Re: Persistent proxied connections with Apache 2.4.x?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

I must be doing a lot of "praying", because so far I am not able to cause a problem, at least trying to run 3 different clients.  I don't think that I can actually get the NTLM authentications to occur simultaneously, but I'm pretty sure the sessions are simulataneous, at least part of the time, but even then, the pages seem for all 3 browsers seem to be appearing correctly :(...

Jim


--------------------------------------------
On Mon, 10/26/15, o haya <ohaya@xxxxxxxxx.INVALID> wrote:

 Subject: Re:  Persistent proxied connections with Apache 2.4.x?
 To: "users@xxxxxxxxxxxxxxxx" <users@xxxxxxxxxxxxxxxx>
 Cc: "O. Haya" <ohaya@xxxxxxxxx>
 Date: Monday, October 26, 2015, 8:57 PM
 
 Hi Yann,
 
 Thank you for responding (with
 lots of info!).  
 
 First of
 all, I have to apologize for top-posting.  I am using Yahoo
 mail, and it doesn't seem to allow quoted responses,
 which makes things kind of difficult (i.e., very difficult
 to intersperse comments since they don't mark the quoted
 email).
 
 
 First of all, as a kind of an aside remark
 (sorry for the "pun" :)), from my testing, it
 appears that if I have "ProxySet keepalive=On"
 inside a <Proxy>....</Proxy>, then the requests
 to the backend all have "Connection: Keep-Alive"
 in the requests headers going to the backend server (a
 SharePoint server).  Conversely if "ProxySet
 keepalive=Off" is inside the
 <Proxy>...</Proxy>, the HTTP requests to the
 backend have HTTP request header "Connection:
 closed".  In other words, the "ProxySet
 keepalive=On/Off" appears to be able to control whether
 a "Connection: keep-alive" vs. "Connection:
 closed" gets sent in a HTP request header to the
 backend.
 
 I am NOT trying to
 dispute what you said about the "ProxySet" being
 only about "TCP keepalive", but just letting you
 know what I was seeing during testing and also maybe I'm
 misunderstanding what you meant when you were saying
 "TCP keepalive" vs. "HTTP keepalive"?
 
 
 Next:  I
 think I kind of understood about the
 proxy-initial-not-pooled setting ==> a new connection
 from the client always connected to the backend via a new
 Apache-to-backend connection, but I didn't realize that
 NTLM meant that all the requests SUBSEQUENT to the NTLM
 authentication had to ALSO go to the backend via the SAME
 connection.  
 
 Is my
 interpretation of what you said correct?
 
 
 I have only been testing one
 client test at-a-time so far, so probably that was why my
 testing so far with proxy-initial-not-pooled and NTLM
 worked, i.e., if there had been multiple clients all
 authenticating and going to the same SharePoint server, and
 if I'm understanding what you were saying about the
 requests going over the same connection that was used for
 the NTLM authentication, my testing would probably have
 failed.  
 
 Is that
 correct?
 
 
 Now, I am really glad I asked about this (and
 that Eric referred me to your "aside connection"
 discussion).  I will have to raise this with my colleagues,
 as it appears that the "proxy-initial-not-pooled"
 setting will not work for any kind of production type
 situation?
 
 Thanks!
 
 Jim
 
 
 
 
 
 
 -----
 Original Message -----
 From: Yann Ylavic
 <ylavic.dev@xxxxxxxxx>
 To: users@xxxxxxxxxxxxxxxx;
 o haya <ohaya@xxxxxxxxx>
 Cc: 
 Sent: Monday, October 26,
 2015 6:48 PM
 Subject: Re:  Persistent
 proxied connections with Apache 2.4.x?
 
 Hi Jim,
 
 sorry
 for the late, I'm not much online these days.
 
 On Sun, Oct 25, 2015 at 9:54
 PM, o haya <ohaya@xxxxxxxxx.invalid>
 wrote:
 >
 > - With
 respect to proxying NTLM authentication, does the
 "aside connections"
 >
 functionality that was mentioned earlier accomplish the same
 thing as using
 > the "Proxy
 keepalive=On and SetEnv proxy-initial-not-pooled"?
 
 Shortly, no.
 
 "ProxySet
 keepalive=On" is about TCP keepalive (system probes
 to
 prevent long living TCP connections from
 being dropped by gateways,
 i.e. the
 socket's SO_KEEPALIVE option), and has nothing to do
 with
 HTTP keepalive (multiple HTTP requests
 sent on the same connection).
 Actually, HTTP
 keepalive is the default for mod_proxy_http, provided
 the backend is "declared" with either
 a ProxyPass line or a <Proxy>
 block
 (as opposed to eg. a RewriteRule [P]), so you don't need
 to
 configure anything special to get it
 (whereas on the contrary
 "ProxySet
 disablereuse=on" can be used to disable HTTP keeplive
 on the
 backend side).
 
 "SetEnv proxy-initial-not-pooled" is
 unfortunately not fully helpful for NTLM.
 It
 allows to always create a new connection to the backend for
 any new
 connection from the client, or said
 differently, it prevents an
 established
 backend connection (kept alive) from being reused in this
 case (see [*] below for the real goal of
 proxy-initial-not-pooled).
 But this gives no
 garanty on subsequent requests on the same
 connection, or worse, subsequent requests on
 another connection...
 Those may reuse any
 established connection in the pool, or a new
 connection, depending on the first one
 available at the time of each
 incoming
 request.
 In other words, mod_proxy_http
 handles a pool of connections for each
 "declared" backend
 independently/regardless of client-side connections
 or requests (basically it's a n client
 connections multiplexor over m
 backend
 connections), because the HTTP protocol *is* stateless.
 And that breaks NTLM because this protocol
 really authenticates
 connections, not
 requests, assuming there is one single user per
 connection (sigh)...
 
 >
 > - If not, what are
 the differences?
 
 So for a
 proxy to "work" with NTLM, it must associate a
 single client
 connection with a single one
 on the/each backend side, and pray for
 any
 gateway before it to do the same (yes, proxying NTLM may
 be
 hazardous, one single multiplexor on the
 route and things get messed
 up)!
 That's what the "aside
 connections" patch does, it can create
 connections aside from the backend pool (based
 on the "proxy-aside-c"
 environment
 variable, settable with SetEnv[If] or a RewriteRule, eg.
 when "RewriteCond %{HTTP:Authorization}
 ^NTLM"), and maintain them by
 client
 connection so that all the requests on this connection
 (setting
 the env var) will be routed to
 their associated backend connection.
 
 However I don't recall all the details of
 the patch proposed in 2014,
 I think I have a
 simpler/more-to-the-point one now (the previous one
 was meant to be generic enough to be accepted
 in httpd, which did not
 happen), so let me
 have a look when back home and attach it here.
 
 Regards,
 Yann.
 
 
 [*] The goal of proxy-initial-not-pooled is to
 help recover from a
 race-condition error
 where the proxy sends its request to the backend
 while the latter is in the process of closing
 the connection
 (keepalive timeout or
 whatever). This results in an error (502) being
 returned to the client, but while the client
 "expects" this error on
 kept alive
 connections (because of the same possible race condition
 on
 its side) and can then resend the same
 request, it will not do this
 for newly
 established connections, and hence
 proxy-initial-not-pooled
 prevents this error
 from being fatal for the "user experience" by
 avoiding the race on the backend side when the
 user-agent does not
 expect it.
 
 
 ---------------------------------------------------------------------
 To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
 For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
 
 ---------------------------------------------------------------------
 To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
 For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
 
 

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx





[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux