Re: Aw: Re: [squid-users] Kerberos / Authentication / squid

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 28 Nov 2013 23:44:09 +1300

On 28/11/2013 10:42 p.m., Berthold Zettler wrote:
> Hi Madhav,
>
>
>
> All relevant systems (AD-Controllers and the clients (Windows 7)) have a value for "MaxTokenSize" of 65535.
>
> Therefore I don't think that this failure was caused by AD or client settings.
>
> The tokensize (27332) reported by the MS tokensz.exe tool is far below this value.
> Our other kerberized systems (Apaches) are working fine with this large tokensize.
>
> So I think it's a squid / buffer or kerberos-helper related issue

That MAX_AUTHTOKEN_LEN (64KB) is what is used directly to allocate the
Squid buffer and helper buffer and the base-64 encoded version of the
token needs to fit inside it along with the 3-5 helper protocol bytes.

A bigger problem is the Squid network I/O parsing. The buffer holding
HTTP headers also has a default maximum length of 64KB ... for the
entire HTTP header block.
  http://www.squid-cache.org/Doc/config/request_header_max_size/
  http://www.squid-cache.org/Doc/config/reply_header_max_size/

If you need to you can bump those up to around 256KB before you start to
hit other limits in the primary I/O buffer itself.

PS. you should also look to the library Squid is using. It may have
limits or problems of its own separate from the Apache systems library.

PPS. The IETF HTTPbis WG did an analysis of many pieces of software a while back
and concluded that the maximum generally acceptable HTTP header length
was 4KB. Squid with its 64KB limit is one of the more accepting out
there. So be careful of *any* other software involved with that traffic.

Amos
Received on Thu Nov 28 2013 - 10:44:18 MST
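
Added example, not part of the original message or of Squid's code: a Python check of how a raw Kerberos token grows under base64 and how the result compares with the 64KB token buffer and the header size limits discussed in the thread. The exact byte values of the limits, the `Proxy-Authorization: Negotiate` framing and the 2048-byte estimate for the remaining headers are assumptions.

```python
import base64

# Figures from the thread: "64KB" buffers and 3-5 helper protocol bytes.
# The exact byte values in Squid's source are assumed here, not quoted.
MAX_AUTHTOKEN_LEN = 64 * 1024
HELPER_PROTOCOL_BYTES = 5          # worst case of the "3-5" mentioned
HEADER_MAX_DEFAULT = 64 * 1024     # request_header_max_size default
HEADER_MAX_RAISED = 256 * 1024     # upper bound suggested in the reply
# Assumed header framing for proxy authentication.
HEADER_PREFIX = b"Proxy-Authorization: Negotiate "
CRLF = b"\r\n"


def b64_len(raw_len):
    """Length of the padded base64 encoding of raw_len bytes."""
    return 4 * ((raw_len + 2) // 3)


def check_token(raw_len, other_headers=2048):
    """Report whether a raw token of raw_len bytes fits each limit.

    other_headers is a constructed estimate of the rest of the request
    header block (request line, Host, User-Agent and so on).
    """
    encoded = b64_len(raw_len)
    helper_line = encoded + HELPER_PROTOCOL_BYTES
    header_block = len(HEADER_PREFIX) + encoded + len(CRLF) + other_headers
    return {
        "encoded": encoded,
        "fits_helper_buffer": helper_line <= MAX_AUTHTOKEN_LEN,
        "fits_default_header_max": header_block <= HEADER_MAX_DEFAULT,
        "fits_raised_header_max": header_block <= HEADER_MAX_RAISED,
    }


def max_raw_token(limit=MAX_AUTHTOKEN_LEN, overhead=HELPER_PROTOCOL_BYTES):
    """Largest raw token whose base64 form plus overhead fits in limit."""
    return ((limit - overhead) // 4) * 3


if __name__ == "__main__":
    # Sanity check the length formula against the real encoder.
    assert b64_len(27332) == len(base64.b64encode(bytes(27332)))
    for size in (27332, 65535):    # tokensz.exe value, MaxTokenSize value
        print(size, check_token(size))
    print("largest raw token for the helper buffer:", max_raw_token())
```

Under these assumptions the 27332-byte token encodes to 36444 bytes and fits every limit, while a token at the full MaxTokenSize of 65535 bytes would encode to 87380 bytes and exceed both 64KB limits.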
