HAProxy + Squid + NTLM = Not Working! Help!

Hello Sharks,

I have the following scenario:

[ Client ] ----------> [ HaProxy ] ----------> [ Squid1 ] or [ Squid2 ]

Using NTLM authentication on both Squids. All working fine except for INTERNET EXPLORER.

In Chrome it's OK. In Firefox it's OK. But Internet Explorer (11) always shows the prompt for credentials.

Can anyone help me?

Below is my haproxy.cfg:
defaults
    mode http
    option httplog
    option dontlognull
    option forwardfor except 127.0.0.1/8 # Required to log the client IP
    option redispatch
    retries 7
    timeout http-request 10s
    timeout queue 1m
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms
    timeout http-keep-alive 10s
    timeout check 10s

frontend squid_frontend
    bind *:3128
    default_backend squid_backend
    option prefer-last-server
    option http-keep-alive # Required for NTLM
    option forwardfor

backend squid_backend
    option prefer-last-server # NTLM
    option http-keep-alive # Required for NTLM
    server squid126 172.19.0.126:3128 check
    server squid127 172.19.0.127:3128 check
    server squid128 172.19.0.128:3128 check
    balance source

Thanks!

I think Chrome and Firefox may not actually do NTLM and fall back to basic authentication.

For NTLM, I would generally recommend tunnel mode (“option http-tunnel”), with a long enough “timeout tunnel”.

With http-keep-alive mode, use a longer keep-alive timeout (timeout http-keep-alive), see if that helps, but, like I said, I would use tunnel mode.

Thanks @lukastribus,

This works fine … with tunnel mode …

But on the Squid server the log shows the IP of HAProxy instead of the client IP.

How do I fix this? How can HAProxy send, and Squid receive, the real client IP instead of the HAProxy IP?

That doesn’t work in tunnel mode (only the first request will have the IP).
In Squid >= 3.5 you could use the PROXY protocol, this would solve your issue.

Otherwise go back to keep-alive mode, but use a high “timeout http-keep-alive” setting, like a few minutes. That should improve the situation (but NTLM is and always will be a mess).

@lukastribus, thank you again … you are the man …

Yes, my Squid is 3.5, but how does the PROXY protocol work? Do you have an example of a configuration in squid.conf that fixes this issue and shows the real IP? Is the PROXY protocol on the Squid side or the HAProxy side?

I tried this in haproxy.cfg:

server squid126 172.19.0.126:3128 check send-proxy
and
server squid126 172.19.0.126:3128 check send-proxy-v2

but it doesn’t work … the internet on the client doesn’t work …

I quickly searched through squid documentation. If I understand correctly, for x-forwarded-for to work, you currently specify the follow_x_forwarded_for directive, allowing the haproxy IP. You would need to do the same by using the proxy_protocol_access directive:

http://www.squid-cache.org/Versions/v3/3.5/cfgman/proxy_protocol_access.html

Also you may need to add the “require-proxy-header” argument in your http_port directive:
http://www.squid-cache.org/Versions/v3/3.5/cfgman/http_port.html

Dear @lukastribus,

I followed your suggestion and all works …

In haproxy I put:
server squid126 172.19.0.126:3128 check send-proxy

In squid.conf I put:
acl haproxyip src 172.19.0.121
proxy_protocol_access allow haproxyip
http_port 172.19.0.126:3128 require-proxy-header
via on
follow_x_forwarded_for allow all # Required to pass the client IP through haproxy
request_header_access X-Forwarded-For allow all
request_header_access Allow allow all
forwarded_for on

And it works fine … Thanks for your support!
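As an added example (not code from the thread, and not HAProxy's or Squid's own implementation): the text line that HAProxy's `send-proxy` puts in front of every backend connection, and a receiver-side parser standing in for what `http_port ... require-proxy-header` plus `proxy_protocol_access allow haproxyip` amount to. The header format (`PROXY TCP4 <client> <server> <client-port> <server-port>\r\n`, at most 107 bytes) is the published PROXY protocol v1; the client address 10.1.2.3 and port are constructed, the haproxy and squid addresses are the ones from the thread, and the trust check on the sending peer is the security-relevant part: only the haproxy IP may assert a client address, anyone else gets rejected before any HTTP is read.

```python
import ipaddress

# The peer Squid is willing to accept a PROXY header from: the
# `acl haproxyip src 172.19.0.121` line from the thread. Any other peer
# asserting a client address is rejected.
TRUSTED_PROXIES = {ipaddress.ip_address("172.19.0.121")}


class ProxyHeaderError(Exception):
    """Raised when the connection preamble is not an acceptable PROXY v1 header."""


def build_proxy_v1(client_ip, client_port, server_ip, server_port):
    """Build the line HAProxy's `send-proxy` emits before the first byte of the
    client's HTTP request: 'PROXY TCP4 <client> <server> <cport> <sport>\\r\\n'."""
    family = "TCP4" if ipaddress.ip_address(client_ip).version == 4 else "TCP6"
    return f"PROXY {family} {client_ip} {server_ip} {client_port} {server_port}\r\n".encode("ascii")


def parse_proxy_v1(data, peer_ip):
    """Receiver side. Returns (client_ip, remaining_bytes) or raises ProxyHeaderError.

    peer_ip is the TCP peer that sent the bytes; the header is only believed
    when that peer is a trusted proxy (the job of proxy_protocol_access)."""
    if ipaddress.ip_address(peer_ip) not in TRUSTED_PROXIES:
        raise ProxyHeaderError(f"PROXY header from untrusted peer {peer_ip}")
    if not data.startswith(b"PROXY "):
        raise ProxyHeaderError("connection did not start with a PROXY header")
    # A v1 header is at most 107 bytes including its terminating CRLF.
    end = data.find(b"\r\n", 0, 107)
    if end == -1:
        raise ProxyHeaderError("PROXY header not terminated within 107 bytes")
    try:
        fields = data[:end].decode("ascii").split(" ")
    except UnicodeDecodeError as exc:
        raise ProxyHeaderError("non-ASCII byte in PROXY header") from exc
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyHeaderError(f"malformed PROXY header: {fields!r}")
    _, family, src, dst, sport, dport = fields
    try:
        client, server = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        sport, dport = int(sport), int(dport)
    except ValueError as exc:
        raise ProxyHeaderError(f"bad address or port in PROXY header: {exc}") from exc
    if (family == "TCP4") != (client.version == 4 and server.version == 4):
        raise ProxyHeaderError("address family does not match the addresses")
    if not (0 < sport < 65536 and 0 < dport < 65536):
        raise ProxyHeaderError("port out of range")
    # Everything after the CRLF is the client's own request, untouched.
    return str(client), data[end + 2:]


def demo():
    """Constructed exchange: client 10.1.2.3 -> haproxy 172.19.0.121 -> squid 172.19.0.126."""
    header = build_proxy_v1("10.1.2.3", 51000, "172.19.0.126", 3128)
    request = b"CONNECT ssl.gstatic.com:443 HTTP/1.1\r\nHost: ssl.gstatic.com:443\r\n\r\n"
    client_ip, rest = parse_proxy_v1(header + request, peer_ip="172.19.0.121")
    return client_ip, rest


if __name__ == "__main__":
    ip, rest = demo()
    print("client IP from PROXY header:", ip)
    print("first line of HTTP request:", rest.split(b"\r\n", 1)[0].decode())
```

Note how the parser never looks at the HTTP request itself, which matches what is said later in the thread: once `send-proxy` is on, the client address travels in this preamble and HAProxy no longer needs `option forwardfor` for Squid to know who the client is.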

Great, thanks for confirming.

FYI:

This is probably a security issue. Everybody can specify any IP Address in x-forwarded-for and squid will log that one. Now that you are using PROXY, you can remove this option altogether. If you would still be using x-forwarded-for, you would have to set this to the haproxy IP, instead of “allow all” for that reason.
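To make the point above concrete, an added example (not code from the thread or from Squid): a model of how a proxy decides which address to log from `X-Forwarded-For`, walking the header right to left and believing an entry only if the hop that appended it is trusted. `trusted_proxies=None` models `follow_x_forwarded_for allow all`; the set `{HAPROXY_IP}` models an ACL that allows only the haproxy address. The client 10.1.2.3 and the spoofed value 203.0.113.9 are constructed; the haproxy IP is the one from the thread.

```python
import ipaddress

HAPROXY_IP = "172.19.0.121"   # the thread's `acl haproxyip src` address
REAL_CLIENT = "10.1.2.3"      # constructed client address
SPOOFED = "203.0.113.9"       # constructed, documentation range


def effective_client_ip(peer_ip, xff, trusted_proxies=None):
    """Return the address a proxy should log for this request.

    Each X-Forwarded-For entry was appended by the hop to its right (the
    rightmost one by the TCP peer itself), so an entry is believed only while
    the hop that appended it is trusted. trusted_proxies=None models
    `follow_x_forwarded_for allow all`: every hop, the client included, is trusted.
    """
    hops = [h.strip() for h in xff.split(",")] if xff else []
    current = ipaddress.ip_address(peer_ip)
    trusted = None if trusted_proxies is None else {ipaddress.ip_address(p) for p in trusted_proxies}
    while hops and (trusted is None or current in trusted):
        try:
            current = ipaddress.ip_address(hops.pop())
        except ValueError:
            break  # unparsable entry: stop at the last address we could verify
    return str(current)


def logged_ip_allow_all(peer_ip, xff):
    """What `follow_x_forwarded_for allow all` would log."""
    return effective_client_ip(peer_ip, xff, trusted_proxies=None)


def logged_ip_trust_haproxy(peer_ip, xff):
    """What `follow_x_forwarded_for allow haproxyip` would log."""
    return effective_client_ip(peer_ip, xff, trusted_proxies={HAPROXY_IP})


def demo():
    """A client sends its own X-Forwarded-For; haproxy (`option forwardfor`) appends
    the client's real address, so Squid receives 'spoofed, real' from the haproxy IP."""
    xff_from_haproxy = f"{SPOOFED}, {REAL_CLIENT}"
    return {
        "allow all": logged_ip_allow_all(HAPROXY_IP, xff_from_haproxy),
        "allow haproxyip": logged_ip_trust_haproxy(HAPROXY_IP, xff_from_haproxy),
    }


if __name__ == "__main__":
    for setting, ip in demo().items():
        print(f"{setting:>16}: squid logs {ip}")
```

With `allow all` the spoofed 203.0.113.9 ends up in the access log; with trust limited to the haproxy IP the walk stops at 10.1.2.3, the address haproxy itself observed. A client connecting straight to Squid with a forged header gets nowhere in the restricted mode either, because its own address is not in the trusted set.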

Another issue …

When I’m logged on to the domain (therefore NTLM) the internet works fine … but when I access from a PC that is not logged in to the domain (therefore not NTLM) the access is denied, and the internet doesn’t work …

And what would be expected behavior in the non-NTLM case? Does it work without haproxy?

That the internet works with manual proxy configuration. In the same scenario without HAProxy it works fine.

Any logs in haproxy about the failed request?

On Squid the LOG says:

TCP_DENIED/407 4219 CONNECT ssl.gstatic.com:443 - HIER_NONE/- text/html

Did it work when NOT using PROXY? If yes, then this could be a bug in squid.

No. This error appeared after changing Squid and HAProxy to use the “proxy protocol”.

It seems that haproxy does not pass the user and password to squid with the proxy protocol enabled. With the proxy protocol enabled the machines logged in to the domain work well, but those that are not in the domain are asked for the authentication screen all the time.

No, haproxy doesn’t even look at the request anymore. This seems like a squid bug to me.

On my Squid, there are two steps of authentication:

1 - NTLM

Then

2 - Basic

@gianfcn I have the same problem with the same settings, but in my case, I have two different clusters, with the same settings. In our environment with squid 3.5.13 and haproxy 1.5.18 it works fine, but in the other environment with squid 3.5.25 and haproxy 1.5.18, the NTLM authentication only works if at first you request an https URL.