[ale] Apache reverse-proxy closing my connection?

Derek Atkins warlord at MIT.EDU
Tue May 17 09:48:10 EDT 2011


Thanks.

I think a more appropriate issue is
https://issues.apache.org/bugzilla/show_bug.cgi?id=39673 which directly
mentions NTLM and mod_proxy...

-derek

"Lightner, Jeff" <JLightner at water.com> writes:

> Not sure that applies but today I saw that RedHat had backported a patch
> into the version of HTTP(S) they use which usually means it was
> something affecting later upstream versions of Apache.
>
> The relevant Apache BZ is at:
> https://issues.apache.org/bugzilla/show_bug.cgi?id=50481
>
> Figured I'd mention it as it apparently deals with a bug in reverse
> proxy.
>
> -----Original Message-----
> From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of
> Derek Atkins
> Sent: Monday, May 16, 2011 9:54 AM
> To: Atlanta Linux Enthusiasts
> Subject: Re: [ale] Apache reverse-proxy closing my connection?
>
> Hey,
>
> Thanks for the attempt.  However I don't need Apache to know anything
> about NTLM.  I just want Apache to let the client and backend server
> talk without closing connections.  I finally did get this working this
> morning with a few changes:
>
> 1) I needed to enable Keep-Alives in the base Apache configuration.
>    Apparently the default configuration had KeepAlive Off.  I turned
>    that to "On" and now the proxy doesn't close every connection.
>
> 2) I needed to *not* use the disablereuse=on ProxyPass attribute.  I
>    thought this attribute would prevent apache from re-using the backend
>    connection between multiple client connections, but apparently it
>    will prevent apache from re-using the backend connection even with a
>    SINGLE client connection (i.e., it was doing a TCP-Close() on the
>    backend connection after every HTTP Response).
>
> 3) I had ProxyPassReverse wrong (but that had nothing to do with my
>    proxy closing my connections).
>
> So the good news is that I got it all working.  Now I get to continue my
> progress on my plugin.
>
> Thanks for the advice.  :)
>
> -derek
>
> JD <jdp at algoloma.com> writes:
>
>> Since nobody has replied with an answer, here's a few leads. Sorry, I
>> don't have any answer.
>>
>> Did the proxy work before you added the NTLM authentication?
>> http://modntlm.sourceforge.net/ seems to imply that a patched module is
>> needed for this to work. It could be out of date.
>>
>> This http://www.brighthub.com/hubfolio/matthew-casperson/articles/76539.aspx
>> is in 2010. It uses http://ntlmaps.sourceforge.net/ software.
>>
>> One of the suggestions due to broken Apache SSL code was "Commenting out
>> the following directives in the Apache configuration will allow Internet
>> Explorer to use keepalives and help insure that NTLM authentication works
>> as expected
>>
>> SetEnvIf User-Agent ".*MSIE.*" \
>> nokeepalive ssl-unclean-shutdown \
>> downgrade-1.0 force-response-1.0
>>
>>
>> I've never used Apache as a reverse proxy, but 'pound' works perfectly
>> and is trivial to configure, even for some complex needs. I've never
>> tried to get it working with NTLM auth, however.  If I were doing it all
>> over again, I'd look at nginx http://nginx.org/, which brings a few
>> extra capabilities.
>>
>>
>> On 05/15/2011 08:48 AM, Derek Atkins wrote:
>>> Hey,
>>> 
>>> I'm trying to setup Apache as a reverse proxy but it looks like Apache
>>> is improperly closing my connection.  From the wireshark output I see
>>> the following transactions which clearly show that the connection
>>> *should* be kept alive, but the proxy is adding a "Connection: close" to
>>> the final response:
>>> 
>>> CLIENT -> PROXY:
>>> 
>>> GET /Pages/Default.aspx HTTP/1.1
>>> Host: 127.0.0.1
>>> User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.12) Gecko/20100907 Fedora/3.5.12-1.fc12 Firefox/3.5.12
>>> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>>> Accept-Language: en-us,en;q=0.5
>>> Accept-Encoding: gzip,deflate
>>> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
>>> Keep-Alive: 300
>>> Connection: keep-alive
>>> Cookie: WSS_KeepSessionAuthenticated=80
>>> Pragma: no-cache, no-cache
>>> Cache-Control: no-cache, no-cache
>>> Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
>>> 
>>> PROXY -> BACKEND SERVER:
>>> 
>>> GET /Pages/Default.aspx HTTP/1.1
>>> Host: 172.16.64.10
>>> User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.12) Gecko/20100907 Fedora/3.5.12-1.fc12 Firefox/3.5.12
>>> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>>> Accept-Language: en-us,en;q=0.5
>>> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
>>> Cookie: WSS_KeepSessionAuthenticated=80
>>> Pragma: no-cache, no-cache
>>> Cache-Control: no-cache, no-cache
>>> Authorization: NTLM <auth data here>
>>> X-Forwarded-For: 127.0.0.1
>>> X-Forwarded-Host: 127.0.0.1
>>> X-Forwarded-Server: pgpdev.ihtfp.org
>>> Connection: Keep-Alive
>>> 
>>> BACKEND SERVER -> PROXY:
>>> 
>>> 
>>> HTTP/1.1 401 Unauthorized
>>> Content-Length: 1539
>>> Content-Type: text/html
>>> Server: Microsoft-IIS/6.0
>>> WWW-Authenticate: NTLM <challenge data here>
>>> X-Powered-By: ASP.NET
>>> MicrosoftSharePointTeamServices: 12.0.0.6421
>>> Date: Fri, 13 May 2011 20:14:24 GMT
>>> 
>>> <data>
>>> 
>>> But finally the PROXY -> CLIENT:
>>> 
>>> HTTP/1.1 401 Unauthorized
>>> Date: Fri, 13 May 2011 20:14:24 GMT
>>> Server: Microsoft-IIS/6.0
>>> Content-Length: 1539
>>> Content-Type: text/html; charset=UTF-8
>>> WWW-Authenticate: NTLM <challenge data here>
>>> X-Powered-By: ASP.NET
>>> MicrosoftSharePointTeamServices: 12.0.0.6421
>>> Connection: close
>>> 
>>> <data>
>>> 
>>> 
>>> Note the "Connection: close" in the Proxy -> client response! However
>>> the response from the backend server to the proxy clearly is a
>>> keep-alive, as it's an HTTP/1.1 and doesn't have a Connection header.
>>> Is there something missing from my Apache configuration?  Is this a bug
>>> in Apache (I'm using version 2.2.15)?  Here's the relevant configuration
>>> (for my testing purposes, I've tried setting many different Proxy
>>> options to try to get it working):
>>> 
>>> ProxyRequests off
>>> ProxyPass / http://172.16.64.10/ timeout=300 disablereuse=on nocanon keepalive=on
>>> ProxyPassReverse http://172.16.64.10/ /
>>> ProxyPassReverseCookieDomain 172.16.64.10 127.0.0.1
>>> ProxyVia off
>>> 
>>> <Location />
>>> ProxyPassReverse /
>>> RequestHeader	 unset	Accept-Encoding
>>> </Location>
>>> 
>>> Any suggestions?
>>> 
>>> Thanks!
>>> 
>>> -derek
>>> 
>>

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord at MIT.EDU                        PGP key available
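
The check done by eye on the capture quoted above (an HTTP/1.1 response with no Connection header is persistent, so the "Connection: close" came from the proxy), written out as an added example that is not part of the thread. The message heads are constructed, abbreviated from that capture, and the function names are hypothetical. NTLM authenticates the connection, so a close right after the 401 challenge discards the handshake.

```python
# Constructed sample: response heads abbreviated from the capture in the thread.
BACKEND_TO_PROXY = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Content-Length: 1539\r\n"
    "WWW-Authenticate: NTLM <challenge data here>\r\n\r\n"
)
PROXY_TO_CLIENT = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Content-Length: 1539\r\n"
    "WWW-Authenticate: NTLM <challenge data here>\r\n"
    "Connection: close\r\n\r\n"
)


def parse_head(raw):
    """Return (http_version, {lower-cased header name: [values]}) for a response head."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    version = lines[0].split()[0].split("/", 1)[1]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return version, headers


def is_persistent(raw):
    """HTTP/1.1 persists unless 'close' is sent; HTTP/1.0 only with 'keep-alive'."""
    version, headers = parse_head(raw)
    tokens = {t.strip().lower() for v in headers.get("connection", []) for t in v.split(",")}
    return "close" not in tokens and (version == "1.1" or "keep-alive" in tokens)


def ntlm_challenge(raw):
    """True if the response carries an NTLM WWW-Authenticate challenge."""
    _, headers = parse_head(raw)
    return any(v.upper().startswith("NTLM") for v in headers.get("www-authenticate", []))


def diagnose(backend_resp, client_resp):
    """Name the hop that ends persistence and whether an NTLM handshake is cut."""
    if is_persistent(client_resp):
        return "ok"
    hop = "proxy" if is_persistent(backend_resp) else "backend"
    return hop + (":ntlm-handshake-broken" if ntlm_challenge(client_resp) else "")


if __name__ == "__main__":
    print(diagnose(BACKEND_TO_PROXY, PROXY_TO_CLIENT))
```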

