On tis, 2008-07-01 at 20:25 -0500, Luis Daniel Lucio Quiroz wrote:
> 1214974554.906 0 99.90.40.253 TCP_DENIED/407 3249 GET
> http://www.presidencia.gob.mx/imgs/edomayor_over.gif a2 NONE/- text/html
>
> if we use percistance, it works, but we can stop using of sharing usernames.
> Balancig schema is like this:
>
> user -> balancer f5 -> squid1
> \->squid2
>
> Squid is configured with LDAP-digest auth.
digest auth needs persistent sessions to work best. Without session it
will perform quite badly with many repeated 407 exchanges.
The reason to this is that digest authentication is stateful, with the
server verifying that the client responds to a challenge sent by that
server. This is part of the replay protection agains authenticated
session theft and by design in the digest authentication scheme. Each
time the client gets connected to a new proxy server the server issued
challenge needs to be renewed.
basic authentication works well with "dumb" TCP load balancing, as it's
completely stateless.
NTLM/Negotiate also works with "dumb" TCP load balancing, as it's very
stateful but at the TCP connection level, not at the HTTP message
level..
Regards
Henrik
This archive was generated by hypermail 2.2.0 : Thu Jul 03 2008 - 12:00:02 MDT