From: Amos Jeffries
Date: Tue, 1 Feb 2011 23:12:39 +0000 (+1300)
Subject: Fix pipeline_prefetch misconfigurations
X-Git-Tag: take03^2~40
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a0e23afd93a611e22a88ebaf2ce21c786420c30d;p=thirdparty%2Fsquid.git

Fix pipeline_prefetch misconfigurations

Enact the TODO/Caveat about checking post-parse for auth type clashing with pipeline settings. This can only fix local configuration errors. Pipeline_prefetch ON will still silently break WWW-Authenticate pass-thru and Proxy-Authenticate pass-thru for these auth mechanisms.
---
diff --git a/src/auth/negotiate/auth_negotiate.cc b/src/auth/negotiate/auth_negotiate.cc
index 73a2b15c8e..a2c954ec8a 100644
--- a/src/auth/negotiate/auth_negotiate.cc
+++ b/src/auth/negotiate/auth_negotiate.cc
@@ -147,17 +147,6 @@ AuthNegotiateConfig::parse(AuthConfig * scheme, int n_configured, char *param_st
 } else {
 debugs(29, 0, "AuthNegotiateConfig::parse: unrecognised negotiate auth scheme parameter '" << param_str << "'");
 }
-
- /*
- * disable client side request pipelining. There is a race with
- * Negotiate when the client sends a second request on an Negotiate
- * connection before the authenticate challenge is sent. With
- * this patch, the client may fail to authenticate, but squid's
- * state will be preserved. Caveats: this should be a post-parse
- * test, but that can wait for the modular parser to be integrated.
- */
- if (authenticate)
- Config.onoff.pipeline_prefetch = 0;
 }
 
 const char *
diff --git a/src/auth/ntlm/auth_ntlm.cc b/src/auth/ntlm/auth_ntlm.cc
index 18f63bffe8..b1d2328c6f 100644
--- a/src/auth/ntlm/auth_ntlm.cc
+++ b/src/auth/ntlm/auth_ntlm.cc
@@ -135,17 +135,6 @@ AuthNTLMConfig::parse(AuthConfig * scheme, int n_configured, char *param_str)
 } else {
 debugs(29, 0, "AuthNTLMConfig::parse: unrecognised ntlm auth scheme parameter '" << param_str << "'");
 }
-
- /*
- * disable client side request pipelining. There is a race with
- * NTLM when the client sends a second request on an NTLM
- * connection before the authenticate challenge is sent. With
- * this patch, the client may fail to authenticate, but squid's
- * state will be preserved. Caveats: this should be a post-parse
- * test, but that can wait for the modular parser to be integrated.
- */
- if (authenticate)
- Config.onoff.pipeline_prefetch = 0;
 }
 
 const char *
diff --git a/src/cache_cf.cc b/src/cache_cf.cc
index 5f7fe174ff..9efa10be91 100644
--- a/src/cache_cf.cc
+++ b/src/cache_cf.cc
@@ -914,6 +914,22 @@ configDoConfigure(void)
 " Change client_request_buffer_max or request_header_max_size limits.",
 (uint32_t)Config.maxRequestBufferSize, (uint32_t)Config.maxRequestHeaderSize);
 }
+
+ /*
+ * disable client side request pipelining. There is a race with
+ * Negotiate and NTLM when the client sends a second request on an
+ * connection before the authenticate challenge is sent. With
+ * pipelining OFF, the client may fail to authenticate, but squid's
+ * state will be preserved.
+ */
+ if (Config.onoff.pipeline_prefetch) {
+ AuthConfig *nego = AuthConfig::Find("Negotiate");
+ AuthConfig *ntlm = AuthConfig::Find("NTLM");
+ if ((nego && nego->active()) || (ntlm && ntlm->active())) {
+ debugs(3, DBG_IMPORTANT, "WARNING: pipeline_prefetch breaks NTLM and Negotiate authentication. Forced OFF.");
+ Config.onoff.pipeline_prefetch = 0;
+ }
+ }
 }
 
 /** Parse a line containing an obsolete directive.
diff --git a/src/cf.data.pre b/src/cf.data.pre
index 38c1909fc8..cc705f0ad7 100644
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
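Review bot: The comment added in the cache_cf.cc hunk overstates what the new check guarantees — it only forces pipeline_prefetch off when Squid's own NTLM or Negotiate scheme is active, while the commit message itself says pipelining ON still silently breaks WWW-Authenticate and Proxy-Authenticate pass-thru of these connection-oriented schemes, and that limitation belongs next to the check where the next maintainer will read it. I would extend the closing sentence to `state will be preserved. This only covers Squid's own NTLM/Negotiate client authentication; pass-thru of those schemes from origin servers or peers is still broken when pipelining is on.` The same comment also carries a slip from the deleted per-scheme copies: `second request on an connection` should read `second request on a connection`. The enclosing configDoConfigure starts and ends outside the hunk.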
@@ -7341,6 +7341,8 @@ DOC_START
 Defaults to off for bandwidth management and access logging reasons.
+
+ WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication.
 DOC_END
 NAME: high_response_time_warning