On 2005.02.08, John Sequeira <[EMAIL PROTECTED]> wrote: > >When you say "integrated security" are you talking about the NTLM auth > >scheme for HTTP? As long as mod_proxy properly handles HTTP Keep-Alive, > >and recent Apache mod_proxy does, NTLM auth should work just fine. > > > .... > We're talking about different things. In Unix, you can use > Apache/mod_proxy + AOLServer to combine url spaces and use AOLServer > much like an app server. Agreed
Actually, we're talking about the exact same thing. > In Windows, you can use an Apache reverse proxy to combine AOLServer > and IIS URL spaces, but only IIS will be able to do the NTLM > handshaking required to get a network ID. AOLServer would sit behind > Apache and get the proxied Apache request without any single sign-on > info at all. Are you sure about this? Do you have network sniffs showing what's actually happening between the browser and the server(s)? If Apache's mod_proxy is smart and its Keep-Alive is smart, then fronting IIS and AOLserver with Apache+mod_proxy should "just work" with respect to NTLM auth. As long as the server keeps the TCP connection alive to the client, the browser doesn't know what server is processing its request on the back-end, so it has to keep sending the Authorization: HTTP request header regardless. mod_proxy should be just passing this header along as-is to whatever back-end server is responsible for handling the request, regardless of whether it's IIS or AOLserver. It'd be kinda fun to implement an nsntlm module for AOLserver so you could use NTLM auth in AOLserver on Win32. NTLM auth is really nothing more than the server responding 401 Unauthorized w/ appropriate WWW-Authenticate headers, followed by 403 Access Denied w/ WWW-Authenticate headers, examining the Authorized header that comes back from the browser. However, the only browser that speaks NTLM is MSIE, right? Not sure how much value there would be in implementing this module and/or who would actually ever use it for anything real ... > >I'd be happy to work on an initial proof-of-concept implementation if > >you think there's a real application for it. > > YES! Please -- it would be insanely great to have a starting point. Lets be clear: you want to see a module for AOLserver that lets you run AOLserver as a FastCGI app. under a different webserver? Is this a "just to see if it's possible" or "I would use this in my production environment as soon as I could" kind of ask? > >I'm still not convinced that anyone would seriously run AOLserver as > >a FastCGI app. fronted with another webserver. Or, to rephrase: > >anyone who's willing to do so with the necessary performance impact > >that it will entail ought to look at a simpler solution like > >mod_proxy or some other reverse proxy software. > > Do you have a sense for how much slower this would be? Are we talking > about a fractional performance hit or order of magnitude? I am guessing fractional. mod_proxy isn't remarkably slow, even when used with mod_rewrite -- I used to use caching mod_proxy+mod_rewrite before I switched to Squid for my personal uses. It wasn't much slower than Apache is in general, at least. > (I am not convinced sane people would choose e.g. Cold Fusion, but that > didn't seem to effect its popularity) Exactly. For small enough sites (e.g., the kind of ones who'd try to implement some cock-eyed architecture like what we're discussing), is the traffic going to even approach the level where scalability is going to be a real issue? The app.'s poor design will likely to be the bottleneck before the thin proxy layer ... > FastCGI has the benefit to being as old a technology as AOLServer > (older?). It's very likely someone has done what you want to do, and > has uncovered the hiccups. I'll ask. I remember the nightmares of making FastCGI work in a multi-threaded webserver (Netscape Enterprise Server) many years ago. I think FastCGI was meant to accelerate the multi-process app. area -- folks who had multi-threaded stuff already had a faster CGI-like app. development environment than FastCGI. :-) -- Dossy -- Dossy Shiobara mail: [EMAIL PROTECTED] Panoptic Computer Network web: http://www.panoptic.com/ "He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on." (p. 70) -- AOLserver - http://www.aolserver.com/ To Remove yourself from this list, simply send an email to <[EMAIL PROTECTED]> with the body of "SIGNOFF AOLSERVER" in the email message. You can leave the Subject: field of your email blank.
