Re: Apache Reverse Proxy and NTLM Authentication Help!

Thanks a lot Yann for your input. Currently we are looking into alternative authentication methods.

I am running this alongside modsecurity, and I wanted to post Osama Elnaggar's suggestion here, who was great enough to read my posts both here and modsecurity list to provide a suggestion. Might help others with similar problem.
.................
Deanna,

It's pretty clear from your emails here + on the Apache HTTP user's list that you are trying to get mod_security + Apache reverse proxy up and running to protect some internal web site (probably Sharepoint) that uses NTLM/Integrated Windows Authentication.  Given that, here is what I would suggest:

Try using the prefork configuration as Yann suggested on the Apache HTTP user's mailing list in response to your NTLM question as it looks like your setup won't work with event or worker MPMs.  Also, as this will only serve internal users, the # of concurrent processes you'll have to run using prefork won't be an issue if you are running this in reverse proxy mode (I'm guessing that 500 concurrent processes will probably more than adequately handle your requirements unless you have a ton of internal users concurrently accessing the internal portal)

You can then stress test it / load test it using JMeter (which has support for NTLM / Integrated Windows Authentication) with the expected # of concurrent users you will have to see if it meets your requirements or if you need to add memory, etc. to your reverse proxy.  You may need to use more than one machine running JMeter to get to the desired # of simulated concurrent requests.

As for prefork vs. event or worker, both event and worker are better due to faster context switching and smaller memory structures but I don't think it's an option in your use case due to the NTLM requirement and you shouldn't really have a problem as mentioned above.  Also, as you will be running a reverse proxy, you'll be running with minimal modules on your reverse proxy anyway (make sure you don't have any non-necessary modules), so the additional hit hopefully isn't too great (and you can minimize it by keeping your KeepAlive timeout short).

Finally, to improve performance, make sure that the origin servers (Sharepoint) are sending cache-control headers with long validity periods for static content which isn't expected to change.  You can additionally add a caching tier for static content at the Apache level as well to improve performance if needed (mod_cache, mod_file_cache, etc.).  Both of these will help you handle even more concurrent users.
..................

On Fri, Nov 10, 2017 at 5:42 AM, Yann Ylavic <ylavic.dev@xxxxxxxxx> wrote:
Deanna,

On Fri, Nov 10, 2017 at 3:17 AM, Deanna Stevenson <dstevensone@xxxxxxxxx> wrote:
> Thanks Yann. I am on ubuntu 16.04 and apache 2.4.8, and looks like the MPM
> module I have right now is "event", which seems to be default for modern
> OSs. It seems like in 2.4 I can load different MPM modules at run time, and
> don't have to recompile apache. Do you agree?

Yes, no need to recompile, the loaded MPM is per configuration.
Thus there must be two different Apache httpd instances to run
different MPMs at the same time.

> If yes, can I switch back and
> forth between prefork and event easily,

If you want a single instance, that's the one or the other for *all*
your virtual hosts, but yes you can switch between them with a restart
(probably not a graceful one).

> or do I need to plan for anything

Personally I'd run two separate instances, without touching the existing one.
That implies a separate listening IP address (or a different port)
for the new instance, though.
The prefork instance would be isolated, with its own configuration
file probably standalone and simpler than the whole "/etc/apache2/"
tree for the system's instance (something like a single
"/etc/apache2/apache2-prefork.conf" per ubuntu nomenclature, with its
own "LoadModule mpm_prefork_module
/usr/lib/apache2/modules/mod_mpm_prefork.so").
Yet the same apache2 binary (and common modules' binaries) would be
used to run the two instances, that way they will be as usual with
the system.
The prefork instance would just have to be started separately (by the
system) with a reference to its own configuration file, the way to do
this depends on your or ubuntu's policy though, either systemd or an
init.d starter, your choice.

> (other than MPM prefork using more resources, is it going to corrupt any
> other dependencies?), as this is in production, and am using this in
> conjunction with mod security.

MPM prefork won't run mod_http2 for example, I think mod_security is
fine with prefork (not sure).
This is something very specific to your architecture and applications,
that's why I wouldn't change something working already and just create
a new prefork configuration from scratch (or inspired from the
existing event one) and run it separately.


Regards,
Yann.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
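As an added example (not part of the thread and not the poster's own configuration), this is what the standalone prefork configuration file Yann describes could look like on Ubuntu: it assumes the placeholder hostnames shown, leaves mod_security out, and adds `disablereuse=On` as an extra precaution so that a backend connection that NTLM has authenticated for one client is not reused for a later request served by the same process.

```apache
# /etc/apache2/apache2-prefork.conf  (added example, not from the thread)
ServerRoot "/etc/apache2"

# Separate runtime state so this instance never collides with the
# system's event-MPM instance (PID file, locks).
DefaultRuntimeDir "/var/run/apache2-prefork"
PidFile "/var/run/apache2-prefork/apache2.pid"
Mutex file:/var/lock/apache2-prefork default

# Only MPM loaded here; the system instance keeps mpm_event.
LoadModule mpm_prefork_module /usr/lib/apache2/modules/mod_mpm_prefork.so
LoadModule unixd_module       /usr/lib/apache2/modules/mod_unixd.so
LoadModule authz_core_module  /usr/lib/apache2/modules/mod_authz_core.so
LoadModule log_config_module  /usr/lib/apache2/modules/mod_log_config.so
LoadModule proxy_module       /usr/lib/apache2/modules/mod_proxy.so
LoadModule proxy_http_module  /usr/lib/apache2/modules/mod_proxy_http.so

User  www-data
Group www-data

# Different port (or bind a separate IP) from the system instance.
Listen 8080

ErrorLog  /var/log/apache2/prefork-error.log
LogLevel  warn
LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog /var/log/apache2/prefork-access.log common

# Prefork sizing along the lines discussed in the thread: one process
# per concurrent client connection, capped explicitly.
StartServers       10
MinSpareServers    10
MaxSpareServers    50
ServerLimit        500
MaxRequestWorkers  500

# NTLM needs the client's TCP connection kept open across the
# handshake legs; keep the idle timeout short as suggested.
KeepAlive        On
KeepAliveTimeout 5

<VirtualHost *:8080>
    ServerName portal.example.internal            # placeholder
    ProxyRequests Off
    ProxyPreserveHost On
    # disablereuse=On: close the backend connection after each use so an
    # NTLM-authenticated connection is never handed to another client.
    ProxyPass        "/" "http://sharepoint.example.internal/" disablereuse=On
    ProxyPassReverse "/" "http://sharepoint.example.internal/"
</VirtualHost>
```

Start it with the system binary and this file (`apache2 -f /etc/apache2/apache2-prefork.conf -k start`, or the same command in a dedicated systemd unit), after creating the runtime and lock directories owned by root.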


