I would suggest you want to attach this patch to the bugzilla ticket. NTLM does not honor HTTP/1.0 or 1.1 so it is highly unlikely to be accepted into the Apache distribution, but as you point out, this does not mean that there aren't others who would appreciate your patch. On Feb 26, 2013 9:56 AM, "Micha Lenk" <[email protected]> wrote:
> Hi all, > > I am currently working on bugzilla #39673. The issue here is that NTLM > authentication as used in Microsoft products don't work. The reason is that > the brilliant engineers at Microsoft who invented this authentication > scheme assumed that subsequent client requests sent over a single > connection towards the server (i.e. using keep alive) also reach the server > on a single connection. But as Rüdiger Plüm noted some years ago in > bugzilla #39673: > > "the current 2.2.x proxy implementation does NOT support > NTLM, because there is no guarantee that the same backend > connection is used for the next request on a keepalive > frontend connection. Each request from a frontend connection > leases a backend connection from a connection pool for the > request and returns it back to the pool immediately after > the request has been processed. If the next request on > this keepalive frontend connection is processed it may > lease a different backend connection from the pool. As far > as I understand NTLM this approach is not compatible with > NTLM." > > Looking at how mod_proxy_ftp.c solves a similar problem, I tried to solve > that issue with the attached patch (also attached to bugzilla). If a NTLM > request is detected, the cleanup of the currently leased backend connection > is skipped. Instead the backend connection is registered with the client > connection pool, so that it is closed and cleaned up as soon as the client > disconnects. Additionally the backend connection is registered as a config > record in the client connection, so that it can get re-used for subsequent > requests on the same client connection. > > I would like to solicit some feedback about the approach. What would I > need to change for the patch being accepted in trunk? > > Regards, > Micha >
