On 31.12.2013 00:50, Lukas Tribus wrote:
Hi,
Subject: http-keep-alive broken?
Hi,
I'm using haproxy ss-20131229 to reverse proxy some windows iis server
with ntlm-auth enabled (one of them being exchange 2012).
While I understood that using 'option http-keep-alive' would make
ntlm-auth work, it doesn't work for me. Are there still some issues with
http-keep-alive and ntlm-auth?
Honestly I would just use the default tunnel mode for this, so I don't
have to think about the NTLM crap when choosing keep-alive/load-balancing
parameters.
If you would like to combine NTLM-auth plus keep-alive, I'd propose
enabling:
option prefer-last-server
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4.2-option%20prefer-last-server
While I do agree that using tcp-mode would make stuff easier, I also need
to do some redirecting on the host-header. Which is AFAIK not possible
while in tcp-mode. (I might be wrong)
I tried moving 'option http-keep-alive' to the frontend section but that
didn't help. I also used 'option prefer-last-server' but that didn't
help as well and I think it wouldn't make any difference since it only
redirects to one server.
The docs say that http-keep-alive should be useful if (quote):
- when the server is non-HTTP compliant and authenticates the connection
  instead of requests (eg: NTLM authentication)
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#option%20http-keep-alive
But as far as I have tested it only breaks NTLM auth badly. So, either
I'm doing something wrong, or haproxy is doing something wrong, or the
docs are wrong about the NTLM part :-)
Greets,
Sander
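
The setup discussed in this thread, written out as an added configuration sketch (not part of the original message and not taken from either poster's config). Hostnames, addresses, section names and timeouts are placeholder assumptions, and it has not been tested against the ss-20131229 snapshot.

```haproxy
# Added illustration: all names, addresses and timeouts below are placeholders.
defaults
    mode http                      # HTTP mode is needed to act on the Host header
    timeout connect 5s
    timeout client  1m
    timeout server  1m
    timeout http-keep-alive 10s

frontend fe_web
    bind :80
    # Host-header based redirect, the reason given for not using mode tcp
    acl host_old hdr(host) -i old.example.com
    redirect prefix http://mail.example.com code 301 if host_old
    default_backend be_iis

backend be_iis
    # Keep connections open between requests; the docs quoted above list
    # connection-authenticating servers (eg: NTLM) as a use case for this mode
    option http-keep-alive
    # Prefer the server this session already holds a connection to, so that
    # follow-up requests of the NTLM handshake are not sent elsewhere
    option prefer-last-server
    server iis1 192.0.2.10:80 check
```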