New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
proxy-ntlm requires Proxy-Connection: keep-alive #954
Comments
So if you revert 113f04e from git master, it works again? |
Yes. $ curl --proxy-ntlm --proxy proxy.estest.intra:3128 --proxy-user MyDomain\ntlmtest:test -v https://example.com/file * Trying 101.102.103.104... * TCP_NODELAY set * Connected to proxy.estest.intra (101.102.103.104) port 3128 (#0) * Establish HTTP proxy tunnel to example.com:443 * Proxy auth using NTLM with user 'MyDomain\ntlmtest' > CONNECT example.com:443 HTTP/1.1 > Host: example.com:443 > Proxy-Authorization: NTLM TlRMTVNTU...AAAAAAAA= > User-Agent: curl/7.50.2-DEV > Proxy-Connection: Keep-Alive > < HTTP/1.0 407 Proxy Authentication Required < Server: squid/2.7.STABLE5 < Date: Fri, 12 Aug 2016 06:06:00 GMT < Content-Type: text/html < Content-Length: 1333 < X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0 < Proxy-Authenticate: NTLM TlRMTVNTUAA.....QAAAAAA < X-Cache: MISS from intra.my.domain.com < X-Cache-Lookup: NONE from intra.my.domain.com:3128 < Via: 1.0 intra.my.domain.com:3128 (squid/2.7.STABLE5) < Connection: keep-alive < Proxy-Connection: keep-alive < * Ignore 1333 bytes of response-body * TUNNEL_STATE switched to: 0 * Establish HTTP proxy tunnel to example.com:443 * Proxy auth using NTLM with user 'MyDomain\ntlmtest' > CONNECT example.com:443 HTTP/1.1 > Host: example.com:443 > Proxy-Authorization: NTLM TlRMTVNTU....SS1GRUpMMTM= > User-Agent: curl/7.50.2-DEV > Proxy-Connection: Keep-Alive > < HTTP/1.1 200 Connection established < * Proxy replied OK to CONNECT request |
Any idea what proxy/version this is that's causing this trouble? As mentioned in the issue, the header is deprecated and the advice is not to use... |
Well, ntlm isn't today's tech, but still used. |
Well, this isn't strictly because of NTLM as NTLM over proxy works perfectly well without this header. This problem is because of the proxy you're using is relying on this header to mean something more than what it actually does. But sure, we could limit the use of the header to NTLM only to limit the scope of the use. But again, for documentation and curiosity, do you know which proxy/version this is that causes us this problem? |
Okay, I missunderstood. curl --proxy-ntlm --proxy proxy.estest.intra:3128 --proxy-header Connection:keep-alive --proxy-user MyDomain/ntlmtest:test -v https://example.com/file * Trying 101.102.103.104... * Connected to proxy.estest.intra (101.102.103.104) port 3128 (#0) * Establish HTTP proxy tunnel to example.com:443 * Proxy auth using NTLM with user 'MyDomain/ntlmtest' > CONNECT example.com:443 HTTP/1.1 > Host: example.com:443 > Proxy-Authorization: NTLM TlRMTVNT...AAAAAA= > User-Agent: curl/7.50.1 > Connection:keep-alive > < HTTP/1.0 407 Proxy Authentication Required < Server: squid/2.7.STABLE5 < Date: Fri, 12 Aug 2016 09:27:51 GMT < Content-Type: text/html < Content-Length: 1330 < X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0 < Proxy-Authenticate: NTLM TlRMTVNTU......gAdQAAAAAA < X-Cache: MISS from intra.my.domain.com < X-Cache-Lookup: NONE from intra.my.domain.com:3128 < Via: 1.0 intra.my.domain.com:3128 (squid/2.7.STABLE5) < Connection: keep-alive < Proxy-Connection: keep-alive < * Ignore 1330 bytes of response-body * TUNNEL_STATE switched to: 0 * Establish HTTP proxy tunnel to example.com:443 * Proxy auth using NTLM with user 'MyDomain/ntlmtest' > CONNECT example.com:443 HTTP/1.1 > Host: example.com:443 > Proxy-Authorization: NTLM TlRMTVNTUAA......ISS1GRUpMMTM= > User-Agent: curl/7.50.1 > Connection:keep-alive > < HTTP/1.1 200 Connection established < * Proxy replied OK to CONNECT request |
Thanks for this, should be back and functional in git master now! |
I did this
In version 7.48.0 changelog: "Proxy-Connection: stop sending this header by default"
Source issue #633
"NTLM authentication cannot be used if an intervening proxy does not support keep-alive connections." (msdn)
Without the 'Proxy-Connection' header,
--proxy-ntlm
fails.Maybe related issue: #876
curl 7.50.1 command:
I expected the following
same command with 7.47.1
command on 7.50.1. with
--proxy-header proxy-connection:keep-alive
extra optionscurl/libcurl version
The text was updated successfully, but these errors were encountered: