From: Amos Jeffries Date: Mon, 23 Aug 2010 23:56:49 +0000 (+1200) Subject: Preserve auth_param NTLM/Negotiate keep-alive behaviour X-Git-Tag: SQUID_3_1_7~2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3d6cccc97736cbdfdbaaee65f6d8448f47739679;p=thirdparty%2Fsquid.git Preserve auth_param NTLM/Negotiate keep-alive behaviour With the change to correct HTTP/1.1 keep-alive behaviour it has become apparent that the major browsers fail to handle NTLM re-challenge cleanly over persistent connections. This alters the default behaviour for NTLM and Negotiate auth when not explicitly configured. It causes connections to break during initial protocol negotiation, which while not desirable was the original HTTP/1.0 behaviour of Squid 3.1 on which the browsers appear to depend. Installs which have explicitly set their keep_alive parameters to ON, may need to re-assess. --- diff --git a/src/auth/negotiate/auth_negotiate.cc b/src/auth/negotiate/auth_negotiate.cc index 948422083c..62ae88729b 100644 --- a/src/auth/negotiate/auth_negotiate.cc +++ b/src/auth/negotiate/auth_negotiate.cc @@ -144,7 +144,7 @@ AuthNegotiateConfig::dump(StoreEntry * entry, const char *name, AuthConfig * sch } -AuthNegotiateConfig::AuthNegotiateConfig() : authenticateChildren(5), keep_alive(1) +AuthNegotiateConfig::AuthNegotiateConfig() : authenticateChildren(5), keep_alive(0) { } void diff --git a/src/auth/ntlm/auth_ntlm.cc b/src/auth/ntlm/auth_ntlm.cc index a2b119bf3e..1f951e2fba 100644 --- a/src/auth/ntlm/auth_ntlm.cc +++ b/src/auth/ntlm/auth_ntlm.cc @@ -126,7 +126,7 @@ AuthNTLMConfig::dump(StoreEntry * entry, const char *name, AuthConfig * scheme) } -AuthNTLMConfig::AuthNTLMConfig() : authenticateChildren(5), keep_alive(1) +AuthNTLMConfig::AuthNTLMConfig() : authenticateChildren(5), keep_alive(0) { } void diff --git a/src/cf.data.pre b/src/cf.data.pre index f743f26e23..442447aac1 100644 --- a/src/cf.data.pre +++ b/src/cf.data.pre 
@@ -265,12 +265,12 @@ DOC_START auth_param ntlm children 5 "keep_alive" on|off - If you experience problems with PUT/POST requests when using the - Negotiate authentication scheme then you can try setting this to - off. This will cause Squid to forcibly close the connection on - the initial requests where the browser asks which schemes are - supported by the proxy. - + Whether to keep the connection open after the initial response where + Squid tells the browser which schemes are supported by the proxy. + Some browsers are known to present many login popups or to corrupt + POST/PUT requests transfer if the connection is not closed. + The default is currently OFF to avoid this, but may change. + auth_param ntlm keep_alive on === Options for configuring the NEGOTIATE auth-scheme follow === @@ -299,15 +299,15 @@ DOC_START auth_param negotiate children 5 "keep_alive" on|off - If you experience problems with PUT/POST requests when using the - Negotiate authentication scheme then you can try setting this to - off. This will cause Squid to forcibly close the connection on - the initial requests where the browser asks which schemes are - supported by the proxy. - + Whether to keep the connection open after the initial response where + Squid tells the browser which schemes are supported by the proxy. + Some browsers are known to present many login popups or to corrupt + POST/PUT requests transfer if the connection is not closed. + The default is currently OFF to avoid this, but may change. + auth_param negotiate keep_alive on - + Examples: #Recommended minimum configuration per scheme:
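Review bot: In src/auth/negotiate/auth_negotiate.cc the new default is a bare `keep_alive(0)` in the AuthNegotiateConfig constructor's initializer list, with nothing in the code saying why a connection-closing default was chosen. The rationale (browsers mishandling re-challenge over persistent connections) exists only in the commit message, so a later cleanup could flip it back to 1 without knowing what it breaks. A one-line comment above the constructor naming the browser workaround would keep the reason next to the value.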
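Review bot: In src/auth/ntlm/auth_ntlm.cc the AuthNTLMConfig constructor repeats the same literal, `keep_alive(0)`, that the Negotiate constructor uses, although the commit message treats the two schemes as one decision. Two independent literals can drift apart the next time the default is revisited. Consider a single named constant for the keep-alive default that both initializer lists reference, so the default changes in one place.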
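Review bot: In the cf.data.pre hunk at @@ -265, the new sentence "The default is currently OFF" is followed directly by the unchanged context line `auth_param ntlm keep_alive on`, so the documentation now appears to contradict itself about what an unconfigured install does. Either change that line to `off` or label it explicitly as an example of overriding the default. The rewrite also drops the removed statement that off "will cause Squid to forcibly close the connection", so the text no longer says which value produces which behaviour; one sentence mapping on and off to keep-open and close would restore that.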
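Review bot: In the cf.data.pre hunk at @@ -299, "corrupt POST/PUT requests transfer" does not parse and should read something like "corrupt POST/PUT request transfers"; the same wording is in the NTLM text. "The default is currently OFF to avoid this, but may change" also leaves administrators without guidance, so it would help to recommend setting `keep_alive` explicitly where the behaviour matters. The last changed pair in this hunk, the blank line before "Examples:", is a whitespace-only edit unrelated to the keep-alive change and would be better left out of this commit.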