Bug 844723 - The NTLM pass-through authentication doesn't work via squid-3.1.10
The NTLM pass-through authentication doesn't work via squid-3.1.10
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: squid (Show other bugs)
Unspecified Unspecified
high Severity high
: rc
: ---
Assigned To: Michal Luscon
Dalibor Pospíšil
: Patch, ZStream
Depends On:
Blocks: 852863
  Show dependency treegraph
Reported: 2012-07-31 09:50 EDT by Jiri Skala
Modified: 2014-11-09 17:35 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Due to an upstream patch, which renamed the HTTP header controlling persistent connections from "Proxy-Connection" to "Connection", the NTLM pass-through authentication does not work, thus preventing login. This update introduces the new "http10" option to the squid.conf file, which can be used to enable the change in the patch. This option is set to "off" by default. When set to "on", the NTLM pass-through authentication works properly, thus allowing login attempts to succeed.
Story Points: ---
Clone Of:
Last Closed: 2013-02-21 03:39:58 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
network trace of connection to web server (2.26 KB, application/vnd.tcpdump.pcap)
2013-01-08 04:57 EST, Pierre Filippone
no flags Details

  None (edit)
Comment 11 Pierre Filippone 2013-01-08 02:57:47 EST
I installed squid-3.1.10-9.el6_3, set "http10" to on and can confirm that this patch solved our NTLM authentication issues. 

Nevertheless I think it breaks other things. We recently had some calls regarding blocked access to certain web sites caused by invalid HTTP requests. I examined the header of the outgoing HTTP requests and noticed that a "Proxy-Connection: keep-alive" header is sent to the web server. 

When I disable the "http10" option, a correct "Connection: keep-alive" header is sent and the access is not blocked anymore. 

As far as I understand the "Proxy-Connection: keep-alive" header should never be sent to web servers.
Comment 12 Michal Luscon 2013-01-08 04:21:33 EST
Could you provide a reproducer or tcpdump from customer? (In reply to comment #11)
Comment 13 Pierre Filippone 2013-01-08 04:57:56 EST
Created attachment 674657 [details]
network trace of connection to web server

I uploaded the requested tcpdump trace.
Comment 15 Michal Luscon 2013-01-15 08:12:03 EST
(In reply to comment #11)
I can confirm described behaviour - tracking buzilla available at https://bugzilla.redhat.com/show_bug.cgi?id=895526 .
Comment 17 errata-xmlrpc 2013-02-21 03:39:58 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

Comment 18 Pierre Filippone 2013-03-05 09:35:35 EST
I tried it with squid-3.1.10-16.el6. No change. Error persists.

Note You need to log in before you can comment on or make changes to this bug.