Thanks Amos. So, what do you suggest? Implement Kerberos authentication instead of the NTLM one?
I have to check if NetScaler is able to perform that kind of hack you wrote about before. Thanks again, Fabio

2015-12-05 7:22 GMT+01:00 Amos Jeffries <squ...@treenet.co.nz>:
> On 5/12/2015 5:39 a.m., Fabio Bucci wrote:
> > Thanks Amos.
> > Actually my load balancing is configured to perform round robin balancing
> > between the two nodes. I added session persistence by source IP in order
> > to avoid logging in again with some sites.
> >
> > My squid.conf is very simple:
> > auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> > auth_param ntlm children 100
> > auth_param ntlm keep_alive off
> >
> > acl auth proxy_auth REQUIRED
> >
> > http_access allow auth
> >
>
> Okay. That *should* work. With some NTLM-specific caveats.
>
> > forwarded_for on
> > follow_x_forwarded_for allow netscaler
> >
>
> If the LB is touching the traffic enough to add headers then it is a
> proxy. NTLM does not work at all well through proxies. NTLM as a whole
> is based on the assumption that there is one (and only one) TCP
> connection between it and the proxy - the credentials are tied to the
> TCP connection state.
>
> There is one VERY slim hack that lets NTLM pass straight through a
> frontend proxy/LB. That is by pinning the LB's inbound and outbound TCP
> connections together. This is not just session persistence, but absolute
> prohibition on any other traffic (even from other connections by the
> same client) being sent to that outbound LB->proxy connection. Some LB
> can do it, some can't.
>
>
> I recommend advertising both/all proxy IPs to the clients and letting
> each select the one(s) it wants to contact. That way the client can
> perform NTLM directly to the Squid.
>
>
> On the other hand NTLM was deprecated back in 2006, you should try
> migrating to Negotiate/Kerberos. Kerberos is a bit of a learning curve
> and can be tricky working with older client software. But is *way* more
> efficient and friendlier to HTTP (but still not fully).
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
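Amos's recommendation is to advertise every Squid node to the clients and let each client pick one, so that the NTLM handshake and the TCP connection it is tied to both terminate at the same Squid, with no load balancer in between. One way to do that is a PAC file. The following is an added example, not code from the thread or from the Squid project; the proxy host names are assumptions, and the hash is only there so a given client keeps returning to the same node (the remaining nodes are listed afterwards as failover). When run inside a browser's PAC engine, `myIpAddress()` supplies the client address; the fallback makes the file loadable outside that engine.

```javascript
// Added example: PAC file that sends each client straight to one Squid node.
// The host names below are assumptions; replace them with the real proxies.
var PROXIES = ["proxy1.example.com:3128", "proxy2.example.com:3128"];

// Cheap deterministic string hash (32-bit, no Math.imul so old PAC
// engines such as JScript can run it).
function hashString(s) {
  var h = 0;
  for (var i = 0; i < s.length; i++) {
    h = (h * 31 + s.charCodeAt(i)) % 4294967296;
  }
  return h;
}

// Pick a "home" proxy for this client and list the others as failover.
// The client talks NTLM (or Negotiate) directly to that Squid, so the
// credentials stay bound to a single client<->Squid TCP connection.
function chooseProxy(clientIp, proxies) {
  var primary = hashString(clientIp) % proxies.length;
  var order = [];
  for (var i = 0; i < proxies.length; i++) {
    order.push("PROXY " + proxies[(primary + i) % proxies.length]);
  }
  return order.join("; ");
}

// Entry point the browser calls for every URL.
function FindProxyForURL(url, host) {
  // Intranet short names and the local domain (assumed) bypass the proxy.
  if (host.indexOf(".") === -1) return "DIRECT";
  var localDomain = ".example.com";
  if (host.length > localDomain.length &&
      host.substr(host.length - localDomain.length) === localDomain) {
    return "DIRECT";
  }
  // myIpAddress() exists only inside a PAC engine; fall back otherwise.
  var ip = (typeof myIpAddress === "function") ? myIpAddress() : "0.0.0.0";
  return chooseProxy(ip, PROXIES);
}
```

Serve the file from an internal web server (or push it via WPAD / group policy) and point the clients at it instead of at the NetScaler VIP. The load balancer then no longer sits in the NTLM path, which is the situation Amos describes as the one NTLM was designed for.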