[ale] Apache reverse-proxy closing my connection?

Derek Atkins warlord at MIT.EDU
Mon May 16 09:54:16 EDT 2011


Hey,

Thanks for the attempt.  However I don't need Apache to know anything
about NTLM.  I just want Apache to let the client and backend server
talk without closing connections.  I finally did get this working this
morning with a few changes:

1) I needed to enable Keep-Alives in the base Apache configuration.
   Apparently the default configuration had KeepAlive Off.  I turned
   that to "On" and now the proxy doesn't close every connection.

2) I needed to *not* use the disablereuse=on ProxyPass attribute.  I
   thought this attribute would prevent Apache from re-using the backend
   connection between multiple client connections, but apparently it
   will prevent Apache from re-using the backend connection even with a
   SINGLE client connection (i.e., it was doing a TCP-Close() on the
   backend connection after every HTTP Response).

3) I had ProxyPassReverse wrong (but that had nothing to do with my
   proxy closing my connections).

So the good news is that I got it all working.  Now I get to continue my
progress on my plugin.

Thanks for the advice.  :)

-derek

JD <jdp at algoloma.com> writes:

> Since nobody has replied with an answer, here's a few leads. Sorry, I
> don't have any answer.
>
> Did the proxy work before you added the NTLM authentication?
> http://modntlm.sourceforge.net/ seems to imply that a patched module is
> needed for this to work. It could be out of date.
>
> This
> http://www.brighthub.com/hubfolio/matthew-casperson/articles/76539.aspx
> is in 2010. It uses http://ntlmaps.sourceforge.net/ software.
>
> One of the suggestions due to broken Apache SSL code was "Commenting out
> the following directives in the Apache configuration will allow Internet
> Explorer to use keepalives and help insure that NTLM authentication works
> as expected
>
> SetEnvIf User-Agent ".*MSIE.*" \
> nokeepalive ssl-unclean-shutdown \
> downgrade-1.0 force-response-1.0
>
>
> I've never used Apache as a reverse proxy, but 'pound' works perfectly
> and is trivial to configure, even for some complex needs. I've never
> tried to get it working with NTLM auth, however.  If I were doing it all
> over again, I'd look at nginx http://nginx.org/, which brings a few
> extra capabilities.
>
>
> On 05/15/2011 08:48 AM, Derek Atkins wrote:
>> Hey,
>> 
>> I'm trying to set up Apache as a reverse proxy but it looks like Apache
>> is improperly closing my connection.  From the wireshark output I see
>> the following transactions which clearly show that the connection
>> *should* be kept alive, but the proxy is adding a "Connection: close" to
>> the final response:
>> 
>> CLIENT -> PROXY:
>> 
>> GET /Pages/Default.aspx HTTP/1.1
>> Host: 127.0.0.1
>> User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.12) Gecko/20100907 Fedora/3.5.12-1.fc12 Firefox/3.5.12
>> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>> Accept-Language: en-us,en;q=0.5
>> Accept-Encoding: gzip,deflate
>> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
>> Keep-Alive: 300
>> Connection: keep-alive
>> Cookie: WSS_KeepSessionAuthenticated=80
>> Pragma: no-cache, no-cache
>> Cache-Control: no-cache, no-cache
>> Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
>> 
>> PROXY -> BACKEND SERVER:
>> 
>> GET /Pages/Default.aspx HTTP/1.1
>> Host: 172.16.64.10
>> User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.12) Gecko/20100907 Fedora/3.5.12-1.fc12 Firefox/3.5.12
>> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>> Accept-Language: en-us,en;q=0.5
>> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
>> Cookie: WSS_KeepSessionAuthenticated=80
>> Pragma: no-cache, no-cache
>> Cache-Control: no-cache, no-cache
>> Authorization: NTLM <auth data here>
>> X-Forwarded-For: 127.0.0.1
>> X-Forwarded-Host: 127.0.0.1
>> X-Forwarded-Server: pgpdev.ihtfp.org
>> Connection: Keep-Alive
>> 
>> BACKEND SERVER -> PROXY:
>> 
>> 
>> HTTP/1.1 401 Unauthorized
>> Content-Length: 1539
>> Content-Type: text/html
>> Server: Microsoft-IIS/6.0
>> WWW-Authenticate: NTLM <challenge data here>
>> X-Powered-By: ASP.NET
>> MicrosoftSharePointTeamServices: 12.0.0.6421
>> Date: Fri, 13 May 2011 20:14:24 GMT
>> 
>> <data>
>> 
>> But finally the PROXY -> CLIENT:
>> 
>> HTTP/1.1 401 Unauthorized
>> Date: Fri, 13 May 2011 20:14:24 GMT
>> Server: Microsoft-IIS/6.0
>> Content-Length: 1539
>> Content-Type: text/html; charset=UTF-8
>> WWW-Authenticate: NTLM <challenge data here>
>> X-Powered-By: ASP.NET
>> MicrosoftSharePointTeamServices: 12.0.0.6421
>> Connection: close
>> 
>> <data>
>> 
>> 
>> Note the "Connection: close" in the Proxy -> client response!  However
>> the response from the backend server to the proxy clearly is a
>> keep-alive, as it's an HTTP/1.1 and doesn't have a Connection header.
>> Is there something missing from my Apache configuration?  Is this a bug
>> in Apache (I'm using version 2.2.15)?  Here's the relevant configuration
>> (for my testing purposes, I've tried setting many different Proxy
>> options to try to get it working):
>> 
>> ProxyRequests off
>> ProxyPass / http://172.16.64.10/ timeout=300 disablereuse=on nocanon keepalive=on
>> ProxyPassReverse http://172.16.64.10/ /
>> ProxyPassReverseCookieDomain 172.16.64.10 127.0.0.1
>> ProxyVia off
>> 
>> <Location />
>> ProxyPassReverse /
>> RequestHeader	 unset	Accept-Encoding
>> </Location>
>> 
>> Any suggestions?
>> 
>> Thanks!
>> 
>> -derek
>> 

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord at MIT.EDU                        PGP key available
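
Added example (not part of the original post): a small Python check that applies the persistence rule from the quoted message (an HTTP/1.1 message keeps the connection open unless it carries "Connection: close") to each hop and reports where an NTLM exchange would lose its connection. The HOPS sample is abridged from the capture quoted above; the function names are illustrative.

```python
# Sample messages abridged from the capture quoted in the post (placeholders kept as-is).
HOPS = [
    ("client->proxy", "GET /Pages/Default.aspx HTTP/1.1\nHost: 127.0.0.1\n"
                      "Connection: keep-alive\nAuthorization: NTLM <auth data here>\n"),
    ("proxy->backend", "GET /Pages/Default.aspx HTTP/1.1\nHost: 172.16.64.10\n"
                       "Authorization: NTLM <auth data here>\nConnection: Keep-Alive\n"),
    ("backend->proxy", "HTTP/1.1 401 Unauthorized\nContent-Length: 1539\n"
                       "WWW-Authenticate: NTLM <challenge data here>\n"),
    ("proxy->client", "HTTP/1.1 401 Unauthorized\nContent-Length: 1539\n"
                      "WWW-Authenticate: NTLM <challenge data here>\nConnection: close\n"),
]

def parse_head(raw):
    """Split a message head into (start_line, {lowercased header name: value})."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        if not line.strip():          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # last value wins
    return lines[0], headers

def is_persistent(raw):
    """HTTP/1.1: persistent unless 'close'; HTTP/1.0: only with 'keep-alive'."""
    start, headers = parse_head(raw)
    tokens = {t.strip().lower() for t in headers.get("connection", "").split(",")}
    # A response starts with the version, a request ends with it.
    version = start.split()[0] if start.startswith("HTTP/") else start.split()[-1]
    if version == "HTTP/1.1":
        return "close" not in tokens
    return "keep-alive" in tokens

def ntlm_broken_at(hops):
    """Name of the first hop that carries NTLM data but will close the connection."""
    for name, raw in hops:
        _, headers = parse_head(raw)
        carries_ntlm = any(headers.get(h, "").upper().startswith("NTLM")
                           for h in ("authorization", "www-authenticate"))
        if carries_ntlm and not is_persistent(raw):
            return name
    return None

if __name__ == "__main__":
    for name, raw in HOPS:
        print(f"{name:15} persistent={is_persistent(raw)}")
    print("NTLM handshake broken at:", ntlm_broken_at(HOPS))
```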

