Bug 844723

Summary: The NTLM pass-through authentication doesn't work via squid-3.1.10
Product: Red Hat Enterprise Linux 6
Reporter: Jiri Skala <jskala>
Component: squid
Assignee: Michal Luscon <mluscon>
Status: CLOSED ERRATA
QA Contact: Dalibor Pospíšil <dapospis>
Severity: high
Priority: high
Version: 6.2
CC: aglotov, ovasik, pierre.filippone, plyons
Target Milestone: rc
Keywords: Patch, ZStream
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Doc Text:
Due to an upstream patch, which renamed the HTTP header controlling persistent connections from "Proxy-Connection" to "Connection", the NTLM pass-through authentication does not work, thus preventing login. This update introduces the new "http10" option to the squid.conf file, which can be used to enable the change in the patch. This option is set to "off" by default. When set to "on", the NTLM pass-through authentication works properly, thus allowing login attempts to succeed.
Last Closed: 2013-02-21 08:39:58 UTC
Type: Bug
Bug Blocks: 852863    
Attachments:
network trace of connection to web server (flags: none)

Comment 11 Pierre Filippone 2013-01-08 07:57:47 UTC
I installed squid-3.1.10-9.el6_3, set "http10" to on and can confirm that this patch solved our NTLM authentication issues. 

Nevertheless I think it breaks other things. We recently had some calls regarding blocked access to certain web sites caused by invalid HTTP requests. I examined the header of the outgoing HTTP requests and noticed that a "Proxy-Connection: keep-alive" header is sent to the web server. 

When I disable the "http10" option, a correct "Connection: keep-alive" header is sent and the access is not blocked anymore. 

As far as I understand the "Proxy-Connection: keep-alive" header should never be sent to web servers.
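
The header check Comment 11 describes doing by hand, as an added example that is not part of the original bug report or of squid itself: it parses request heads captured on the proxy's server-facing side and flags a Proxy-Connection header on origin-form requests. The function names and the sample requests are constructed for illustration.

```python
"""Flag requests in which a proxy forwards the hop-by-hop Proxy-Connection header to a web server."""

def parse_request_head(raw: bytes):
    """Return (method, target, {lowercased header name: value}) or None if unparseable."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers

def audit_egress_request(raw: bytes):
    """Return findings for one request captured between the proxy and the next hop."""
    parsed = parse_request_head(raw)
    if parsed is None:
        return ["unparseable request head"]
    _method, target, headers = parsed
    # Origin-form target ("/path") is what a web server receives; absolute-form
    # ("http://host/path") or CONNECT's authority-form is addressed to a proxy.
    if not target.startswith("/"):
        return []
    findings = []
    if "proxy-connection" in headers:
        findings.append("Proxy-Connection: %s sent to origin server" % headers["proxy-connection"])
        if "connection" not in headers:
            findings.append("no Connection header accompanies it")
    return findings

# Constructed sample requests (not taken from the attached trace).
SAMPLES = {
    "http10 on, proxy to server": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nProxy-Connection: keep-alive\r\n\r\n",
    "http10 off, proxy to server": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nConnection: keep-alive\r\n\r\n",
    "client to proxy": b"GET http://www.example.com/index.html HTTP/1.1\r\nHost: www.example.com\r\nProxy-Connection: keep-alive\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", audit_egress_request(raw) or "ok")
```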

Comment 12 Michal Luscon 2013-01-08 09:21:33 UTC
(In reply to comment #11)
Could you provide a reproducer or tcpdump from the customer?

Comment 13 Pierre Filippone 2013-01-08 09:57:56 UTC
Created attachment 674657
network trace of connection to web server

I uploaded the requested tcpdump trace.

Comment 15 Michal Luscon 2013-01-15 13:12:03 UTC
(In reply to comment #11)
I can confirm the described behaviour - tracking bugzilla available at https://bugzilla.redhat.com/show_bug.cgi?id=895526 .

Comment 17 errata-xmlrpc 2013-02-21 08:39:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0505.html

Comment 18 Pierre Filippone 2013-03-05 14:35:35 UTC
I tried it with squid-3.1.10-16.el6. No change. Error persists.