before the authenticate challenge is sent. With
- * this patch, the client may fail to authenticate, but squid's
- * state will be preserved. Caveats: this should be a post-parse
- * test, but that can wait for the modular parser to be integrated.
- */
- if (authenticate)
- Config.onoff.pipeline_prefetch = 0;
}
const char *
" Change client_request_buffer_max or request_header_max_size limits.",
(uint32_t)Config.maxRequestBufferSize, (uint32_t)Config.maxRequestHeaderSize);
}
+
+ /*
+ * disable client side request pipelining. There is a race with
+ * Negotiate and NTLM when the client sends a second request on an
+ * connection before the authenticate challenge is sent. With
+ * pipelining OFF, the client may fail to authenticate, but squid's
+ * state will be preserved.
+ */
+ if (Config.onoff.pipeline_prefetch) {
+ AuthConfig *nego = AuthConfig::Find("Negotiate");
+ AuthConfig *ntlm = AuthConfig::Find("NTLM");
+ if ((nego && nego->active()) || (ntlm && ntlm->active())) {
+ debugs(3, DBG_IMPORTANT, "WARNING: pipeline_prefetch breaks NTLM and Negotiate authentication. Forced OFF.");
+ Config.onoff.pipeline_prefetch = 0;
+ }
+ }
}
/** Parse a line containing an obsolete directive.
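Review bot: The new guard `if ((nego && nego->active()) || (ntlm && ntlm->active()))` keys on `active()`, whereas the removed per-scheme code keyed on `authenticate` being set, that is, on the helper being configured. `active()` is not shown on this page; if it only becomes true once the scheme has been initialised, and that happens after this configure step, the test would be false here and `pipeline_prefetch` would stay on alongside NTLM/Negotiate, leaving the authentication race the comment describes. If that ordering is possible, test for the scheme being configured instead (for example `nego->configured()`, if that accessor matches the old `authenticate` test), and say in the comment which state the check depends on. The enclosing function starts outside the hunk, so whether this check is repeated on reconfigure cannot be confirmed from here.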
Defaults to off for bandwidth management and access logging
reasons.
+
+ WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication.
DOC_END
NAME: high_response_time_warning