Posted to dev@httpd.apache.org by Graham Leggett <mi...@sharp.fm> on 2002/10/03 07:54:59 UTC

Re: mod_proxy support for exchange 2000

Robin P. Blanchard wrote:

> In effort to build up a reverse proxy for Exchange 2000, I've determined:
> 
> 1) using 1.3.26 or 1.3.28dev (CVS from a few minutes ago)
>    a. IE clients fail IIS's auth challenge
>    b. if those clients are sent first through squid, auth succeeds.
>    c. mozilla, netscape 4x, clients succeed.

From the responses you have given I am not sure exactly what they 
represent.

What I need to see to make head or tail of this is two sets of headers:
The first needs to show the transaction from the browser to the reverse 
proxy. The second needs to show the reverse proxy to the backend server.

What will also be useful is to add a set of traces for mozilla so I can 
see what happens in the working case.

Use a tool like tcpflow on the reverse proxy to get these two traces.

In order to debug this, I need to be able to compare the headers sent 
to/from the browser with the headers sent to/from the backend server to 
see what has changed.

Regards,
Graham
-- 
-----------------------------------------
minfrin@sharp.fm		"There's a moon
					over Bourbon Street
						tonight..."
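
The comparison requested above (browser-to-proxy headers against proxy-to-backend headers), as an added example that is not part of the original message or of the thread's traces. The two sample requests, their host names and the backend-leg headers are constructed for illustration and make no claim about what any Apache version actually sends.

```python
# Added example: diff the request head seen on each leg of a reverse proxy.
# Hop-by-hop names follow the HTTP/1.1 list plus the common Proxy-Connection.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-connection", "te", "trailer",
              "transfer-encoding", "upgrade", "proxy-authorization"}

def parse_head(raw):
    """Split a raw HTTP message head into (start_line, {lowercased name: value})."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [l for l in head.split("\n") if l.strip()]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        key = name.strip().lower()
        # Repeated headers are joined so that no value is silently dropped.
        headers[key] = (headers[key] + ", " if key in headers else "") + value.strip()
    return lines[0], headers

def diff_legs(client_raw, backend_raw):
    """Return what the proxy changed between the client leg and the backend leg."""
    c_line, c = parse_head(client_raw)
    b_line, b = parse_head(backend_raw)
    return {
        "start_line": None if c_line == b_line else (c_line, b_line),
        "removed": sorted(k for k in c if k not in b),
        "added": sorted(k for k in b if k not in c),
        "changed": {k: (c[k], b[k]) for k in sorted(c) if k in b and c[k] != b[k]},
        # Connection-level headers matter most for connection-bound auth.
        "hop_by_hop_touched": sorted(k for k in HOP_BY_HOP if c.get(k) != b.get(k)),
    }

# Constructed sample input (not taken from the posted captures).
CLIENT_LEG = (
    "GET /exchange/ HTTP/1.1\r\n"
    "Host: webmail.example.test\r\n"
    "User-Agent: ExampleBrowser/1.0\r\n"
    "Connection: Keep-Alive\r\n"
    "Authorization: NTLM PLACEHOLDER-TOKEN\r\n\r\n")
BACKEND_LEG = (
    "GET /exchange/ HTTP/1.0\r\n"
    "Host: backend.example.test\r\n"
    "User-Agent: ExampleBrowser/1.0\r\n"
    "Via: 1.1 proxy.example.test\r\n"
    "X-Forwarded-For: 192.0.2.10\r\n"
    "Authorization: NTLM PLACEHOLDER-TOKEN\r\n\r\n")

if __name__ == "__main__":
    for field, value in diff_legs(CLIENT_LEG, BACKEND_LEG).items():
        print(field, "=", value)
```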


Re: mod_proxy support for exchange 2000

Posted by "Robin P. Blanchard" <ro...@georgiacenter.org>.
>>>the files are really large and hard to read;
>>>probably it would really be better using tcpdump -W (output file) on the
>>>server side when the response is coming in. This output file can easily
>>>be read with Ethereal (Menu Tool, "Follow TCP/IP Stream") or any other
>>>tcpdump wrapper.i.t@ithum.de

ok...
ftp://ftp.wuga.org/pub/reverse_proxy.tar.gz
reverse_proxy/tcpflow/1.3.26/ie
reverse_proxy/tcpflow/1.3.24/
reverse_proxy/tcpflow/1.3.24/ie
reverse_proxy/tcpdump/
reverse_proxy/tcpdump/1.3.26/
reverse_proxy/tcpdump/1.3.26/ie
reverse_proxy/tcpdump/2.0.42/
reverse_proxy/tcpdump/2.0.42/ie
reverse_proxy/tcpdump/1.3.24/
reverse_proxy/tcpdump/1.3.24/ie

tcpflows taken with:
# tcpflow -c \( host uga542004.it.gactr.gc.nat or host webmail.gactr.uga.edu \) > ie

tcpdumps taken with:
# tcpdump -w ie \( host uga542004.it.gactr.gc.nat or host webmail.gactr.uga.edu \)

current IE status:
1) 2.0.42: success
2) 1.3.26: auth failure
3) 1.3.24: auth success, inbox contents fail to display


-- 
----------------------------------------
Robin P. Blanchard
Systems Integration Specialist
Georgia Center for Continuing Education
fon: 706.542.2404 <|> fax: 706.542.6546
----------------------------------------


Re: mod_proxy support for exchange 2000

Posted by "i.t" <i....@ithum.de>.
 
> the flows should now show both directions (into reverse proxy and into
> IIS). the flows (for 1.3.26 and 2.0.42) are limited to the initial auth.

I do not see flows from apache;
the files are really large and hard to read;
probably it would really be better using tcpdump -W (output file) on the 
server side when the response is coming in. This output file can easily be 
read with Ethereal (Menu Tool, "Follow TCP/IP Stream") or any other tcpdump 
wrapper.
i.t
-- 
 . ___
 |  |  Irmund     Thum
 |  |   


Re: mod_proxy support for exchange 2000

Posted by "Robin P. Blanchard" <ro...@georgiacenter.org>.
  ftp://ftp.wuga.org/pub/tcpflow.tar.gz

tcpflow/
tcpflow/2.0.42/
tcpflow/2.0.42/ie
tcpflow/1.3.26/
tcpflow/1.3.26/mozilla
tcpflow/1.3.26/ie1
tcpflow/1.3.24/
tcpflow/1.3.24/ie

the flows should now show both directions (into reverse proxy and into 
IIS). the flows (for 1.3.26 and 2.0.42) are limited to the initial auth.


> I can only see flows from the browser to apache, but not from apache to 
> exchange. I need to see both sides of the connection to see what is 
> changed on the way through the proxy.
> 
> Also the flows are very big - can you restrict it to just a single 
> request (or set of requests) that pass and/or fail...?



-- 
----------------------------------------
Robin P. Blanchard
Systems Integration Specialist
Georgia Center for Continuing Education
fon: 706.542.2404 <|> fax: 706.542.6546
----------------------------------------


RE : mod_proxy support for exchange 2000

Posted by Matthieu Estrade <es...@ifrance.com>.
Hi,

I had this problem (proxying Exchange) a few months ago, when Apache 2.0
was just released...

I was unable with Apache 1.3 to proxy my OWA (Outlook Web Access).
When I sniffed the connection, I saw that for the login/pass process, 
Exchange was sending a 401 until it found a valid authentication
method.

In text authentication, Apache 1.3 was able to transmit authentication
to Exchange, from clients on Netscape and IE.

But with the NTLM authentication, it was impossible to do.
Why:

When the proxy transmits the first authentication method, if it's
refused by Exchange, the proxy receives a 401 and closes the connection
between backend and proxy, but leaves the client - proxy connection open.

So when the client sends its second authentication method check, the
proxy is unable to transmit the request to the backend because the
connection is closed after the first try.

The solution we took here is to use Apache 2.0, which does HTTP/1.1 proxying.
So with Apache 2.0, the backend - proxy connection is kept alive and all
the authentication methods can be checked.

It's now working really well and we reverse proxy Exchange.

I hope this will help you

Regards,

Estrade Matthieu

-----Original Message-----
From: Graham Leggett [mailto:minfrin@sharp.fm] 
Sent: Thursday, 3 October 2002 15:56
To: modproxy-dev@apache.org
Cc: dev@httpd.apache.org
Subject: Re: mod_proxy support for exchange 2000

Robin P. Blanchard wrote:

> attached is tcpflow.tar.gz, containing:
> tcpflow/
> tcpflow/2.0.42/
> tcpflow/2.0.42/mozilla
> tcpflow/2.0.42/ie
> tcpflow/1.3.26/
> tcpflow/1.3.26/ie
> tcpflow/1.3.26/mozilla

I can only see flows from the browser to apache, but not from apache to 
exchange. I need to see both sides of the connection to see what is 
changed on the way through the proxy.

Also the flows are very big - can you restrict it to just a single 
request (or set of requests) that pass and/or fail...?

Regards,
Graham
-- 
-----------------------------------------
minfrin@sharp.fm		"There's a moon
					over Bourbon Street
						tonight..."
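
The failure described in the message above, as an added toy model that is not part of the original post: authentication state is held on the backend connection, so a proxy that closes the backend leg after a 401 loses it. The class names and the NEGOTIATE/CHALLENGE/AUTHENTICATE step labels are hypothetical stand-ins for the NTLM tokens; no real NTLM processing is done.

```python
# Added example: connection-bound authentication through a reverse proxy.
import itertools

class BackendConnection:
    """One TCP connection to the backend; the handshake state lives on it."""
    _ids = itertools.count(1)

    def __init__(self):
        self.conn_id = next(self._ids)
        self.challenge_sent = False    # set once the backend issues its challenge
        self.authenticated = False

    def handle(self, authorization):
        if self.authenticated:
            return 200
        if authorization == "NEGOTIATE":
            self.challenge_sent = True
            return 401                 # 401 carrying the challenge for this connection
        if authorization == "AUTHENTICATE" and self.challenge_sent:
            self.authenticated = True
            return 200
        return 401                     # no credentials, or answer to an unknown challenge

class Proxy:
    def __init__(self, keep_backend_alive):
        self.keep_backend_alive = keep_backend_alive
        self.backend = None
        self.backend_conns_used = []   # connection id used for each forwarded request

    def forward(self, authorization=None):
        if self.backend is None:
            self.backend = BackendConnection()
        conn = self.backend
        self.backend_conns_used.append(conn.conn_id)
        status = conn.handle(authorization)
        if status == 401 and not self.keep_backend_alive:
            self.backend = None        # backend leg dropped; client leg stays open
        return status

def client_login(proxy):
    """The client keeps one connection to the proxy and walks the three steps."""
    return [proxy.forward(None),
            proxy.forward("NEGOTIATE"),
            proxy.forward("AUTHENTICATE")]

if __name__ == "__main__":
    for keep in (False, True):
        proxy = Proxy(keep_backend_alive=keep)
        print(keep, client_login(proxy), proxy.backend_conns_used)
```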

Re: mod_proxy support for exchange 2000

Posted by Graham Leggett <mi...@sharp.fm>.
Robin P. Blanchard wrote:

> attached is tcpflow.tar.gz, containing:
> tcpflow/
> tcpflow/2.0.42/
> tcpflow/2.0.42/mozilla
> tcpflow/2.0.42/ie
> tcpflow/1.3.26/
> tcpflow/1.3.26/ie
> tcpflow/1.3.26/mozilla

I can only see flows from the browser to apache, but not from apache to 
exchange. I need to see both sides of the connection to see what is 
changed on the way through the proxy.

Also the flows are very big - can you restrict it to just a single 
request (or set of requests) that pass and/or fail...?

Regards,
Graham
-- 
-----------------------------------------
minfrin@sharp.fm		"There's a moon
					over Bourbon Street
						tonight..."


Re: mod_proxy support for exchange 2000

Posted by Graham Leggett <mi...@sharp.fm>.
Robin P. Blanchard wrote:

> attached is tcpflow.tar.gz, containing:

You forgot the attachment...

Regards,
Graham
-- 
-----------------------------------------
minfrin@sharp.fm		"There's a moon
					over Bourbon Street
						tonight..."


Re: mod_proxy support for exchange 2000

Posted by "Robin P. Blanchard" <ro...@georgiacenter.org>.
>>What I need to see to make head or tail of this is two sets of headers:
>>The first needs to show the transaction from the browser to the reverse
>>proxy. The second needs to show the reverse proxy to the backend server.
>>
>>Use a tool like tcpflow on the reverse proxy to get these two traces.

attached is tcpflow.tar.gz, containing:
tcpflow/
tcpflow/2.0.42/
tcpflow/2.0.42/mozilla
tcpflow/2.0.42/ie
tcpflow/1.3.26/
tcpflow/1.3.26/ie
tcpflow/1.3.26/mozilla

which (hopefully) will demonstrate IE's inability to login using the 
1.3.26 reverse proxy.


-- 
----------------------------------------
Robin P. Blanchard
Systems Integration Specialist
Georgia Center for Continuing Education
fon: 706.542.2404 <|> fax: 706.542.6546
----------------------------------------