Hello!
On Fri, Nov 18, 2022 at 10:30:29PM -0500, Michael B Allen wrote:
> NTLM over HTTP is a 3 request "handshake" that must occur over the same TCP
> connection.
> My HTTP service implements the NTLMSSP acceptor and uses the clients remote
> address and port like "10.11.12.13:54433" to track the authentication state
> of each TCP connection.
>
> My implementation also uses a header called 'Jespa-Connection-Id' that
> allows the remote address and port to be supplied externally.
> NGINX can use this to act as a proxy for NTLM over HTTP with a config like
> the following:
>
> server {
> location / {
> proxy_pass http://localhost:8080;
> proxy_set_header Jespa-Connection-Id
> $remote_addr:$remote_port;
> }
> }
I'm pretty sure you're aware of this, but just for the record.
Note that NTML authentication is not HTTP-compatible, but rather
requires very specific client behaviour. Further, NTLM
authentication can easily introduce security issues as long as any
proxy servers are used between the client and the origin server,
since it authenticates a connection rather than particular
requests, and connections are not guaranteed to contain only
requests from a particular client. Unless you have very specific
reasons to support it, a better idea might be to use different
authentication mechanisms.
[...]
> This also seems to work fine but I have doubts.
> Can NGINX use the same TCP connection to a backend server to send requests
> of different client connections?
>
> From what I can tell, NGINX seems to create a separate TCP connection for
> each request.
> If this is always true, then it seems this scheme should work.
> Can you please confirm that this is how NGINX works?
>
> More generally, do you see any problems with this scheme?
As of now, nginx by default does not use keepalive connections to
the upstream servers. These are, however, can be configured by
using the "keepalive" directive (http://nginx.org/r/keepalive),
and obviously enough this will break the suggested scheme as there
will be requests from other clients on the same connection.
A better approach might be to check the client address on each
request - this should remove the dependency on whether nginx uses
a new connection for each request or not.
Another issue I can see here is that in a configuration where
Jespa-Connection-Id is not removed by nginx it might be provided
by the client, claiming arbitrary address and port. This might be
a security risk.
Also note that if a proxy server is used in front of nginx with
such a configuration, and this proxy server uses keepalive
connections, requests from different clients coming from the proxy
server will share the same address and port. This might be a
security risk unless authentication token is checked on each
request. This risk is, however, common to all uses of NTLM
authentication, and not really specific to the particular
configuration.
Hope this helps.
--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx mailing list -- nginx@nginx.org
To unsubscribe send an email to nginx-le...@nginx.org
