Hi,

I'm using the "mod_auth_ntlm_winbind" module, which provides support for NTLM and Negotiate authentication through Samba's "ntlm_auth" utility. (The same way Squid does NTLM now.)

All works fine -- both for normal and proxy auth -- except one little issue with the proxy auth.

The NTLM/Negotiate auth requires some "handshaking" -- i.e., several repeats of the initial HTTP command with various auth data exchanged. All such commands must be on the same TCP session, as it is not stateless (unlike Basic auth).

When a browser uses HTTP/1.1 for the proxy, it provides "the same TCP session", and all is OK. (Mozilla/Firefox use HTTP/1.1 by default; IE can be switched to use 1.1 too.)

Unfortunately Internet Explorer since version 6 uses "HTTP/1.0" for secure web connections (https). I.e., instead of "CONNECT some_host:443 HTTP/1.1" it uses:
"CONNECT some_host:443 HTTP/1.0" .
As there is no accompanying "Connection: keep-alive" header, Apache interprets this as no keep-alive and closes the TCP session immediately after the first CONNECT. Therefore the auth handshaking is broken... As a result, people using IE cannot use the proxy to connect to any "https" site.

I've found that most browsers (Mozilla, IE) also send a "Proxy-Connection: keep-alive" header. IE6 sends it too when it uses "CONNECT ... HTTP/1.0". This header is similar to the ordinary "Connection: keep-alive" header, which alters the behaviour of (normally connection-close) HTTP/1.0.

It seems to me that it is an Apache issue. Apache ignores "Proxy-Connection" entirely now, but IMHO should handle it properly. (Some needed code seems to be added to the modules/http/http_protocol.c:ap_set_keepalive() function.)

Note that any "negotiate-like auth" module is affected now (perhaps "mod_auth_krb5" too), not mod_auth_ntlm_winbind only.


The code for mod_auth_ntlm_winbind can be found here:
ftp://ftp.samba.org/pub/unpacked/lorikeet/mod_ntlm_winbind or svn://svnanon.samba.org/lorikeet/trunk/mod_ntlm_winbind
There is a pending/reviewed package to be included into Fedora Extras:
http://dmitry.butskoy.name/mod_auth_ntlm_winbind/mod_auth_ntlm_winbind-20060510-2.src.rpm

IMHO the mod_auth_ntlm_winbind module allows Apache to be used in environments where Windows authentication (NT or AD w2k) is strongly required. That way, instead of switching to IIS, some users might continue to use Apache...

I hope it is some kind of "easy fix" issue.

Any comments?


Regards,
Dmitry Butskoy,
      Fedora Extras/Livna contributor,
      Red Hat Certified Engineer 809003662809495



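The keep-alive decision the post is asking for, as an added example that is not part of the original message and not Apache's own ap_set_keepalive() code: a minimal, standalone decision function that parses a raw request header block, and a flag (honour_proxy_connection, an assumed name for illustration) that switches between the behaviour described as current (Proxy-Connection ignored, so IE6's HTTP/1.0 CONNECT gets closed) and the proposed behaviour (Proxy-Connection: keep-alive treated like Connection: keep-alive on HTTP/1.0). The sample requests are constructed; "some_host" is the placeholder from the post.

```c
/* Added example: minimal keep-alive decision for an HTTP proxy that can
 * honour the de-facto "Proxy-Connection:" header on HTTP/1.0 requests.
 * This is NOT Apache's ap_set_keepalive(); it only models the decision. */
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* If `line` starts with "<name>:", return a pointer to the value, else NULL. */
static const char *header_value(const char *line, const char *name) {
    size_t n = strlen(name);
    if (strncasecmp(line, name, n) != 0 || line[n] != ':') return NULL;
    line += n + 1;
    while (*line == ' ' || *line == '\t') line++;
    return line;
}

/* Case-insensitive search for `token` in a comma-separated header value. */
static int value_has_token(const char *v, const char *token) {
    size_t tl = strlen(token);
    while (*v) {
        while (*v == ' ' || *v == '\t' || *v == ',') v++;
        const char *end = v;
        while (*end && *end != ',' && *end != ' ' && *end != '\t') end++;
        if ((size_t)(end - v) == tl && strncasecmp(v, token, tl) == 0) return 1;
        v = end;
    }
    return 0;
}

/* Returns 1 to keep the TCP connection open after this request, 0 to close.
 * Rules modelled here (assumed, simplified):
 *   - "Connection: close" (or "Proxy-Connection: close") always closes;
 *   - HTTP/1.1 and later are persistent by default;
 *   - HTTP/1.0 is closed unless "Connection: keep-alive" is present, or,
 *     when honour_proxy_connection is set, "Proxy-Connection: keep-alive". */
int decide_keepalive(const char *req, int honour_proxy_connection) {
    char line[512];
    int http11 = 0, conn_ka = 0, close_hdr = 0, proxy_ka = 0, first = 1;
    const char *p = req;
    while (*p) {
        size_t len = strcspn(p, "\r\n");
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p += len;
        if (*p == '\r') p++;           /* consume exactly one line terminator */
        if (*p == '\n') p++;
        if (line[0] == '\0') break;    /* blank line ends the header block */
        if (first) {                   /* request line: "METHOD target HTTP/x.y" */
            int maj = 0, min = 0;
            const char *sp = strrchr(line, ' ');
            if (sp && sscanf(sp + 1, "HTTP/%d.%d", &maj, &min) == 2)
                http11 = (maj > 1) || (maj == 1 && min >= 1);
            first = 0;
            continue;
        }
        const char *v;
        if ((v = header_value(line, "Connection")) != NULL) {
            if (value_has_token(v, "keep-alive")) conn_ka = 1;
            if (value_has_token(v, "close")) close_hdr = 1;
        } else if ((v = header_value(line, "Proxy-Connection")) != NULL) {
            if (value_has_token(v, "keep-alive")) proxy_ka = 1;
            if (value_has_token(v, "close")) close_hdr = 1;
        }
    }
    if (close_hdr) return 0;
    if (http11) return 1;
    return conn_ka || (honour_proxy_connection && proxy_ka) ? 1 : 0;
}

/* Constructed sample: what the post describes IE6 sending for an https site. */
const char *const IE6_CONNECT =
    "CONNECT some_host:443 HTTP/1.0\r\n"
    "Proxy-Connection: keep-alive\r\n"
    "\r\n";

int main(void) {
    printf("IE6 CONNECT, Proxy-Connection ignored : %s\n",
           decide_keepalive(IE6_CONNECT, 0) ? "keep-alive" : "close");
    printf("IE6 CONNECT, Proxy-Connection honoured: %s\n",
           decide_keepalive(IE6_CONNECT, 1) ? "keep-alive" : "close");
    return 0;
}
```

With the flag cleared the IE6 request is closed after the first CONNECT, which is exactly the point where the second NTLM/Negotiate round trip (the 407 challenge and the Type 3 reply) can no longer arrive on the same socket; with the flag set, the connection stays open and the handshake can complete.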