Posted to dev@httpd.apache.org by Devi Krishna <de...@gmail.com> on 2007/02/23 22:25:40 UTC

Regarding NTLM for mod_proxy

Dear Apache Gurus

I am trying to get mod_proxy_http to work in pass through mode for NTLM
authentication. I see that in apache proxy we don't keep the backend
connection persistent. This causes NTLM to fail because on receiving type2
message from client, the proxy forwards this to the Origin Server using a
new connection. This causes the NTLM authentication to fail.

Could you advise as to how to approach this issue. I see that we create
the "backend" variable each time proxy_http_handler.

Additionally I took a look at using ProxyPass directive using which as per
the document we can set keepalive. But it seems that helps map a
particular request uri path to the outgoing proxy. In my case the mod_proxy
should just proxy all requests to the actual Origin Server.
I am not sure how we can give that. Any inputs you could provide would be of
great help!

Thanks & Regards
Devi

Re: Regarding NTLM for mod_proxy

Posted by Devi Krishna <de...@gmail.com>.
Hi William

Thanks for the quick response. I guess you meant "Apache cannot route
requests from multiple clients to same proxy....".

Would this mean that providing this support in apache proxy would not be
trivial work? Or is it just the fact that this is not safe and hence this
support is not provided?

In our scenario we need this kind of support, so was planning to fix this.

Kindly advise on how much do you think would be the work load. I am just
getting familiar with the mod_proxy code.

Thanks & Regards
Devi

On 2/23/07, William A. Rowe, Jr. <wr...@rowe-clan.net> wrote:
>
> Devi Krishna wrote:
> >
> > I am trying to get mod_proxy_http to work in pass through mode for NTLM
> > authentication. I see that in apache proxy we don't keep the backend
> > connection persistent. This causes NTLM to fail because on receiving
> > type2 message from client, the proxy forwards this to the Origin Server
> > using a new connection. This causes the NTLM authentication to fail
>
> Turn off keepalives.  Because Apache can now route requests from multiple
> clients to the same proxy connection, the combination is lethal.
>
> NTLM/SSPI is connection-oriented, in violation of HTTP, rendering it
> either unproxy-able or at least unsafe to retain/share connections.
>

Re: Regarding NTLM for mod_proxy

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Devi Krishna wrote:
> 
> I am trying to get mod_proxy_http to work in pass through mode for NTLM
> authentication. I see that in apache proxy we don't keep the backend
> connection persistent. This causes NTLM to fail because on receiving
> type2 message from client, the proxy forwards this to the Origin Server
> using a new connection. This causes the NTLM authentication to fail

Turn off keepalives.  Because Apache can now route requests from multiple
clients to the same proxy connection, the combination is lethal.

NTLM/SSPI is connection-oriented, in violation of HTTP, rendering it
either unproxy-able or at least unsafe to retain/share connections.
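
Added example (not part of the thread, and not Apache code): a toy Python model of the two backend-connection behaviours discussed above, showing why a fresh backend connection per request breaks the NTLM handshake and why a backend connection shared between clients hands one client's authenticated session to another. The class names, the `policy` values and the simplified `type1`/`type3` header strings are assumptions made for illustration.

```python
# Toy model (constructed for illustration): an origin server that binds
# authentication to the TCP connection, as NTLM does, behind a proxy.

class OriginConnection:
    """One backend TCP connection; auth state lives on the connection itself."""

    def __init__(self):
        self.challenged = False   # a type2 challenge was issued on this connection
        self.user = None          # set once the handshake on this connection completes

    def handle(self, auth_header=None):
        if auth_header == "type1":
            self.challenged = True
            return 401, "type2-challenge"
        if auth_header and auth_header.startswith("type3:") and self.challenged:
            self.user = auth_header.split(":", 1)[1]
            return 200, f"hello {self.user}"
        if self.user:             # connection already authenticated: no header needed
            return 200, f"hello {self.user}"
        return 401, "NTLM"        # unauthenticated connection: start over


class Proxy:
    """Hypothetical proxy with two backend policies: 'fresh' or 'shared'."""

    def __init__(self, policy):
        self.policy = policy
        self.pooled = OriginConnection()   # reused for every client when 'shared'

    def forward(self, client_id, auth_header=None):
        # client_id is deliberately ignored: neither policy ties a backend
        # connection to the client that authenticated on it.
        conn = self.pooled if self.policy == "shared" else OriginConnection()
        return conn.handle(auth_header)


def run(policy):
    proxy = Proxy(policy)
    proxy.forward("alice", "type1")               # alice starts the handshake
    alice = proxy.forward("alice", "type3:alice")  # alice answers the challenge
    bob = proxy.forward("bob")                     # bob sends no credentials at all
    return alice, bob


if __name__ == "__main__":
    for policy in ("fresh", "shared"):
        print(policy, run(policy))
```

With `fresh`, the type3 message lands on a connection that never issued a challenge, so the handshake never completes; with `shared`, the request from `bob` is answered as `alice`.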