Posted to dev@httpd.apache.org by Dmitry Butskoy <bu...@odusz.so-cdu.ru> on 2006/08/03 16:39:37 UTC

mod_proxy and "Proxy-Connection: keep-alive" under HTTP/1.0

Hi,

I use the "mod_auth_ntlm_winbind" module, which provides support for NTLM 
and Negotiate authentication through Samba's "ntlm_auth" utility. 
(The same way Squid does NTLM now).

All works fine -- both for normal and proxy auth, except one little 
issue with the proxy auth.

The NTLM/Negotiate auth requires some "handshaking" -- i.e., several 
repeats of the initial http command with various auth data exchange. 
All such commands must be in the same TCP session, as it is not 
stateless (unlike the Basic auth).

When a browser uses HTTP/1.1 for proxy, it provides "the same tcp 
session", and all is OK. (Mozilla/Firefox use HTTP/1.1 as default, IE 
can be switched to use 1.1 too.)

Unfortunately, Internet Explorer since version 6 uses "HTTP/1.0" for 
secure web connections (https). I.e., instead of "CONNECT some_host:443 
HTTP/1.1" it uses:
"CONNECT some_host:443 HTTP/1.0" .
As there is no accompanying "Connection: keep-alive" header, Apache 
interprets this as nokeepalive, and closes the TCP session immediately 
after the first CONNECT. Therefore the auth handshaking is broken...
As a result, people using IE cannot use the proxy to connect to any "https" 
site.

I've found that most browsers (Mozilla, IE) also send a "Proxy-Connection: 
keep-alive" header. IE6 sends it too when it uses "CONNECTION ... 
HTTP/1.0". This header is similar to the ordinary "Connection: keep-alive" 
header, which alters the behaviour of (normally connection-close) HTTP/1.0.

It seems to me that it is an Apache issue. Apache currently ignores 
"Proxy-Connection" entirely, but IMHO should handle it properly. (Some 
needed code seems to be added to 
modules/http/http_protocol.c:ap_set_keepalive() function).

Note that any "negotiate-like auth" module is affected now (perhaps 
"mod_auth_krb5" too), not only mod_auth_ntlm_winbind.


The code for mod_auth_ntlm_auth can be found there:
ftp://ftp.samba.org/pub/unpacked/lorikeet/mod_ntlm_winbind  or 
svn://svnanon.samba.org/lorikeet/trunk/mod_ntlm_winbind
There is a pending/reviewed package to be included into Fedora Extras:
http://dmitry.butskoy.name/mod_auth_ntlm_winbind/mod_auth_ntlm_winbind-20060510-2.src.rpm
 
IMHO the mod_auth_ntlm_winbind module allows Apache to be used in environments 
where Windows authentication (NT or AD w2k) is strongly required. 
That way, instead of switching to IIS, some users might continue to use 
Apache...

I hope it is some kind of an "easy fix" issue.

Any comments?


Regards,
Dmitry Butskoy,
       Fedora Extras/Livna contributor,
       Red Hat Certified Engineer 809003662809495
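
A simplified model of the keep-alive decision described in this message, as an added example (it is not Apache's code and not part of the original post). The function names and the `honor_proxy_connection` switch are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive lookup of `tok` in a comma-separated header value.
 * A NULL value means the header was not sent. Returns 1 if found. */
int has_token(const char *value, const char *tok)
{
    size_t tlen = strlen(tok);
    if (value == NULL)
        return 0;
    while (*value) {
        while (*value == ',' || isspace((unsigned char)*value))
            value++;                       /* skip separators */
        const char *start = value;
        while (*value && *value != ',' && !isspace((unsigned char)*value))
            value++;                       /* consume one token */
        size_t i = 0, len = (size_t)(value - start);
        while (len == tlen && i < len &&
               tolower((unsigned char)start[i]) == tolower((unsigned char)tok[i]))
            i++;
        if (len == tlen && i == len)
            return 1;
    }
    return 0;
}

/* Returns 1 if the client connection stays open after the response. */
int keeps_alive(int is_connect, int http_minor, const char *connection,
                const char *proxy_connection, int honor_proxy_connection)
{
    if (has_token(connection, "close"))
        return 0;
    if (http_minor >= 1)                   /* HTTP/1.1: persistent by default */
        return 1;
    if (has_token(connection, "keep-alive"))
        return 1;                          /* HTTP/1.0 explicit opt-in */
    /* Fallback discussed in the thread, limited to CONNECT under HTTP/1.0
     * when no Connection header was sent at all. */
    if (honor_proxy_connection && is_connect && connection == NULL &&
        has_token(proxy_connection, "keep-alive"))
        return 1;
    return 0;                              /* HTTP/1.0 default: close */
}

int main(void)
{
    /* Constructed input: the IE6 request shape described in the post. */
    printf("ignored: %d\n", keeps_alive(1, 0, NULL, "keep-alive", 0));
    printf("honored: %d\n", keeps_alive(1, 0, NULL, "keep-alive", 1));
    return 0;
}
```

With the fallback off, the connection carrying the first CONNECT is closed and a multi-step NTLM/Negotiate handshake cannot complete; with it on, only the CONNECT under HTTP/1.0 case changes.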





Re: mod_proxy and "Proxy-Connection: keep-alive" under HTTP/1.0

Posted by Dmitry Butskoy <bu...@odusz.so-cdu.ru>.
Brian Rectanus wrote:

> On 8/3/06, Dmitry Butskoy <bu...@odusz.so-cdu.ru> wrote:
>
>> I've found that most browsers (Mozilla, IE) also send a "Proxy-Connection:
>> keep-alive" header. IE6 sends it too when it uses "CONNECTION ...
>> HTTP/1.0". This header is similar to the ordinary "Connection: keep-alive"
>> header, which alters the behaviour of (normally connection-close) 
>> HTTP/1.0.
>>
>> It seems to me that it is an Apache issue. Apache currently ignores
>> "Proxy-Connection" entirely, but IMHO should handle it properly. (Some
>> needed code seems to be added to
>> modules/http/http_protocol.c:ap_set_keepalive() function).
>>
>> I hope it is some kind of an "easy fix" issue.
>
>
> Dmitry,
>
> Have you tried something like this (untested, but you
> get the idea)?
>
> SetEnvIf ^Proxy-Connection$ (.*) CONN_HEADER=$1
> RequestHeader unset Connection
> RequestHeader add Connection "%{CONN_HEADER}e"
>
> -B
>
>
Well,
I've already written a patch for mod_auth_ntlm_winbind (included in my 
.src.rpm above), which does a similar thing:

+    if (r->method_number == M_CONNECT &&
+       r->proto_num == HTTP_VERSION(1,0) &&
+       !apr_table_get(r->headers_in, "Connection") &&
+       ap_find_token(r->pool,
+                   apr_table_get(r->headers_in, "Proxy-Connection"),
+                   "keep-alive") != 0
+    ) {
+       apr_table_mergen(r->headers_in, "Connection", "keep-alive");
+    }
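
Review bot: the second argument to ap_find_token() is the raw result of apr_table_get(r->headers_in, "Proxy-Connection"), which is NULL when the client sends no such header; confirm that ap_find_token() accepts a NULL line, or fetch the header into a local variable and test it first. Since the preceding condition has already established that "Connection" is absent, apr_table_setn() would state the intent more directly than apr_table_mergen(). A short comment saying that this synthesizes a request header the client never sent, and only for CONNECT under HTTP/1.0, would help later readers.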

After this patch all works OK.
(IMHO it is a little bit incorrect, but IE6 eats this silently.)

Regards,
Dmitry Butskoy



Re: mod_proxy and "Proxy-Connection: keep-alive" under HTTP/1.0

Posted by Brian Rectanus <br...@gmail.com>.
On 8/3/06, Dmitry Butskoy <bu...@odusz.so-cdu.ru> wrote:
> I've found that most browsers (Mozilla, IE) also send a "Proxy-Connection:
> keep-alive" header. IE6 sends it too when it uses "CONNECTION ...
> HTTP/1.0". This header is similar to the ordinary "Connection: keep-alive"
> header, which alters the behaviour of (normally connection-close) HTTP/1.0.
>
> It seems to me that it is an Apache issue. Apache currently ignores
> "Proxy-Connection" entirely, but IMHO should handle it properly. (Some
> needed code seems to be added to
> modules/http/http_protocol.c:ap_set_keepalive() function).
>
> I hope it is some kind of an "easy fix" issue.

Dmitry,

Have you tried something like this (untested, but you
get the idea)?

SetEnvIf ^Proxy-Connection$ (.*) CONN_HEADER=$1
RequestHeader unset Connection
RequestHeader add Connection "%{CONN_HEADER}e"

-B