Doing what you describe works as a bandaid provided you also disable the pipelined request prefetching.. Your change makes it very likely that the same server connection will be reused for the duration of the client connection, and very unlikely the server connection will ever be used for another client connection, almost providing end-to-end HTTP state.
To be done proberly a tighter relation between the client and server connection is required when detecting NTLM or NEGOTIATE authenticate "packets" from the client in the HTTP request headers, forcing Squid to use the same server connection for all requests in the duration of the client connection. You are welcome to join squid-dev to discuss this in more detail if you like. <url:http://www.squid-cache.org/mailing-lists.html#squid-dev> Regards Henrik On Sunday 02 March 2003 04.49, Gary Price \(ICT\) wrote: > I wanted to be able to transparently proxy Windows Integrated > Authentication. I made a small change to squid that seems to let it > work. I altered the hash key used for the persistent server > connection list so it includes the IP and port of the client, as > well as the host name and port of the origin server. So when a > lookup is done for an idle file descriptor to use to connect to an > origin server, only a FD that has previously been used for a > connection from the same client port will be used. Before I made > this change, in my test setup using IIS with Integrated Windows > Authentication, I was getting multiple popups while trying to use > Outlook Web Access and also my test web server. After making the > change, I got only one popup per session as hoped. > > I don't understand why this seems to work, as the documentation, > including from Microsoft says that the authentication method > requires end-to-end HTTP state, and this change is not sufficient > to guarantee that. Perhaps others could try this and report on what > they find. Contact me directly for the source code I used. > > Gary Price > Intelligent Compression Technologies
