Re: [squid-users] proxy_auth digest and multiple reverse proxies (siblings)

From: Luis Daniel Lucio Quiroz <luis.daniel.lucio_at_gmail.com>
Date: Mon, 8 Feb 2010 19:38:19 -0600

On Thursday 28 January 2010 22:30:41, Deepak Rao wrote:
> On Thu, Jan 28, 2010 at 12:39 AM, Luis Daniel Lucio Quiroz
> <luis.daniel.lucio_at_gmail.com> wrote:
> > On Wednesday 27 January 2010 12:05:32, Deepak Rao wrote:
> >> Hi,
> >>
> >> I have a squid setup requirement in my project for which I could not
> >> find an answer. Any pointers will be helpful...
> >>
> >> The setup is as follows: I have multiple reverse proxies serving web
> >> pages to clients. A load balancer front-ends the reverse proxies. The
> >> reverse proxies can be configured as siblings.
> >>
> >> The client requests contain HTTP Digest headers and need to be
> >> authenticated at my server side (using proxy_auth?). The requests from
> >> a client can be served by any of the reverse proxies & no state is
> >> maintained on the server. Stickiness is also not possible.
> >>
> >> The issue is:
> >> When the first request (REQ1) comes from client 1, server responds
> >> back with 401 Unauthorized (WWW-Authenticate) and sets a nonce value
> >> (N1) [all this is handled by the reverse proxy itself]
> >>
> >> Now when the client 1 sends the request (REQ1) again with all the
> >> digest headers (using nonce N1), this request is received by another
> >> reverse proxy. For this reverse proxy, the nonce N1 is unknown and
> >> hence it returns again 401 Unauthorized as response with stale=true
> >> for the nonce N1! Thus the request is never getting served rightly.
> >>
> >> How do I handle this scenario? Is there a way to make all reverse
> >> proxies share the same nonce pool?
> >>
> >> Any other alternatives for my requirement are also welcome.
> >>
> >> Thanks,
> >> Deepak
> >
> > Easygoing, if you are using digest auth, use some persistency in your
> > balances et voila! you are done. Don't use RoundRobin.
>
> yes that would be the best way. Unfortunately, the servers are hosted
> on third party infrastructure and their load balancer does not provide
> any stickiness. The load balancer just uses round-robin to pass
> requests to various reverse-proxies.

You won't using RoundRobin, you MUST use a persistency.
Received on Tue Feb 09 2010 - 01:38:38 MST
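
Added example, not part of the original thread and not Squid code or configuration: the "shared nonce pool" asked about above can be approximated without shared state by the nonce construction RFC 2617 section 3.2.1 suggests, a timestamp plus a keyed hash of it, so any node holding the same secret can validate a nonce issued by another node. The secret, realm, lifetime and function names are assumptions made for this sketch.

```python
import hashlib
import hmac
import time
from typing import Optional

# Assumption: the same secret is provisioned on every proxy node (constructed value).
SHARED_SECRET = b"constructed-demo-secret"
NONCE_LIFETIME = 300  # seconds a nonce stays fresh (assumed policy)
CLOCK_SKEW = 5        # tolerated clock difference between nodes (assumed)


def _mac(ts: str, realm: str, secret: bytes) -> str:
    # Keyed hash over timestamp and realm; only holders of the secret can mint it.
    return hmac.new(secret, f"{ts}:{realm}".encode(), hashlib.sha256).hexdigest()


def issue_nonce(realm: str, secret: bytes = SHARED_SECRET,
                now: Optional[float] = None) -> str:
    """Node A: build the nonce placed in the 401 WWW-Authenticate challenge."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}:{_mac(ts, realm, secret)}"


def check_nonce(nonce: str, realm: str, secret: bytes = SHARED_SECRET,
                now: Optional[float] = None) -> str:
    """Node B: classify a nonce it never issued as 'ok', 'stale' or 'invalid'."""
    ts, sep, mac = nonce.partition(":")
    if not sep or not (ts.isascii() and ts.isdigit()):
        return "invalid"
    # Constant-time comparison of the received and recomputed MAC.
    if not hmac.compare_digest(mac.encode(), _mac(ts, realm, secret).encode()):
        return "invalid"
    age = (time.time() if now is None else now) - int(ts)
    if age < -CLOCK_SKEW or age > NONCE_LIFETIME:
        return "stale"  # answer 401 with stale=true so the client retries
    return "ok"


if __name__ == "__main__":
    n1 = issue_nonce("example-realm")           # issued by one proxy
    print(n1, check_nonce(n1, "example-realm"))  # accepted by a sibling
```

A nonce validated this way is replayable by anyone who observes it until it expires; enforcing the nonce count (nc) per nonce still needs state shared between the nodes, so keep the lifetime short.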
