Prevent pipeline_prefetch misconfigurations

Enact the TODO/Caveat about checking post-parse for auth type clashing
with pipeline settings. This can only fix local configuration errors.

Pipeline_prefetch ON will still silently break WWW-Authenticate pass-thru
and Proxy-Authenticate pass-thru for these auth mechanisms.

diff --git a/src/auth/negotiate/auth_negotiate.cc b/src/auth/negotiate/auth_negotiate.cc
index 62ae88729b87d2bc2bb14a606bf5e3d6f687ae2d..c9a71cec58a6a961576cc48f66ee53e81d525bf1 100644 (file)
--- a/src/auth/negotiate/auth_negotiate.cc
+++ b/src/auth/negotiate/auth_negotiate.cc
@@ -164,17 +164,6 @@ AuthNegotiateConfig::parse(AuthConfig * scheme, int n_configured, char *param_st
     } else {
         debugs(29, 0, "AuthNegotiateConfig::parse: unrecognised negotiate auth scheme parameter '" << param_str << "'");
     }
-
-    /*
-     * disable client side request pipelining. There is a race with
-     * Negotiate when the client sends a second request on an Negotiate
-     * connection before the authenticate challenge is sent. With
-     * this patch, the client may fail to authenticate, but squid's
-     * state will be preserved.  Caveats: this should be a post-parse
-     * test, but that can wait for the modular parser to be integrated.
-     */
-    if (authenticate)
-        Config.onoff.pipeline_prefetch = 0;
 }
 
 const char *

diff --git a/src/auth/ntlm/auth_ntlm.cc b/src/auth/ntlm/auth_ntlm.cc
index 1f951e2fbad5c52f0651798c0239910db829f7f8..42b16d019b257d656aa95dcfeeb5d50a0ba6e058 100644 (file)
--- a/src/auth/ntlm/auth_ntlm.cc
+++ b/src/auth/ntlm/auth_ntlm.cc
@@ -146,17 +146,6 @@ AuthNTLMConfig::parse(AuthConfig * scheme, int n_configured, char *param_str)
     } else {
         debugs(29, 0, "AuthNTLMConfig::parse: unrecognised ntlm auth scheme parameter '" << param_str << "'");
     }
-
-    /*
-     * disable client side request pipelining. There is a race with
-     * NTLM when the client sends a second request on an NTLM
-     * connection before the authenticate challenge is sent. With
-     * this patch, the client may fail to authenticate, but squid's
-     * state will be preserved.  Caveats: this should be a post-parse
-     * test, but that can wait for the modular parser to be integrated.
-     */
-    if (authenticate)
-        Config.onoff.pipeline_prefetch = 0;
 }
 
 const char *

diff --git a/src/cache_cf.cc b/src/cache_cf.cc
index 1ebf999daf9f4a46576166f7d9d7e8737d2ad07c..2bed93d10cacbd2132d00c8a1212d21dd165c1b4 100644 (file)
--- a/src/cache_cf.cc
+++ b/src/cache_cf.cc
@@ -745,6 +745,22 @@ configDoConfigure(void)
                " Change client_request_buffer_max or request_header_max_size limits.",
                (uint32_t)Config.maxRequestBufferSize, (uint32_t)Config.maxRequestHeaderSize);
     }
+
+    /*
+     * disable client side request pipelining. There is a race with
+     * Negotiate and NTLM when the client sends a second request on an
+     * connection before the authenticate challenge is sent. With
+     * pipelining OFF, the client may fail to authenticate, but squid's
+     * state will be preserved.
+     */
+    if (Config.onoff.pipeline_prefetch) {
+        AuthConfig *nego = AuthConfig::Find("Negotiate");
+        AuthConfig *ntlm = AuthConfig::Find("NTLM");
+        if ((nego && nego->active()) || (ntlm && ntlm->active())) {
+            debugs(3, DBG_IMPORTANT, "WARNING: pipeline_prefetch breaks NTLM and Negotiate authentication. Forced OFF.");
+            Config.onoff.pipeline_prefetch = 0;
+        }
+    }
 }
 
 /** Parse a line containing an obsolete directive.

diff --git a/src/cf.data.pre b/src/cf.data.pre
index 3ade4de0bdb787a806b6eb8cedf84626cb5ece97..14c8d41e944739e32736c18327195739e26b9550 100644 (file)
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
@@ -6676,6 +6676,8 @@ DOC_START
 
        Defaults to off for bandwidth management and access logging
        reasons.
+
+       WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication.
 DOC_END
 
 NAME: high_response_time_warning