Re: Apache Reverse Proxy and NTLM Authentication Help!

Thanks Yann. I am on Ubuntu 16.04 and Apache 2.4.8, and it looks like the MPM module I have right now is "event", which seems to be the default for modern OSs. It seems like in 2.4 I can load different MPM modules at run time, and don't have to recompile Apache. Do you agree? If yes, can I switch back and forth between prefork and event easily, or do I need to plan for anything (other than MPM prefork using more resources, is it going to corrupt any other dependencies?), as this is in production, and I am using this in conjunction with mod security.

Deanna

On Thu, Nov 9, 2017 at 3:07 PM, Yann Ylavic <ylavic.dev@xxxxxxxxx> wrote:
Hi Deanna,

On Thu, Nov 9, 2017 at 6:24 PM, Deanna Stevenson <dstevensone@xxxxxxxxx> wrote:
>
> After researching it turned out to be related with maintaining persistent
> connections.

For NTLM to work through a reverse proxy, client connections need to
be associated with backend ones (1:1), that is the proxy must (re)use
the same backend connection for the requests arriving on the same
client connection (NTLM authenticates connections, not requests...).

> So, I added "KeepAlive On" to the virtual hosts config file,
> but this doesn't seem to have helped.
>
> I see many posts talking about these issues, but nothing recent. Could
> anybody please help/advise?

The only way (I'm aware of) to let NTLM pass through Apache httpd is
to use MPM prefork, to indeed set "KeepAlive on" (globally), and
finally to add "SetEnv proxy-initial-not-pooled" in the reverse proxy
VirtualHost (if any, otherwise globally).

There were patches proposed to make it work with other MPMs, but they
are not up to date (while the above should work with vanilla httpd).


Regards,
Yann.
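
Added example, not part of the original thread: a small Python check that a configuration carries the three settings Yann lists (prefork MPM, global "KeepAlive On", and proxy-initial-not-pooled for the proxying VirtualHost). The sample configuration, module path and backend host name are constructed placeholders, the function name is hypothetical, and the check assumes the effective configuration has been concatenated into one text.

```python
import re

# Constructed sample config; the module path and backend host are placeholders.
SAMPLE_GOOD = """\
LoadModule mpm_prefork_module /usr/lib/apache2/modules/mod_mpm_prefork.so
KeepAlive On
<VirtualHost *:80>
    ProxyPass / http://backend.example.internal/
    ProxyPassReverse / http://backend.example.internal/
    SetEnv proxy-initial-not-pooled 1
</VirtualHost>
"""

def check_ntlm_proxy_config(text):
    """Hypothetical helper: list which of the three settings are missing."""
    mpm, keepalive, global_flag = None, None, False
    vhost, vhosts = None, []   # vhost is the <VirtualHost> being read, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        low = line.lower()     # directive names are case-insensitive
        m = re.match(r"loadmodule\s+mpm_(\w+)_module\b", low)
        if m:
            mpm = m.group(1)
        elif low.startswith("<virtualhost"):
            vhost = {"name": line, "proxy": False, "flag": False}
        elif low.startswith("</virtualhost") and vhost is not None:
            vhosts.append(vhost)
            vhost = None
        elif vhost is None and re.match(r"keepalive\s+\S", low):
            keepalive = low.split()[1]
        elif vhost is not None and re.match(r"proxypass\s", low):
            vhost["proxy"] = True
        elif re.match(r"(?i:setenv)\s+proxy-initial-not-pooled(\s|$)", line):
            if vhost is None:
                global_flag = True
            else:
                vhost["flag"] = True
    findings = []
    if mpm != "prefork":
        findings.append(f"MPM is {mpm or 'not found'}, expected prefork")
    if keepalive != "on":
        findings.append("KeepAlive On is not set globally")
    for v in vhosts:
        if v["proxy"] and not (v["flag"] or global_flag):
            findings.append(f"{v['name']}: proxy-initial-not-pooled is not set")
    return findings
```

Calling check_ntlm_proxy_config(SAMPLE_GOOD) returns an empty list; each missing setting adds one finding.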
