No suggestions?

2015-12-07 14:57 GMT+01:00 Fabio Bucci <fabiett...@gmail.com>:

> Thanks Amos.
> So, what do you suggest? Implement Kerberos authentication instead of the NTLM one?
>
> I have to check if netscaler is able to perform that kind of hack you wrote before.
>
> Thanks again,
> Fabio
>
> 2015-12-05 7:22 GMT+01:00 Amos Jeffries <squ...@treenet.co.nz>:
>
>> On 5/12/2015 5:39 a.m., Fabio Bucci wrote:
>> > Thanks Amos.
>> > Actually my load balancing is configured to perform round robin balancing
>> > between the two nodes. I added session persistence by source IP in order
>> > to avoid having to log in again with some sites.
>> >
>> > my squid.conf is very simple:
>> > auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>> > auth_param ntlm children 100
>> > auth_param ntlm keep_alive off
>> >
>> > acl auth proxy_auth REQUIRED
>> >
>> > http_access allow auth
>> >
>>
>> Okay. That *should* work. With some NTLM-specific caveats.
>>
>> > forwarded_for on
>> > follow_x_forwarded_for allow netscaler
>> >
>>
>> If the LB is touching the traffic enough to add headers then it is a
>> proxy. NTLM does not work at all well through proxies. NTLM as a whole
>> is based on the assumption that there is one (and only one) TCP
>> connection between it and the proxy - the credentials are tied to the
>> TCP connection state.
>>
>> There is one VERY slim hack that lets NTLM pass straight through a
>> frontend proxy/LB. That is by pinning the LB's inbound and outbound TCP
>> connections together. This is not just session persistence, but absolute
>> prohibition on any other traffic (even from other connections by the
>> same client) being sent to that outbound LB->proxy connection. Some LB
>> can do it, some can't.
>>
>> I recommend advertising both/all proxy IPs to the clients and letting
>> each select the one(s) it wants to contact. That way the client can
>> perform NTLM directly to the Squid.
>>
>> On the other hand NTLM was deprecated back in 2006, you should try
>> migrating to Negotiate/Kerberos. Kerberos is a bit of a learning curve
>> and can be tricky working with older client software. But is *way* more
>> efficient and friendlier to HTTP (but still not fully).
>>
>> Amos
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users@lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
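The connection-binding problem Amos describes, as an added example that is not part of the thread or of Squid: a toy Python model (all class and connection names are constructed) of a proxy that keys NTLM challenge state on the inbound TCP connection, behind a load balancer that either pins each client connection to one outbound connection or spreads requests round-robin across them. The unpinned case shows the Type 3 response arriving on a connection that holds no challenge, so the handshake never completes.

```python
"""Toy model: NTLM state lives on the TCP connection, so a multiplexing LB breaks it."""
from itertools import cycle


class NtlmProxy:
    """Backend proxy (constructed stand-in): challenge state is keyed by inbound connection."""

    def __init__(self):
        self.challenge_by_conn = {}  # conn_id -> challenge issued on that connection
        self.authenticated = set()   # conn_ids whose handshake completed
        self._counter = 0

    def handle(self, conn_id, msg):
        kind = msg["type"]
        if kind == "negotiate":                 # NTLM Type 1 -> issue challenge (Type 2)
            self._counter += 1
            challenge = f"chal{self._counter}"
            self.challenge_by_conn[conn_id] = challenge
            return {"status": 407, "challenge": challenge}
        if kind == "authenticate":              # NTLM Type 3 -> must match THIS connection's challenge
            expected = self.challenge_by_conn.pop(conn_id, None)
            if expected is not None and expected == msg["challenge"]:
                self.authenticated.add(conn_id)
                return {"status": 200}
            return {"status": 407}              # no matching state on this connection
        # Ordinary request: allowed only on an already-authenticated connection.
        return {"status": 200 if conn_id in self.authenticated else 407}


class LoadBalancer:
    """Frontend LB with two outbound connections to the proxy (constructed)."""

    def __init__(self, proxy, pinned):
        self.proxy = proxy
        self.pinned = pinned                    # True = inbound/outbound connections pinned together
        self.pool = cycle(["lb->proxy#1", "lb->proxy#2"])
        self.pin = {}                           # client_conn -> outbound conn when pinned

    def forward(self, client_conn, msg):
        if self.pinned:
            out = self.pin.setdefault(client_conn, next(self.pool))
        else:
            out = next(self.pool)               # each request may ride a different outbound connection
        return self.proxy.handle(out, msg)


def ntlm_handshake(lb, client_conn="client#1"):
    """Run Type1 -> Type3 -> normal request; return (auth status, follow-up status)."""
    r1 = lb.forward(client_conn, {"type": "negotiate"})
    r2 = lb.forward(client_conn, {"type": "authenticate", "challenge": r1["challenge"]})
    r3 = lb.forward(client_conn, {"type": "get"})
    return r2["status"], r3["status"]
```

Session persistence by source IP does not change the unpinned result here, because the model spreads individual requests, not clients, across outbound connections, which is the distinction Amos draws.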