Re: [users@httpd] Apache reverse proxy and RPC and possible NTLM

Do you have to turn SSLEngine off and set SSLProxyEngine on?
 
I will do the same thing as you. I did not start yet.
 
Client on the Internet-->SSL(https)-->Apache Reverse Proxy Server-->SSL and non-SSL web sites on the Internet.
 
Please help each other.
 
Frank Peng.
 
 
-----Original Message-----
From: Pieter Vanmeerbeek <pieter.vanmeerbeek@xxxxxxx>
To: users@xxxxxxxxxxxxxxxx
Sent: Tue, 27 Jun 2006 17:33:00 +0200
Subject: [users@httpd] Apache reverse proxy and RPC and possible NTLM

Hi,

I'm new to this list so I searched the archives first but didn't find the
solution. I'm trying to set up an OWA 2003 with an Apache (2.0.53) reverse
proxy (apparently many people on this list are doing so). This is my setup
(please note that HTTP is used in the LAN).

Client on the Internet<--HTTPS-->Apache reverse proxy<---HTTP-->OWA on LAN

With my current configuration browser-based OWA and ActiveSync work;
however, RPC-HTTPS doesn't, i.e. it takes a very long time (5 to 15 minutes)
to sync. Ultimately a sync is made, however this isn't usable in production.

So it seems for some reason time-outs happen.

I activated both basic and Windows authentication and SSL offloading on the
IIS (allow basic authentication without HTTPS by adding a registry key). In my
Outlook profile basic authentication is set. Part of the Apache config is
shown below.

I tried two other setups to check my IIS config: 

   * Using port forwarding instead of a reverse proxy: setup works within
seconds
   * Force HTTP RPC while client is in network of IIS using Windows
authentication: this also works fine
   * Force HTTPS RPC while client is in network of IIS using basic
authentication: this also works fine (Outlook forces you to use HTTPS when
using basic authentication)

So it seems the IIS is set up correctly (only the SSL offloading isn't
tested).


Dumping traffic while using the reverse proxy and basic authentication shows
RPC errors (a digit/alpha character set), however none of them are listed or
mentioned anywhere.

Surfing to https://public/rpc/rpcproxy.dll also gives an error, but
certificates are accepted fine (added as trusted).


I'm more or less out of options on this issue. Does anyone have an idea why this
won't work?

And is it correct that NTLM (Windows) authentication needs a keepalive
connection to function properly? As I noticed in my dumps, the keepalives are
not sent while using the reverse proxy (although it is configured in the
config, see below).

Perhaps a bigger question: what is needed to let NTLM work through an
Apache reverse proxy?



Please find below a part of the Apache config.

Kind regards,
Pieter

......
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
LoadModule proxy_module       modules/mod_proxy.so
LoadModule proxy_http_module  modules/mod_proxy_http.so
LoadModule proxy_ftp_module   modules/mod_proxy_ftp.so
LoadModule ssl_module         modules/mod_ssl.so
UseCanonicalName Off
HostnameLookups Off
ServerTokens Prod
ServerSignature Off
ProxyVia Off
# The following directive disables redirects on non-GET requests for
# a directory that does not include the trailing slash.  This fixes a
# problem with Microsoft WebFolders which does not appropriately handle
# redirects for folders with DAV methods.
# Same deal with Apple's DAV filesystem and Gnome VFS support for DAV.
#
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
BrowserMatch "^gnome-vfs" redirect-carefully

.....
<VirtualHost 195.0.83.244:443>
        SSLEngine on
        SSLCertificateFile /ub/conf/data/Appfw/owa2cert.pem
        SSLCertificateKeyFile /ub/conf/data/Appfw/owa2key.pem
        RequestHeader set Front-End-Https "On"
        ProxyRequests Off
        ProxyPreserveHost On
        RewriteEngine On
        ......
        # enable Reverse re-writing
        ProxyPass / http://w2003sbs.domaion.be:80/
        ProxyPassReverse /azerty http://w2003sbs.domain.be:800/azerty
        .....  
</VirtualHost>



--
---------------------------------------------------
Able: 1996-2006: already 10 safe years in YOUR company!

aXs GUARD has completed security and anti-virus checks on this e-mail 
(http://www.axsguard.com)
---------------------------------------------------
Able NV: ond.nr 0457.938.087
RPR Mechelen

