Apache Reverse Proxy and NTLM Authentication Help!

Deanna Stevenson
Hello,

I am using Apache 2.4.8 on Ubuntu 16.04 LTS. I am using Apache as a reverse proxy. I have a website that is using NTLM authentication.

The traffic seems to be proxied right as I get the authentication popup window, but the window keeps popping up even after supplying correct credentials.

After researching, it turned out to be related to maintaining persistent connections. So, I added "KeepAlive On" to the virtual host's config file, but this doesn't seem to have helped.

I see many posts talking about these issues, but nothing recent. Could anybody please help/advise?

Appreciate your help!

Deanna


Re: Apache Reverse Proxy and NTLM Authentication Help!

Nick Kew-3
On Thu, 2017-11-09 at 10:24 -0700, Deanna Stevenson wrote:


> The traffic seems to be proxied right as I get the authentication
> popup window, but the window keeps popping up even after supplying
> correct credentials.

That's the backend that's authenticating, right?  What does its
log say?  Do you need proxy-chain-auth?

> After researching it turned out to be related with maintaining
> persistent connections. So, I added "KeepAlive On" to the virtual
> hosts config file, but this doesn't seem to have helped.

That doesn't look right.  Tying authentication to a connection
would be a complete violation of HTTP, and prevent it working
in pretty-much any situation with a general-purpose browser.

--
Nick Kew



---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Re: Apache Reverse Proxy and NTLM Authentication Help!

Deanna Stevenson
Yes, it's the backend server that is doing the authentication. I see 401 errors - Unauthorized: Access is denied due to invalid credentials.

Here are reference posts with similar problems, to give you some understanding of my problem. The last one has a lot of details, and explains "Tying authentication to a connection", I think.

https://sourceforge.net/p/mod-security/mailman/message/10663229/
https://serverfault.com/questions/167046/apache-reverse-proxy-server-and-ssl-ntlm-sharepoint
https://lists.gt.net/apache/users/451692

Re: Apache Reverse Proxy and NTLM Authentication Help!

Yann Ylavic
In reply to this post by Deanna Stevenson
Hi Deanna,

On Thu, Nov 9, 2017 at 6:24 PM, Deanna Stevenson <[hidden email]> wrote:
>
> After researching it turned out to be related with maintaining persistent
> connections.

For NTLM to work through a reverse proxy, client connections need to
be associated with backend ones (1:1), that is, the proxy must (re)use
the same backend connection for the requests arriving on the same
client connection (NTLM authenticates connections, not requests...).

> So, I added "KeepAlive On" to the virtual hosts config file,
> but this doesn't seem to have helped.
>
> I see many posts talking about these issues, but nothing recent. Could
> anybody please help/advise?

The only way (I'm aware of) to let NTLM pass through Apache httpd is
to use MPM prefork, to indeed set "KeepAlive on" (globally), and
finally to add "SetEnv proxy-initial-not-pooled" in the reverse proxy
VirtualHost (if any, otherwise globally).

There were patches proposed to make it work with other MPMs, but they
are not up to date (while the above should work with vanilla httpd).


Regards,
Yann.


Re: Apache Reverse Proxy and NTLM Authentication Help!

Deanna Stevenson
Thanks Yann. I am on Ubuntu 16.04 and Apache 2.4.8, and it looks like the MPM module I have right now is "event", which seems to be the default for modern OSs. It seems like in 2.4 I can load different MPM modules at run time, and don't have to recompile Apache. Do you agree? If yes, can I switch back and forth between prefork and event easily, or do I need to plan for anything (other than MPM prefork using more resources, is it going to corrupt any other dependencies?), as this is in production, and I am using this in conjunction with mod_security.

Deanna


Re: Apache Reverse Proxy and NTLM Authentication Help!

Yann Ylavic
Deanna,

On Fri, Nov 10, 2017 at 3:17 AM, Deanna Stevenson <[hidden email]> wrote:
> Thanks Yann. I am on ubuntu 16.04 and apache 2.4.8, and looks like the MPM
> module I have right now is "event", which seems to be default for modern
> OSs. It seems like in 2.4 I can load different MPM modules at run time, and
> don't have to recompile apache. Do you agree?

Yes, no need to recompile, the loaded MPM is per configuration.
Thus there must be two different Apache httpd instances to run
different MPMs at the same time.

> If yes, can I switch back and
> forth between prefork and event easily,

If you want a single instance, that's the one or the other for *all*
your virtual hosts, but yes you can switch between them with a restart
(probably not a graceful one).

> or do I need to plan for anything

Personally I'd run two separate instances, without touching the existing one.
That implies a separate listening IP address (or a different port)
for the new instance, though.
The prefork instance would be isolated, with its own configuration
file probably standalone and simpler than the whole "/etc/apache2/"
tree for the system's instance (something like a single
"/etc/apache2/apache2-prefork.conf" per ubuntu nomenclature, with its
own "LoadModule mpm_prefork_module
/usr/lib/apache2/modules/mod_mpm_prefork.so").
Yet the same apache2 binary (and common modules' binaries) would be
used to run the two instances, that way they will be as usual with
the system.
The prefork instance would just have to be started separately (by the
system) with a reference to its own configuration file; the way to do
this depends on your or Ubuntu's policy though, either systemd or an
init.d starter, your choice.

> (other than MPM prefork using more resources, is it going to corrupt any
> other dependencies?), as this is in production, and am using this in
> conjunction with mod security.

MPM prefork won't run mod_http2 for example, I think mod_security is
fine with prefork (not sure).
This is something very specific to your architecture and applications,
that's why I wouldn't change something working already and just create
a new prefork configuration from scratch (or inspired from the
existing event one) and run it separately.


Regards,
Yann.

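As an added example (not from the thread, and not the httpd project's own sample), this is what a standalone configuration for the separate prefork instance Yann describes could look like, combining his three settings from the earlier reply (prefork MPM, global "KeepAlive On", "SetEnv proxy-initial-not-pooled" in the proxy VirtualHost) with his separate-port, separate-config layout; the port, hostnames and log/pid paths are assumptions.

```apache
# Assumed path, following Yann's naming: /etc/apache2/apache2-prefork.conf
# Standalone config for a second, prefork-only httpd instance that reverse
# proxies an NTLM-authenticated backend. Port, hostnames and log/pid paths
# below are placeholders chosen for this example, not values from the thread.
ServerRoot "/etc/apache2"
PidFile "/var/run/apache2/apache2-prefork.pid"   # must not collide with the event instance
ErrorLog "/var/log/apache2/prefork-error.log"
LogLevel warn

# The MPM is selected purely by which mpm_* module is loaded.
LoadModule mpm_prefork_module /usr/lib/apache2/modules/mod_mpm_prefork.so
LoadModule unixd_module       /usr/lib/apache2/modules/mod_unixd.so
LoadModule authz_core_module  /usr/lib/apache2/modules/mod_authz_core.so
LoadModule env_module         /usr/lib/apache2/modules/mod_env.so
LoadModule proxy_module       /usr/lib/apache2/modules/mod_proxy.so
LoadModule proxy_http_module  /usr/lib/apache2/modules/mod_proxy_http.so

User www-data
Group www-data

# A different port from the system's event instance so both can run at once.
Listen 8080

# NTLM authenticates the connection, so the client side must stay open across
# the challenge/response round trips; KeepAlive is set globally, not per vhost.
KeepAlive On
KeepAliveTimeout 5
MaxKeepAliveRequests 100

<VirtualHost *:8080>
    ServerName proxy.example.internal   # placeholder name

    # Do not hand the first request on a new client connection to a pooled
    # backend connection; this keeps the client<->backend mapping 1:1.
    SetEnv proxy-initial-not-pooled

    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        "/" "http://sharepoint.internal/"   # placeholder backend
    ProxyPassReverse "/" "http://sharepoint.internal/"
</VirtualHost>
```

Check the file with `apache2 -f /etc/apache2/apache2-prefork.conf -t` before starting the instance with `apache2 -f /etc/apache2/apache2-prefork.conf -k start`; the `-M` flag on the same command line lists the loaded modules so you can confirm mpm_prefork_module is the one in use.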

Re: Apache Reverse Proxy and NTLM Authentication Help!

Deanna Stevenson
Thanks a lot Yann for your input. Currently we are looking into alternative authentication methods.

I am running this alongside mod_security, and I wanted to post Osama Elnaggar's suggestion here, who was great enough to read my posts both here and on the mod_security list to provide a suggestion. It might help others with a similar problem.
.................
Deanna,

It's pretty clear from your emails here + on the Apache HTTP user's list that you are trying to get mod_security + Apache reverse proxy up and running to protect some internal web site (probably Sharepoint) that uses NTLM/Integrated Windows Authentication.  Given that, here is what I would suggest:

Try using the prefork configuration as Yann suggested on the Apache HTTP user's mailing list in response to your NTLM question, as it looks like your setup won't work with event or worker MPMs.  Also, as this will only serve internal users, the # of concurrent processes you'll have to run using prefork won't be an issue if you are running this in reverse proxy mode (I'm guessing that 500 concurrent processes will probably more than adequately handle your requirements unless you have a ton of internal users concurrently accessing the internal portal).

You can then stress test it / load test it using JMeter (which has support for NTLM / Integrated Windows Authentication) with the expected # of concurrent users you will have to see if it meets your requirements or if you need to add memory, etc. to your reverse proxy.  You may need to use more than one machine running JMeter to get to the desired # of simulated concurrent requests.

As for prefork vs. event or worker, both event and worker are better due to faster context switching and smaller memory structures but I don't think it's an option in your use case due to the NTLM requirement and you shouldn't really have a problem as mentioned above.  Also, as you will be running a reverse proxy, you'll be running with minimal modules on your reverse proxy anyway (make sure you don't have any non-necessary modules), so the additional hit hopefully isn't too great (and you can minimize it by keeping your KeepAlive timeout short).

Finally, to improve performance, make sure that the origin servers (Sharepoint) are sending cache-control headers with long validity periods for static content which isn't expected to change.  You can additionally add a caching tier for static content at the Apache level as well to improve performance if needed (mod_cache, mod_file_cache, etc.).  Both of these will help you handle even more concurrent users.
..................
