RE: [squid-users] RE: NTLM and persistent connections reverse proxy 3.1.20 - SOLVED + PATCH

From: James Harper <james.harper_at_bendigoit.com.au>
Date: Tue, 12 Jun 2012 07:16:51 +0000

> >> I've done a bit more testing on this, and it seems that the server
> >> returns "HTTP/1.1 401 Unauthorized" but squid turns this into
> >> "HTTP/1.0 401 Unauthorized" before passing it on to the client.
> >> Does that help?
> >>
> > It seems that this is the cause of the problem... The patch following
> > this email fixes it... is there any reason why the version should be
> > forced to 1.0?? Is it to work around some other bug?
>
> Because Squid 3.1 is not HTTP/1.1 compliant on the client-facing channels.
> Offering it will trick the clients into believing they can use features
> which will break their connectivity.
>
> The problem is somewhere in the code which determines
> "Connection:keep-alive" and "Connection:close". Squid should be adding
> "Connection:keep-alive" unless something causes "Connection:close" to be
> necessary.
>

Actually it turns out that sending HTTP/1.0 back to the client (Windows Terminal Server Gateway client) causes it to drop the connections itself. I thought it was Squid dropping the connections originally but that turned out not to be the case. It was only when I worked around the HTTPS encryption that I could actually monitor the contents of the packets and see what was going on.

So as far as I can see there is no other fix apart from my patch to not modify the HTTP version in the response sent back to the client. I'm quite happily connected through my Terminal Server Gateway now without any problems at all, but from what you have said it would seem that I'm just lucky that that RPC protocol for TSG doesn't use any unsupported (by squid) HTTP/1.1 features, and that my patch is likely to introduce other problems in other protocols...
 
Bring on squid 3.2.0 and full HTTP/1.1 support, I guess :)

Thanks

James
Received on Tue Jun 12 2012 - 07:17:01 MDT
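
Added example (not part of the original message and not Squid code): the standard HTTP persistence rules behind the quoted "Connection:keep-alive" remark, applied to a 401 challenge whose status line is rewritten from HTTP/1.1 to HTTP/1.0. NTLM authenticates the connection, so a challenge that reads as non-persistent cannot complete. The function names and the sample response are constructed for illustration, and the Terminal Server Gateway client's own handling is not modelled.

```python
# Constructed sample: an origin-server NTLM challenge with no Connection header.
ORIGIN_401 = (b"HTTP/1.1 401 Unauthorized\r\n"
              b"WWW-Authenticate: NTLM\r\n"
              b"Content-Length: 0\r\n\r\n")

# Auth schemes whose handshake is tied to one TCP connection.
CONNECTION_BOUND_SCHEMES = {"ntlm", "negotiate"}

def parse_head(raw):
    """Return (version, status, headers) from a raw HTTP response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    version, status = lines[0].split(" ", 2)[:2]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return version, int(status), headers

def is_persistent(version, headers):
    """HTTP/1.1 persists unless 'close'; HTTP/1.0 persists only with 'keep-alive'."""
    tokens = {t.strip().lower()
              for v in headers.get("connection", []) for t in v.split(",")}
    if "close" in tokens:
        return False
    if version == "HTTP/1.1":
        return True
    return "keep-alive" in tokens

def breaks_connection_auth(raw):
    """True if a connection-bound 401 challenge arrives as non-persistent."""
    version, status, headers = parse_head(raw)
    if status != 401:
        return False
    schemes = {v.split(None, 1)[0].lower()
               for v in headers.get("www-authenticate", []) if v}
    return bool(schemes & CONNECTION_BOUND_SCHEMES) and not is_persistent(version, headers)

def downgrade_status_line(raw):
    """Model of the rewrite described in the thread: only the version token changes."""
    return raw.replace(b"HTTP/1.1 ", b"HTTP/1.0 ", 1)
```

Running `breaks_connection_auth` over relayed response heads captured at the client side of a proxy flags challenges that lost persistence in transit.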
