Strange Squid behaviour
Wondering if anyone had any insight into the following error/quirk, as Google doesn't provide a suitable answer because the question is obscure.
When reading logs, or using "sarg" to process a log into statistics, it always shows traffic for 192.168.0.0 (which is the ACL defined as the internal LAN); all of that traffic is denied, however it then does as it should and reports per username (ntlm_auth -- single sign-on).
Now, I have searched Google and found nothing, but EVERY request a user makes looks like this:
192.168.0.0 d www.google.com
192.168.0.0 d www.google.co.uk
k.bridson 1 www.google.com
k.bridson 1 www.google.co.uk
Implying that localhost or some obscure call makes the first request, is then denied, and then the user requests and receives content.
The above is shown through SquidView, to monitor traffic, and every occurrence of 192.168.0.0 has denied access. Yesterday's usage was around 900mb, but the line only has 5-7 trial members testing it, and 192.168.0.0 pulled almost 140mb of data. I would like to hope it's not repeating the data, as that's unnecessary data fetching.
Anyone have any ideas?
This is normal behaviour. NTLM is a challenge/response protocol. As a result of the negotiation process between the client browser and the proxy, several deny lines will be logged before they finally agree and the request succeeds.
I think that this is generally what you expect to see in proxy logs (and web logs).
Basically, when you go to get a web page, your browser doesn't know that it needs to authenticate so it asks the proxy anonymously for Google etc. The proxy then says "I need authentication to do this" and so the browser then re-submits the request with credentials.
What you generally see is that the first request is duplicated like that; subsequent requests during the same browser session don't need re-authentication.
You can watch the exchange with Wireshark if you want to know more of the gory details :-)
I see, as explained above. Very interesting indeed, never noticed it last time the machine was around.
So, I'm to guess that by default there's going to be extra bandwidth used when using ntlm_auth, and there's not much to do about it; I suppose the fact that it's only a request rather than a full page load makes it a bit easier.
I always assumed: browser request > squid (auth yes|no) > auth yes, request page.
I think you will find that it is "ghost" bandwidth, logged but not downloaded. I can ask one of our developers though, they may know. Or Geoff will ;-P
It is a tiny amount of data - the actual amount of "waste" if you like is little more than the length of the URL (that's the bit which gets duplicated).
When you look at all the other stuff going on on a network, it's not really causing much congestion :-)
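To see the handshake described above in the raw access.log rather than through sarg or SquidView, here is an added log-parsing example (not from this thread or from Squid itself) that separates the 407 challenge lines from real denials and from authenticated per-user traffic. It assumes Squid's native access.log format and uses constructed sample lines.

```python
import re
from collections import defaultdict

# Constructed sample of Squid native access.log lines (not from the thread):
# time elapsed client action/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1300000000.101    12 192.168.0.15 TCP_DENIED/407 3412 GET http://www.google.com/ - NONE/- text/html
1300000000.133    15 192.168.0.15 TCP_DENIED/407 3412 GET http://www.google.com/ - NONE/- text/html
1300000000.420   240 192.168.0.15 TCP_MISS/200 15230 GET http://www.google.com/ k.bridson DIRECT/74.125.0.1 text/html
1300000001.010    11 192.168.0.15 TCP_DENIED/407 3408 GET http://www.google.co.uk/ - NONE/- text/html
1300000001.300   210 192.168.0.15 TCP_MISS/200 14980 GET http://www.google.co.uk/ k.bridson DIRECT/74.125.0.2 text/html
1300000005.500   180 192.168.0.15 TCP_HIT/200 8800 GET http://www.google.com/images/logo.png k.bridson NONE/- image/png
1300000009.900    10 192.168.0.22 TCP_DENIED/403 3300 GET http://www.example.com/ j.doe NONE/- text/html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$")

def parse_line(line):
    """Parse one native-format line into a dict; return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {**m.groupdict(), "status": int(m["status"]), "bytes": int(m["bytes"])}

def summarise(log_text):
    """Split log volume into NTLM handshake challenges (407, no user yet),
    other denials (403 etc.) and authenticated traffic per user."""
    out = {"handshake_lines": 0, "handshake_bytes": 0,
           "denied_lines": 0, "per_user_bytes": defaultdict(int)}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] == 407:
            # 407 = proxy asked for credentials; the bytes column is the
            # challenge response Squid sent back, not origin content.
            out["handshake_lines"] += 1
            out["handshake_bytes"] += rec["bytes"]
        elif rec["action"].startswith("TCP_DENIED"):
            out["denied_lines"] += 1
        else:
            out["per_user_bytes"][rec["user"]] += rec["bytes"]
    out["per_user_bytes"] = dict(out["per_user_bytes"])
    return out
```

Running `summarise` over a real access.log lets you see how much of the volume a per-source report attributes to 407 challenges versus what was actually fetched for each authenticated user.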