Preserve auth_param NTLM/Negotiate keep-alive behaviour

With the change to correct HTTP/1.1 keep-alive behaviour it has become
apparent that the major browsers fail to handle NTLM re-challenge cleanly
over persistent connections.

This alters the default behaviour for NTLM and Negotiate auth when not
explicitly configured. It causes connections to break during initial
protocol negotiation, which while not desirable was the original HTTP/1.0
behaviour of Squid 3.1 on which the browsers appear to depend.

Installs which have explicitly set their keep_alive parameters to ON, may
need to re-asses.

diff --git a/src/auth/negotiate/auth_negotiate.cc b/src/auth/negotiate/auth_negotiate.cc
index 948422083cd30787733e28fb46ed0e72947625ed..62ae88729b87d2bc2bb14a606bf5e3d6f687ae2d 100644 (file)
--- a/src/auth/negotiate/auth_negotiate.cc
+++ b/src/auth/negotiate/auth_negotiate.cc
@@ -144,7 +144,7 @@ AuthNegotiateConfig::dump(StoreEntry * entry, const char *name, AuthConfig * sch
 
 }
 
-AuthNegotiateConfig::AuthNegotiateConfig() : authenticateChildren(5), keep_alive(1)
+AuthNegotiateConfig::AuthNegotiateConfig() : authenticateChildren(5), keep_alive(0)
 { }
 
 void

diff --git a/src/auth/ntlm/auth_ntlm.cc b/src/auth/ntlm/auth_ntlm.cc
index a2b119bf3e2461f243422201daf05e595e598e48..1f951e2fbad5c52f0651798c0239910db829f7f8 100644 (file)
--- a/src/auth/ntlm/auth_ntlm.cc
+++ b/src/auth/ntlm/auth_ntlm.cc
@@ -126,7 +126,7 @@ AuthNTLMConfig::dump(StoreEntry * entry, const char *name, AuthConfig * scheme)
 
 }
 
-AuthNTLMConfig::AuthNTLMConfig() : authenticateChildren(5), keep_alive(1)
+AuthNTLMConfig::AuthNTLMConfig() : authenticateChildren(5), keep_alive(0)
 { }
 
 void

diff --git a/src/cf.data.pre b/src/cf.data.pre
index f743f26e23d950f4a291759c4b4eaf68f5367a1e..442447aac1429ab0f205ac882799461b064b0471 100644 (file)
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
@@ -265,12 +265,12 @@ DOC_START
        auth_param ntlm children 5
 
        "keep_alive" on|off
-       If you experience problems with PUT/POST requests when using the
-       Negotiate authentication scheme then you can try setting this to
-       off. This will cause Squid to forcibly close the connection on
-       the initial requests where the browser asks which schemes are
-       supported by the proxy.
-
+       Whether to keep the connection open after the initial response where
+       Squid tells the browser which schemes are supported by the proxy.
+       Some browsers are known to present many login popups or to corrupt
+       POST/PUT requests transfer if the connection is not closed.
+       The default is currently OFF to avoid this, but may change.
+       
        auth_param ntlm keep_alive on
 
        === Options for configuring the NEGOTIATE auth-scheme follow ===
@@ -299,15 +299,15 @@ DOC_START
        auth_param negotiate children 5
 
        "keep_alive" on|off
-       If you experience problems with PUT/POST requests when using the
-       Negotiate authentication scheme then you can try setting this to
-       off. This will cause Squid to forcibly close the connection on
-       the initial requests where the browser asks which schemes are
-       supported by the proxy.
-
+       Whether to keep the connection open after the initial response where
+       Squid tells the browser which schemes are supported by the proxy.
+       Some browsers are known to present many login popups or to corrupt
+       POST/PUT requests transfer if the connection is not closed.
+       The default is currently OFF to avoid this, but may change.
+       
        auth_param negotiate keep_alive on
 
-       
+
        Examples:
 
 #Recommended minimum configuration per scheme: