[ale] Apache reverse-proxy closing my connection?

JD jdp at algoloma.com
Sun May 15 18:24:21 EDT 2011


Since nobody has replied with an answer, here are a few leads. Sorry, I
don't have any answer.

Did the proxy work before you added the NTLM authentication?
http://modntlm.sourceforge.net/ seems to imply that a patched module is
needed for this to work. It could be out of date.

This
http://www.brighthub.com/hubfolio/matthew-casperson/articles/76539.aspx
is from 2010. It uses http://ntlmaps.sourceforge.net/ software.

One of the suggestions due to broken Apache SSL code was "Commenting out
the following directives in the Apache configuration will allow Internet
Explorer to use keepalives and help ensure that NTLM authentication works
as expected"

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0


I've never used Apache as a reverse proxy, but 'pound' works perfectly
and is trivial to configure, even for some complex needs. I've never
tried to get it working with NTLM auth, however.  If I were doing it all
over again, I'd look at nginx http://nginx.org/, which brings a few
extra capabilities.


On 05/15/2011 08:48 AM, Derek Atkins wrote:
> Hey,
> 
> I'm trying to set up Apache as a reverse proxy but it looks like Apache
> is improperly closing my connection.  From the wireshark output I see
> the following transactions which clearly show that the connection
> *should* be kept alive, but the proxy is adding a "Connection: close" to
> the final response:
> 
> CLIENT -> PROXY:
> 
> GET /Pages/Default.aspx HTTP/1.1
> Host: 127.0.0.1
> User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.12) Gecko/20100907 Fedora/3.5.12-1.fc12 Firefox/3.5.12
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Cookie: WSS_KeepSessionAuthenticated=80
> Pragma: no-cache, no-cache
> Cache-Control: no-cache, no-cache
> Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
> 
> PROXY -> BACKEND SERVER:
> 
> GET /Pages/Default.aspx HTTP/1.1
> Host: 172.16.64.10
> User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.12) Gecko/20100907 Fedora/3.5.12-1.fc12 Firefox/3.5.12
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Cookie: WSS_KeepSessionAuthenticated=80
> Pragma: no-cache, no-cache
> Cache-Control: no-cache, no-cache
> Authorization: NTLM <auth data here>
> X-Forwarded-For: 127.0.0.1
> X-Forwarded-Host: 127.0.0.1
> X-Forwarded-Server: pgpdev.ihtfp.org
> Connection: Keep-Alive
> 
> BACKEND SERVER -> PROXY:
> 
> 
> HTTP/1.1 401 Unauthorized
> Content-Length: 1539
> Content-Type: text/html
> Server: Microsoft-IIS/6.0
> WWW-Authenticate: NTLM <challenge data here>
> X-Powered-By: ASP.NET
> MicrosoftSharePointTeamServices: 12.0.0.6421
> Date: Fri, 13 May 2011 20:14:24 GMT
> 
> <data>
> 
> But finally the PROXY -> CLIENT:
> 
> HTTP/1.1 401 Unauthorized
> Date: Fri, 13 May 2011 20:14:24 GMT
> Server: Microsoft-IIS/6.0
> Content-Length: 1539
> Content-Type: text/html; charset=UTF-8
> WWW-Authenticate: NTLM <challenge data here>
> X-Powered-By: ASP.NET
> MicrosoftSharePointTeamServices: 12.0.0.6421
> Connection: close
> 
> <data>
> 
> 
> Note the "Connection: close" in the Proxy -> client response!  However
> the response from the backend server to the proxy clearly is a
> keep-alive, as it's an HTTP/1.1 and doesn't have a Connection header.
> Is there something missing from my Apache configuration?  Is this a bug
> in Apache (I'm using version 2.2.15)?  Here's the relevant configuration
> (for my testing purposes, I've tried setting many different Proxy
> options to try to get it working):
> 
> ProxyRequests off
> ProxyPass / http://172.16.64.10/ timeout=300 disablereuse=on nocanon keepalive=on
> ProxyPassReverse http://172.16.64.10/ /
> ProxyPassReverseCookieDomain 172.16.64.10 127.0.0.1
> ProxyVia off
> 
> <Location />
> ProxyPassReverse /
> RequestHeader	 unset	Accept-Encoding
> </Location>
> 
> Any suggestions?
> 
> Thanks!
> 
> -derek
> 
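
Added example, not part of either poster's message: a Python check over the message heads in the capture above that reports which hop carries an NTLM negotiate or challenge yet signals that the connection ends. This matters because NTLM authenticates the TCP connection rather than each request. The function names, the abridged heads and the TYPE2 token (a constructed stand-in for the elided challenge data) are assumptions, as is one auth header per message.

```python
import base64
import struct

def parse_head(raw):
    """Return (start line, {lower-cased header name: value}) for one message head."""
    lines = [l.strip() for l in raw.strip().splitlines() if l.strip()]
    return lines[0], {k.strip().lower(): v.strip()
                      for k, _, v in (l.partition(":") for l in lines[1:])}

def is_persistent(start_line, headers):
    """HTTP/1.1 persists unless 'close' is sent; HTTP/1.0 needs 'keep-alive'."""
    tokens = {t.strip().lower() for t in headers.get("connection", "").split(",")}
    if "close" in tokens:
        return False
    return "HTTP/1.1" in start_line or "keep-alive" in tokens

def ntlm_type(headers):
    """NTLM message type (1 negotiate, 2 challenge, 3 authenticate) or None."""
    value = headers.get("authorization") or headers.get("www-authenticate") or ""
    scheme, _, token = value.partition(" ")
    if scheme.upper() != "NTLM":
        return None
    try:
        blob = base64.b64decode(token.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(blob) < 12 or blob[:8] != b"NTLMSSP\x00":
        return None
    return struct.unpack("<I", blob[8:12])[0]

def handshake_breaks(hops):
    """Hops that carry NTLM type 1 or 2 yet tell the peer the connection ends."""
    return [name for name, raw in hops
            if ntlm_type(parse_head(raw)[1]) in (1, 2)
            and not is_persistent(*parse_head(raw))]

# Constructed stand-in for the elided challenge: signature + type 2 + zero padding.
TYPE2 = base64.b64encode(b"NTLMSSP\x00" + struct.pack("<I", 2) + bytes(20)).decode()
# Heads abridged from the capture in the thread; TYPE2 replaces "<challenge data here>".
HOPS = [
    ("CLIENT -> PROXY", "GET /Pages/Default.aspx HTTP/1.1\nConnection: keep-alive\n"
     "Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA="),
    ("BACKEND SERVER -> PROXY", "HTTP/1.1 401 Unauthorized\nContent-Length: 1539\n"
     "WWW-Authenticate: NTLM " + TYPE2),
    ("PROXY -> CLIENT", "HTTP/1.1 401 Unauthorized\nContent-Length: 1539\n"
     "WWW-Authenticate: NTLM " + TYPE2 + "\nConnection: close"),
]

if __name__ == "__main__":
    print(handshake_breaks(HOPS))
```

The same check flags an HTTP/1.0 response without "keep-alive", which is the effect of the downgrade-1.0, force-response-1.0 and nokeepalive settings quoted in the reply.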


