[ale] Apache reverse-proxy closing my connection?

Lightner, Jeff JLightner at water.com
Mon May 16 10:16:54 EDT 2011


Not sure that applies but today I saw that RedHat had backported a patch
into the version of HTTP(S) they use which usually means it was
something affecting later upstream versions of Apache.

The relevant Apache BZ is at:
https://issues.apache.org/bugzilla/show_bug.cgi?id=50481

Figured I'd mention it as it apparently deals with a bug in reverse
proxy.

-----Original Message-----
From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of
Derek Atkins
Sent: Monday, May 16, 2011 9:54 AM
To: Atlanta Linux Enthusiasts
Subject: Re: [ale] Apache reverse-proxy closing my connection?

Hey,

Thanks for the attempt.  However I don't need Apache to know anything
about NTLM.  I just want Apache to let the client and backend server
talk without closing connections.  I finally did get this working this
morning with a few changes:

1) I needed to enable Keep-Alives in the base Apache configuration.
   Apparently the default configuration had KeepAlive Off.  I turned
   that to "On" and now the proxy doesn't close every connection.

2) I needed to *not* use the disablereuse=on ProxyPass attribute.  I
   thought this attribute would prevent apache from re-using the backend
   connection between multiple client connections, but apparently it
   will prevent apache from re-using the backend connection even with a
   SINGLE client connection (i.e., it was doing a TCP-Close() on the
   backend connection after every HTTP Response).

3) I had ProxyPassReverse wrong (but that had nothing to do with my
   proxy closing my connections).

So the good news is that I got it all working.  Now I get to continue my
progress on my plugin.

Thanks for the advice.  :)

-derek

JD <jdp at algoloma.com> writes:

> Since nobody has replied with an answer, here's a few leads. Sorry, I
> don't have any answer.
>
> Did the proxy work before you added the NTLM authentication?
> http://modntlm.sourceforge.net/ seems to imply that a patched module is
> needed for this to work. It could be out of date.
>
> This
> http://www.brighthub.com/hubfolio/matthew-casperson/articles/76539.aspx
> is in 2010. It uses http://ntlmaps.sourceforge.net/ software.
>
> One of the suggestions due to broken Apache SSL code was "Commenting out
> the following directives in the Apache configuration will allow Internet
> Explorer to use keepalives and help insure that NTLM authentication works
> as expected
>
> SetEnvIf User-Agent ".*MSIE.*" \
> nokeepalive ssl-unclean-shutdown \
> downgrade-1.0 force-response-1.0
>
>
> I've never used Apache as a reverse proxy, but 'pound' works perfectly
> and is trivial to configure, even for some complex needs. I've never
> tried to get it working with NTLM auth, however.  If I were doing it all
> over again, I'd look at nginx http://nginx.org/, which brings a few
> extra capabilities.
>
>
> On 05/15/2011 08:48 AM, Derek Atkins wrote:
>> Hey,
>> 
>> I'm trying to setup Apache as a reverse proxy but it looks like Apache
>> is improperly closing my connection.  From the wireshark output I see
>> the following transactions which clearly show that the connection
>> *should* be kept alive, but the proxy is adding a "Connection: close" to
>> the final response:
>> 
>> CLIENT -> PROXY:
>> 
>> GET /Pages/Default.aspx HTTP/1.1
>> Host: 127.0.0.1
>> User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.12) Gecko/20100907 Fedora/3.5.12-1.fc12 Firefox/3.5.12
>> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>> Accept-Language: en-us,en;q=0.5
>> Accept-Encoding: gzip,deflate
>> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
>> Keep-Alive: 300
>> Connection: keep-alive
>> Cookie: WSS_KeepSessionAuthenticated=80
>> Pragma: no-cache, no-cache
>> Cache-Control: no-cache, no-cache
>> Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
>> 
>> PROXY -> BACKEND SERVER:
>> 
>> GET /Pages/Default.aspx HTTP/1.1
>> Host: 172.16.64.10
>> User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.12) Gecko/20100907 Fedora/3.5.12-1.fc12 Firefox/3.5.12
>> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>> Accept-Language: en-us,en;q=0.5
>> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
>> Cookie: WSS_KeepSessionAuthenticated=80
>> Pragma: no-cache, no-cache
>> Cache-Control: no-cache, no-cache
>> Authorization: NTLM <auth data here>
>> X-Forwarded-For: 127.0.0.1
>> X-Forwarded-Host: 127.0.0.1
>> X-Forwarded-Server: pgpdev.ihtfp.org
>> Connection: Keep-Alive
>> 
>> BACKEND SERVER -> PROXY:
>> 
>> 
>> HTTP/1.1 401 Unauthorized
>> Content-Length: 1539
>> Content-Type: text/html
>> Server: Microsoft-IIS/6.0
>> WWW-Authenticate: NTLM <challenge data here>
>> X-Powered-By: ASP.NET
>> MicrosoftSharePointTeamServices: 12.0.0.6421
>> Date: Fri, 13 May 2011 20:14:24 GMT
>> 
>> <data>
>> 
>> But finally the PROXY -> CLIENT:
>> 
>> HTTP/1.1 401 Unauthorized
>> Date: Fri, 13 May 2011 20:14:24 GMT
>> Server: Microsoft-IIS/6.0
>> Content-Length: 1539
>> Content-Type: text/html; charset=UTF-8
>> WWW-Authenticate: NTLM <challenge data here>
>> X-Powered-By: ASP.NET
>> MicrosoftSharePointTeamServices: 12.0.0.6421
>> Connection: close
>> 
>> <data>
>> 
>> 
>> Note the "Connection: close" in the Proxy -> client response!  However
>> the response from the backend server to the proxy clearly is a
>> keep-alive, as it's an HTTP/1.1 and doesn't have a Connection header.
>> Is there something missing from my Apache configuration?  Is this a bug
>> in Apache (I'm using version 2.2.15)?  Here's the relevant configuration
>> (for my testing purposes, I've tried setting many different Proxy
>> options to try to get it working):
>> 
>> ProxyRequests off
>> ProxyPass / http://172.16.64.10/ timeout=300 disablereuse=on nocanon keepalive=on
>> ProxyPassReverse http://172.16.64.10/ /
>> ProxyPassReverseCookieDomain 172.16.64.10 127.0.0.1
>> ProxyVia off
>> 
>> <Location />
>> ProxyPassReverse /
>> RequestHeader	 unset	Accept-Encoding
>> </Location>
>> 
>> Any suggestions?
>> 
>> Thanks!
>> 
>> -derek
>> 
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
>

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord at MIT.EDU                        PGP key available
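
Why the "Connection: close" in the capture matters for NTLM, as an added example that is not part of the thread: NTLM authenticates the TCP connection, so the 401 challenge answering a Type 1 message must leave that connection open for the Type 3 reply. The function names are this example's own, and the messages are abbreviated from the capture quoted above.

```python
import base64
import struct

def parse_head(raw):
    """Split an HTTP message head into (start_line, {lowercased name: value})."""
    lines = [ln.strip() for ln in raw.strip().splitlines() if ln.strip()]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def is_persistent(raw):
    """HTTP/1.1 stays open unless 'close' is listed; HTTP/1.0 needs 'keep-alive'."""
    start, headers = parse_head(raw)
    tokens = {t.strip().lower() for t in headers.get("connection", "").split(",")}
    if "close" in tokens:
        return False
    return "HTTP/1.1" in start or "keep-alive" in tokens

def ntlm_type(raw):
    """Return the NTLMSSP message type in Authorization/WWW-Authenticate, or None."""
    _, headers = parse_head(raw)
    value = headers.get("authorization") or headers.get("www-authenticate") or ""
    scheme, _, blob = value.partition(" ")
    try:
        data = base64.b64decode(blob, validate=True)
    except ValueError:  # elided or malformed token
        return None
    ok = scheme.upper() == "NTLM" and data[:8] == b"NTLMSSP\x00" and len(data) >= 12
    return struct.unpack_from("<I", data, 8)[0] if ok else None  # 1, 2 or 3

def handshake_survives(request, response):
    """True if the 401 challenge leaves the connection open for the Type 3 reply."""
    start, headers = parse_head(response)
    is_challenge = (start.split()[1] == "401"
                    and headers.get("www-authenticate", "").upper().startswith("NTLM"))
    if ntlm_type(request) != 1 or not is_challenge:
        raise ValueError("not an NTLM negotiate/challenge exchange")
    return is_persistent(response)

# Abbreviated from the capture in the thread; challenge data is elided there too.
CLIENT_REQ = ("GET /Pages/Default.aspx HTTP/1.1\nHost: 127.0.0.1\nConnection: keep-alive\n"
              "Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=\n")
BACKEND_RESP = ("HTTP/1.1 401 Unauthorized\nContent-Length: 1539\n"
                "WWW-Authenticate: NTLM <challenge data here>\n")
PROXY_RESP = BACKEND_RESP + "Connection: close\n"
for leg, resp in (("backend -> proxy", BACKEND_RESP), ("proxy -> client", PROXY_RESP)):
    print(leg, "leaves NTLM handshake usable:", handshake_survives(CLIENT_REQ, resp))
```
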