Posted to users@httpd.apache.org by Deanna Stevenson <ds...@gmail.com> on 2017/11/09 17:24:55 UTC

[users@httpd] Apache Reverse Proxy and NTLM Authentication Help!

Hello,

I am using Apache 2.4.8 on an Ubuntu 16.04 LTS. I am using Apache as a
reverse proxy.  I have a website that is using NTLM authentication.

The traffic seems to be proxied right as I get the authentication popup
window, but the window keeps popping up even after supplying correct
credentials.

After researching, it turned out to be related to maintaining persistent
connections. So, I added "KeepAlive On" to the virtual hosts config file,
but this doesn't seem to have helped.

I see many posts talking about these issues, but nothing recent. Could
anybody please help/advise?

Appreciate your help!

Deanna

Re: [users@httpd] Apache Reverse Proxy and NTLM Authentication Help!

Posted by Deanna Stevenson <ds...@gmail.com>.
Yes, it's the backend server that is doing the authentication. I see 401
errors - Unauthorized: Access is denied due to invalid credentials.

Here are reference posts with similar problems, to give you some
understanding of my problem. The last one has a lot of details, and
explains "Tying authentication to a connection", I think.

https://sourceforge.net/p/mod-security/mailman/message/10663229/
https://serverfault.com/questions/167046/apache-reverse-proxy-server-and-ssl-ntlm-sharepoint
https://lists.gt.net/apache/users/451692

On Thu, Nov 9, 2017 at 11:04 AM, Nick Kew <ni...@apache.org> wrote:

> On Thu, 2017-11-09 at 10:24 -0700, Deanna Stevenson wrote:
>
>
> > The traffic seems to be proxied right as I get the authentication
> > popup window, but the window keeps popping up even after supplying
> > correct credentials.
>
> That's the backend that's authenticating, right?  What does its
> log say?  Do you need proxy-chain-auth?
>
> > After researching it turned out to be related with maintaining
> > persistent connections. So, I added "KeepAlive On" to the virtual
> > hosts config file, but this doesn't seem to have helped.
>
> That doesn't look right.  Tying authentication to a connection
> would be a complete violation of HTTP, and prevent it working
> in pretty-much any situation with a general-purpose browser.
>
> --
> Nick Kew
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>

Re: [users@httpd] Apache Reverse Proxy and NTLM Authentication Help!

Posted by Nick Kew <ni...@apache.org>.
On Thu, 2017-11-09 at 10:24 -0700, Deanna Stevenson wrote:


> The traffic seems to be proxied right as I get the authentication
> popup window, but the window keeps popping up even after supplying
> correct credentials.

That's the backend that's authenticating, right?  What does its
log say?  Do you need proxy-chain-auth?

> After researching it turned out to be related with maintaining
> persistent connections. So, I added "KeepAlive On" to the virtual
> hosts config file, but this doesn't seem to have helped. 

That doesn't look right.  Tying authentication to a connection
would be a complete violation of HTTP, and prevent it working
in pretty-much any situation with a general-purpose browser.

-- 
Nick Kew


Re: [users@httpd] Apache Reverse Proxy and NTLM Authentication Help!

Posted by Deanna Stevenson <ds...@gmail.com>.
Thanks a lot, Yann, for your input. Currently we are looking into alternative
authentication methods.

I am running this alongside modsecurity, and I wanted to post Osama
Elnaggar's suggestion here; he was great enough to read my posts both here
and on the modsecurity list to provide a suggestion. It might help others
with a similar problem.
.................
Deanna,

It's pretty clear from your emails here + on the Apache HTTP user's list
that you are trying to get mod_security + Apache reverse proxy up and
running to protect some internal web site (probably Sharepoint) that uses
NTLM/Integrated Windows Authentication.  Given that, here is what I would
suggest:

Try using the prefork configuration as Yann suggested on the Apache HTTP
user's mailing list in response to your NTLM question as it looks like your
setup won't work with event or worker MPMs.  Also, as this will only serve
internal users, the # of concurrent processes you'll have to run using
prefork won't be an issue if you are running this in reverse proxy mode
(I'm guessing that 500 concurrent processes will probably more than
adequately handle your requirements unless you have a ton of internal users
concurrently accessing the internal portal).

You can then stress test it / load test it using JMeter (which has support
for NTLM / Integrated Windows Authentication) with the expected # of
concurrent users you will have to see if it meets your requirements or if
you need to add memory, etc. to your reverse proxy.  You may need to use
more than one machine running JMeter to get to the desired # of simulated
concurrent requests.

As for prefork vs. event or worker, both event and worker are better due to
faster context switching and smaller memory structures but I don't think
it's an option in your use case due to the NTLM requirement and you
shouldn't really have a problem as mentioned above.  Also, as you will be
running a reverse proxy, you'll be running with minimal modules on your
reverse proxy anyway (make sure you don't have any non-necessary modules),
so the additional hit hopefully isn't too great (and you can minimize it by
keeping your KeepAlive timeout short).

Finally, to improve performance, make sure that the origin servers
(Sharepoint) are sending cache-control headers with long validity periods
for static content which isn't expected to change.  You can additionally add
a caching tier for static content at the Apache level as well to improve
performance if needed (mod_cache, mod_file_cache, etc.).  Both of these
will help you handle even more concurrent users.
..................

On Fri, Nov 10, 2017 at 5:42 AM, Yann Ylavic <yl...@gmail.com> wrote:

> Deanna,
>
> On Fri, Nov 10, 2017 at 3:17 AM, Deanna Stevenson <ds...@gmail.com>
> wrote:
> > Thanks Yann. I am on ubuntu 16.04 and apache 2.4.8, and looks like the
> MPM
> > module I have right now is "event", which seems to be default for modern
> > OSs. It seems like in 2.4 I can load different MPM modules at run time,
> and
> > don't have to recompile apache. Do you agree?
>
> Yes, no need to recompile, the loaded MPM is per configuration.
> Thus there must be two different Apache httpd instances to run
> different MPMs at the same time.
>
> > If yes, can I switch back and
> > forth between prefork and event easily,
>
> If you want a single instance, that's the one or the other for *all*
> your virtual hosts, but yes you can switch between them with a restart
> (probably not a graceful one).
>
> > or do I need to plan for anything
>
> Personally I'd run two separate instances, without touching the existing
> one.
> That implies a separate listening IP address (or a different port)
> for the new instance, though.
> The prefork instance would be isolated, with its own configuration
> file probably standalone and simpler than the whole "/etc/apache2/"
> tree for the system's instance (something like a single
> "/etc/apache2/apache2-prefork.conf" per ubuntu nomenclature, with its
> own "LoadModule mpm_prefork_module
> /usr/lib/apache2/modules/mod_mpm_prefork.so").
> Yet the same apache2 binary (and common modules' binaries) would be
> used to run the two instances, that way they will be as usual with
> the system.
> The prefork instance would just have to be started separately (by the
> system) with a reference to its own configuration file, the way to do
> this depends on your or ubuntu's policy though, either systemd or an
> init.d starter, your choice.
>
> > (other than MPM prefork using more resources, is it going to corrupt any
> > other dependencies?), as this is in production, and am using this in
> > conjunction with mod security.
>
> MPM prefork won't run mod_http2 for example, I think mod_security is
> fine with prefork (not sure).
> This is something very specific to your architecture and applications,
> that's why I wouldn't change something working already and just create
> a new prefork configuration from scratch (or inspired from the
> existing event one) and run it separately.
>
>
> Regards,
> Yann.
>

Re: [users@httpd] Apache Reverse Proxy and NTLM Authentication Help!

Posted by Yann Ylavic <yl...@gmail.com>.
Deanna,

On Fri, Nov 10, 2017 at 3:17 AM, Deanna Stevenson <ds...@gmail.com> wrote:
> Thanks Yann. I am on ubuntu 16.04 and apache 2.4.8, and looks like the MPM
> module I have right now is "event", which seems to be default for modern
> OSs. It seems like in 2.4 I can load different MPM modules at run time, and
> don't have to recompile apache. Do you agree?

Yes, no need to recompile, the loaded MPM is per configuration.
Thus there must be two different Apache httpd instances to run
different MPMs at the same time.

> If yes, can I switch back and
> forth between prefork and event easily,

If you want a single instance, that's the one or the other for *all*
your virtual hosts, but yes you can switch between them with a restart
(probably not a graceful one).

> or do I need to plan for anything

Personally I'd run two separate instances, without touching the existing one.
That implies a separate listening IP address (or a different port)
for the new instance, though.
The prefork instance would be isolated, with its own configuration
file probably standalone and simpler than the whole "/etc/apache2/"
tree for the system's instance (something like a single
"/etc/apache2/apache2-prefork.conf" per ubuntu nomenclature, with its
own "LoadModule mpm_prefork_module
/usr/lib/apache2/modules/mod_mpm_prefork.so").
Yet the same apache2 binary (and common modules' binaries) would be
used to run the two instances, that way they will be as usual with
the system.
The prefork instance would just have to be started separately (by the
system) with a reference to its own configuration file, the way to do
this depends on your or ubuntu's policy though, either systemd or an
init.d starter, your choice.

> (other than MPM prefork using more resources, is it going to corrupt any
> other dependencies?), as this is in production, and am using this in
> conjunction with mod security.

MPM prefork won't run mod_http2 for example, I think mod_security is
fine with prefork (not sure).
This is something very specific to your architecture and applications,
that's why I wouldn't change something working already and just create
a new prefork configuration from scratch (or inspired from the
existing event one) and run it separately.


Regards,
Yann.



Re: [users@httpd] Apache Reverse Proxy and NTLM Authentication Help!

Posted by Deanna Stevenson <ds...@gmail.com>.
Thanks Yann. I am on ubuntu 16.04 and apache 2.4.8, and looks like the MPM
module I have right now is "event", which seems to be default for modern
OSs. It seems like in 2.4 I can load different MPM modules at run time, and
don't have to recompile apache. Do you agree? If yes, can I switch back and
forth between prefork and event easily, or do I need to plan for anything
(other than MPM prefork using more resources, is it going to corrupt any
other dependencies?), as this is in production, and am using this in
conjunction with mod security.

Deanna

On Thu, Nov 9, 2017 at 3:07 PM, Yann Ylavic <yl...@gmail.com> wrote:

> Hi Deanna,
>
> On Thu, Nov 9, 2017 at 6:24 PM, Deanna Stevenson <ds...@gmail.com>
> wrote:
> >
> > After researching it turned out to be related with maintaining persistent
> > connections.
>
> For NTLM to work through a reverse proxy, client connections need to
> be associated with backend ones (1:1), that is the proxy must (re)use
> the same backend connection for the requests arriving on the same
> client connection (NTLM authenticates connections, not requests...).
>
> > So, I added "KeepAlive On" to the virtual hosts config file,
> > but this doesn't seem to have helped.
> >
> > I see many posts talking about these issues, but nothing recent. Could
> > anybody please help/advise?
>
> The only way (I'm aware of) to let NTLM pass through Apache httpd is
> to use MPM prefork, to indeed set "KeepAlive on" (globally), and
> finally to add "SetEnv proxy-initial-not-pooled" in the reverse proxy
> VirtualHost (if any, otherwise globally).
>
> There were patches proposed to make it work with other MPMs, but they
> are not up to date (while the above should work with vanilla httpd).
>
>
> Regards,
> Yann.
>

Re: [users@httpd] Apache Reverse Proxy and NTLM Authentication Help!

Posted by Yann Ylavic <yl...@gmail.com>.
Hi Deanna,

On Thu, Nov 9, 2017 at 6:24 PM, Deanna Stevenson <ds...@gmail.com> wrote:
>
> After researching it turned out to be related with maintaining persistent
> connections.

For NTLM to work through a reverse proxy, client connections need to
be associated with backend ones (1:1), that is the proxy must (re)use
the same backend connection for the requests arriving on the same
client connection (NTLM authenticates connections, not requests...).

> So, I added "KeepAlive On" to the virtual hosts config file,
> but this doesn't seem to have helped.
>
> I see many posts talking about these issues, but nothing recent. Could
> anybody please help/advise?

The only way (I'm aware of) to let NTLM pass through Apache httpd is
to use MPM prefork, to indeed set "KeepAlive on" (globally), and
finally to add "SetEnv proxy-initial-not-pooled" in the reverse proxy
VirtualHost (if any, otherwise globally).

There were patches proposed to make it work with other MPMs, but they
are not up to date (while the above should work with vanilla httpd).


Regards,
Yann.

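Putting Yann's two recommendations together, the three settings for passing NTLM from this reply (MPM prefork, a global "KeepAlive On", and "SetEnv proxy-initial-not-pooled" in the proxy VirtualHost) and the isolated prefork instance with its own configuration file from his later reply, a standalone configuration for that second instance could look like the following. This is an added example, not configuration posted by anyone in the thread. The file path follows Yann's suggested "/etc/apache2/apache2-prefork.conf" and the module path his LoadModule line; the listening port, hostnames, log and pid file names and the process limits are assumptions, and the MaxRequestWorkers figure only echoes Osama's ballpark of 500 processes. Apache does not allow a comment after a directive on the same line, so every comment below is on its own line.

```apache
# /etc/apache2/apache2-prefork.conf  (added example; not from the thread)
# Standalone configuration for a second, isolated httpd instance running the
# prefork MPM, started separately from the system instance with something like
#     apache2 -f /etc/apache2/apache2-prefork.conf -k start
# (wrapped in a systemd unit or init.d script as Yann notes). It shares the
# system's apache2 binary and module files but must not share the system
# instance's listener or pid file.

ServerRoot "/etc/apache2"
# Assumption: a pid file distinct from the system instance's.
PidFile "/var/run/apache2/apache2-prefork.pid"

# Only the modules a plain reverse proxy needs (Osama: no non-necessary modules).
LoadModule mpm_prefork_module /usr/lib/apache2/modules/mod_mpm_prefork.so
LoadModule unixd_module       /usr/lib/apache2/modules/mod_unixd.so
LoadModule authz_core_module  /usr/lib/apache2/modules/mod_authz_core.so
LoadModule log_config_module  /usr/lib/apache2/modules/mod_log_config.so
LoadModule env_module         /usr/lib/apache2/modules/mod_env.so
LoadModule proxy_module       /usr/lib/apache2/modules/mod_proxy.so
LoadModule proxy_http_module  /usr/lib/apache2/modules/mod_proxy_http.so

User  www-data
Group www-data

# A different port than the system instance, as Yann notes (assumption: 8080).
Listen 8080

# prefork runs one process per client connection, so the process count is the
# concurrency ceiling. 500 echoes Osama's ballpark; size it from a JMeter run.
# ServerLimit must be raised alongside MaxRequestWorkers once above 256.
<IfModule mpm_prefork_module>
    StartServers             5
    MinSpareServers          5
    MaxSpareServers         20
    ServerLimit            500
    MaxRequestWorkers      500
    MaxConnectionsPerChild   0
</IfModule>

# Yann: KeepAlive must be on globally. NTLM authenticates the client
# connection, so every request of a session has to arrive on that connection.
KeepAlive On
# Osama: keep the timeout short to limit idle prefork processes.
KeepAliveTimeout 5

ErrorLog  "/var/log/apache2/prefork-error.log"
LogLevel  warn
LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog "/var/log/apache2/prefork-access.log" common

<VirtualHost *:8080>
    # Assumption: the name clients use for the portal.
    ServerName portal.example.internal

    # Yann's third setting: the initial request on a client connection does
    # not take a backend connection from the shared pool, so the client
    # connection and its backend connection stay paired 1:1 for NTLM.
    SetEnv proxy-initial-not-pooled

    # Reverse proxy only; never act as a forward proxy.
    ProxyRequests Off
    # Assumption: the internal NTLM-authenticating site being protected.
    ProxyPass        "/" "http://sharepoint.example.internal/"
    ProxyPassReverse "/" "http://sharepoint.example.internal/"
</VirtualHost>
```

Because prefork pins one process to each client connection and the proxied backend connection follows it, a single Apache instance with this MPM has to serve all of its virtual hosts that way; that is why Yann suggests leaving the existing event-MPM instance untouched and running this file as a second instance on its own port.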