Re: RE: [IE] Re: Has anyone implemented Nginx as a reverse proxy with Microsoft Sharepoint?

2018-01-19 Thread Payam Chychi
On Fri, Jan 19, 2018 at 9:30 PM blason  wrote:

> Hi there,
>
> I guess it was not an issue with NTLM, since I am successfully able to
> authenticate with SharePoint: the front page loads successfully while
> sub-site pages do not load up, and I am not able to figure out the issue.
>
> Will soon share the config and logs; I would really appreciate it if help
> could be offered to eliminate the issue.
>
> Posted at Nginx Forum:
> https://forum.nginx.org/read.php?2,278193,278202#msg-278202
>
> ___
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx


The best way to troubleshoot this is to do a packet capture using tcpdump
and see what happens when the request hits the nginx server. You will see what
and how the packets are sent/received.

Also, when the sub-sites don't work, what do you see in the HTTP headers?
All this data is really important for troubleshooting.

Feel free to send me an email at pchychi . At . Gmail; happy to help
troubleshoot it.

Cheers
Payam
-- 
Payam Tarverdyan Chychi
Network Security Specialist / Network Engineer

Re: RE: [IE] Re: Has anyone implemented Nginx as a reverse proxy with Microsoft Sharepoint?

2018-01-19 Thread blason
Hi there,

I guess it was not an issue with NTLM, since I am successfully able to
authenticate with SharePoint: the front page loads successfully while
sub-site pages do not load up, and I am not able to figure out the issue.

Will soon share the config and logs; I would really appreciate it if help
could be offered to eliminate the issue.

Posted at Nginx Forum: 
https://forum.nginx.org/read.php?2,278193,278202#msg-278202



what is allowed within an evil "if", and multiple proxy failovers

2018-01-19 Thread jonathan vanasco
We have a shared macro/include used for letsencrypt verification, which proxies 
requests to the `/.well-known` directory onto an upstream provider.

The macro uses an old flag/semaphore based technique to toggle whether the route 
is enabled or not, so we can disable it when not needed. It works great.

location /.well-known/acme-challenge {
    if (!-f /etc/nginx/_flags/letsencrypt-public) {
        rewrite ^.*$ @letsencrypt_public_503 last;
    }
    include /path/to/proxy_config;
}
location = @letsencrypt_public_503 {
    internal;
    return 503;
}

Recently, letsencrypt dropped support for TLS authentication and now requires 
port 80. This has created a problem, because we run multiple ACME clients and 
were able to segment the ones that hit our catchall/default servers based on 
the protocol.

While many of our configs can use the existing files, a few need to support 
both systems in a failover situation.

The current working version works around nginx config syntax to get around this…

location /.well-known/acme-challenge {
    proxy_set_header  X-Real-IP        $remote_addr;
    proxy_set_header  X-Forwarded-For  $proxy_add_x_forwarded_for;
    proxy_set_header  Host             $host;

    set $acme_options "";
    if (-f /etc/nginx/_flags/client_a) {
        set $acme_options "client_a";
    }
    if (-f /etc/nginx/_flags/client_b) {
        set $acme_options "${acme_options}.client_b";
    }

    if ($acme_options = "client_a") {
        proxy_pass http://127.0.0.1:81;
        break;
    }

    if ($acme_options = "client_a.client_b") {
        proxy_pass http://127.0.0.1:81;
        break;
    }

    if ($acme_options = ".client_b") {
        proxy_pass http://127.0.0.1:6501;
        break;
    }

    rewrite ^.*$ @acme_503 last;
}

I have some problems with this approach that I'd like to avoid, and wonder if 
anyone has suggestions:
1. I'm lucky that proxy_set_header has shared info; it's not allowed within an 
"if" block.
2. I repeat the proxy_pass info a lot here, and it also exists in some other 
macros which are shared often. There are many places to update.

There were other things I didn't like, but I forgot.  Does anyone have a better 
suggestion than my current implementation?  It works for now, but it's not 
modular or clean.

 


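One way to keep the flag-file toggle and still fail over between the two ACME clients without a chain of `if` blocks, as an added example that is not the poster's configuration: the two clients go into an `upstream` group with the second marked `backup`, and `proxy_next_upstream ... http_404` retries the request against the other client when the first does not know the token (ACME clients answer 404 for tokens they did not issue). The only `if` left does a bare `return`, which is one of the safe uses. The flag path, the two loopback ports and the header lines are taken from the post; the upstream name and the `limit_except` line are assumptions added here.

```nginx
# Added example, not the poster's config. Assumed: the two ACME clients listen
# on 127.0.0.1:81 (preferred) and 127.0.0.1:6501 (fallback), as in the post.
upstream acme_clients {
    server 127.0.0.1:81;            # preferred ACME client
    server 127.0.0.1:6501 backup;   # tried only after the preferred one fails or answers 404
}

server {
    listen 80;
    server_name _;

    # Only the challenge path is proxied; nothing else under /.well-known/ is exposed.
    location ^~ /.well-known/acme-challenge/ {
        # Same kill switch as the original technique: the route is live only
        # while the flag file exists. A bare "return" inside "if" is safe.
        if (!-f /etc/nginx/_flags/letsencrypt-public) {
            return 503;
        }

        # Validation requests are plain GETs (limit_except GET also admits HEAD).
        limit_except GET { deny all; }

        proxy_http_version 1.1;
        proxy_set_header Host            $host;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Fail over when the preferred client is down, hangs, or does not
        # recognise the token and answers 404. Two tries: one per client.
        proxy_next_upstream error timeout http_404;
        proxy_next_upstream_tries 2;

        proxy_pass http://acme_clients;
    }
}
```

With this layout the per-client flag files are no longer needed: whether a client participates is simply whether its process is listening, and a client can be taken out explicitly with `down` on its `server` line. Validate with `nginx -t` before reloading; if both clients answer 404 the last 404 is what the CA sees, which is the correct failure mode for an unknown token.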

Re: [IE] Re: Has anyone implemented Nginx as a reverse proxy with Microsoft Sharepoint?

2018-01-19 Thread Payam Chychi
On Fri, Jan 19, 2018 at 7:14 AM Jason Whittington <
jason.whitting...@equifax.com> wrote:

> I haven't done it for SharePoint but I have done it for TFS.  If I had to
> guess you are probably being bitten by NTLM.
>
> NTLM authentication authenticates connections instead of requests, and
> this somewhat contradicts the HTTP protocol, which is expected to be
> stateless. As a result it doesn't generally work through proxies, including
> nginx.
>
> NGINX can support it though; you need to use the "ntlm" directive. Below
> is a [stripped down] example of how I have it set up in front of TFS.  I
> would think SharePoint would be very similar.  This has worked very
> reliably for like a year.
>
> upstream MyNtlmService {
>     zone backend;
>     server 192.168.0.1:8080;
>     server 192.168.0.2:8080;
>     # See http://stackoverflow.com/questions/10395807/nginx-close-upstream-connection-after-request
>     keepalive 64;
>     # See http://nginx.org/en/docs/http/ngx_http_upstream_module.html#ntlm
>     ntlm;
> }
> server {
>     listen 80;
>
>     location / {
>         proxy_read_timeout 60s;
>         # http://stackoverflow.com/questions/21284935/nginx-reverse-proxy-with-windows-authentication-that-uses-ntlm
>         proxy_http_version 1.1;
>         proxy_set_header Connection "";
>
>         proxy_pass http://MyNtlmService/;
>     }
> }
>
>
> Jason
>
>
> -Original Message-
> From: nginx [mailto:nginx-boun...@nginx.org] On Behalf Of blason
> Sent: Friday, January 19, 2018 12:18 AM
> To: nginx@nginx.org
> Subject: [IE] Re: Has anyone implemented Nginx as a reverse proxy with
> Microsoft Sharepoint?
>
> Wow man!! Thanks. I am struggling with the configuration, as subsites do not
> show anything; it shows a blank page, i.e. only a blank page, while the front
> page opens successfully.
>
> Posted at Nginx Forum:
> https://forum.nginx.org/read.php?2,278193,278195#msg-278195
>
>
> This message contains proprietary information from Equifax which may be
> confidential. If you are not an intended recipient, please refrain from any
> disclosure, copying, distribution or use of this information and note that
> such actions are prohibited. If you have received this transmission in
> error, please notify by e-mail postmas...@equifax.com. Equifax® is a
> registered trademark of Equifax Inc. All rights reserved.



Yep, the problem is/will be ntlm. Try what Jason mentioned, and you can
drop me an email if you like off-list - pchychi . At . Gmail


-- 
Payam Tarverdyan Chychi
Network Security Specialist / Network Engineer

RE: [IE] Re: Has anyone implemented Nginx as a reverse proxy with Microsoft Sharepoint?

2018-01-19 Thread Jason Whittington
I haven't done it for SharePoint but I have done it for TFS.  If I had to guess 
you are probably being bitten by NTLM.

NTLM authentication authenticates connections instead of requests, and this 
somewhat contradicts the HTTP protocol, which is expected to be stateless. As a 
result it doesn't generally work through proxies, including nginx.

NGINX can support it though; you need to use the "ntlm" directive. Below is a 
[stripped down] example of how I have it set up in front of TFS.  I would think 
SharePoint would be very similar.  This has worked very reliably for like a 
year.

upstream MyNtlmService {
    zone backend;
    server 192.168.0.1:8080;
    server 192.168.0.2:8080;
    # See http://stackoverflow.com/questions/10395807/nginx-close-upstream-connection-after-request
    keepalive 64;
    # See http://nginx.org/en/docs/http/ngx_http_upstream_module.html#ntlm
    ntlm;
}
server {
    listen 80;

    location / {
        proxy_read_timeout 60s;
        # http://stackoverflow.com/questions/21284935/nginx-reverse-proxy-with-windows-authentication-that-uses-ntlm
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        proxy_pass http://MyNtlmService/;
    }
}


Jason


-Original Message-
From: nginx [mailto:nginx-boun...@nginx.org] On Behalf Of blason
Sent: Friday, January 19, 2018 12:18 AM
To: nginx@nginx.org
Subject: [IE] Re: Has anyone implemented Nginx as a reverse proxy with 
Microsoft Sharepoint?

Wow man!! Thanks. I am struggling with the configuration, as subsites do not show 
anything; it shows a blank page, i.e. only a blank page, while the front page 
opens successfully.

Posted at Nginx Forum: 
https://forum.nginx.org/read.php?2,278193,278195#msg-278195


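Why a connection-oriented scheme fails behind a proxy that multiplexes requests, as an added illustration that is neither nginx code nor from the thread: the script models Jason's explanation with a backend that keeps NTLM handshake state per upstream TCP connection, a proxy that opens a fresh upstream connection for every request, and a proxy that pins each client connection to one upstream connection, which is what the `ntlm` upstream directive does once a request carries an `Authorization: NTLM ...` header. Class, function and message names are ours, and the three NTLM messages are placeholders rather than real base64 blobs. Two caveats the thread does not spell out: `ntlm` is part of the NGINX Plus commercial subscription, not of open-source nginx, and per its documentation it only works together with `keepalive`, `proxy_http_version 1.1` and a cleared `Connection` header, all of which Jason's configuration already has.

```python
"""Added model (not nginx code) of NTLM through a proxy.

NTLM is a three-leg handshake (Type 1 negotiate, Type 2 challenge, Type 3
authenticate) whose result is attached to the TCP connection, not to the
request. Message bodies below are placeholders, not real NTLM blobs.
"""
import itertools


class NtlmBackend:
    """Backend (SharePoint/TFS-like) that authenticates *connections*."""

    def __init__(self):
        # upstream connection id -> "challenged" | "authenticated"
        self._state = {}

    def handle(self, conn_id, headers):
        auth = headers.get("Authorization", "")
        state = self._state.get(conn_id)
        if state == "authenticated":
            # Every later request on this connection is accepted as-is.
            return 200, {}
        if auth.startswith("NTLM TYPE1"):
            self._state[conn_id] = "challenged"
            return 401, {"WWW-Authenticate": "NTLM TYPE2"}
        if auth.startswith("NTLM TYPE3") and state == "challenged":
            self._state[conn_id] = "authenticated"
            return 200, {}
        # No credentials, or a Type 3 on a connection that never saw the Type 1:
        # the backend restarts the handshake.
        return 401, {"WWW-Authenticate": "NTLM"}


class PerRequestProxy:
    """Stateless HTTP proxy: a new upstream connection for every request."""

    def __init__(self, backend):
        self.backend = backend
        self._ids = itertools.count(1)

    def forward(self, client_conn, headers):
        return self.backend.handle(next(self._ids), headers)


class PinnedProxy:
    """Proxy that binds each client connection to one upstream connection,
    the behaviour the ntlm directive provides on top of keepalive."""

    def __init__(self, backend):
        self.backend = backend
        self._ids = itertools.count(1)
        self._pins = {}  # client connection -> upstream connection id

    def forward(self, client_conn, headers):
        conn = self._pins.setdefault(client_conn, next(self._ids))
        return self.backend.handle(conn, headers)


def ntlm_client(proxy, client_conn="c1"):
    """Run the handshake through the proxy on one client connection, then
    fetch a second page (the 'sub-site') on the same connection.
    Returns the list of status codes the client saw."""
    statuses = []
    status, hdrs = proxy.forward(client_conn, {})
    statuses.append(status)
    if status != 401 or "NTLM" not in hdrs.get("WWW-Authenticate", ""):
        return statuses
    status, hdrs = proxy.forward(client_conn, {"Authorization": "NTLM TYPE1"})
    statuses.append(status)
    if not hdrs.get("WWW-Authenticate", "").startswith("NTLM TYPE2"):
        return statuses
    status, _ = proxy.forward(client_conn, {"Authorization": "NTLM TYPE3"})
    statuses.append(status)
    if status == 200:
        status, _ = proxy.forward(client_conn, {})  # second page, no credentials
        statuses.append(status)
    return statuses


if __name__ == "__main__":
    print("per-request proxy:", ntlm_client(PerRequestProxy(NtlmBackend())))
    print("pinned proxy:     ", ntlm_client(PinnedProxy(NtlmBackend())))
```

The per-request proxy delivers the Type 3 message on an upstream connection that never saw the Type 1, so the backend answers 401 again and the client loops or gives up; the pinned proxy completes the handshake and the follow-up request rides the authenticated connection. That is also why a packet capture on the upstream side, as suggested earlier in the thread, is the quickest check: count how many upstream connections one client handshake spreads across.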

Fixed upstream->read timer when downstream->write not ready

2018-01-19 Thread xiaolong hong
# HG changeset patch
# User Xiaolong Hong 
# Date 1516354115 -28800
#  Fri Jan 19 17:28:35 2018 +0800
# Node ID f017b8c1a99433cc3321475968556aee50609145
# Parent  93abb5a855d6534f0356882f45be49f8c6a95a8b
Fixed upstream->read timer when downstream->write not ready.

diff -r 93abb5a855d6 -r f017b8c1a994 src/http/ngx_http_upstream.c
--- a/src/http/ngx_http_upstream.c  Thu Jan 11 21:43:49 2018 +0300
+++ b/src/http/ngx_http_upstream.c  Fri Jan 19 17:28:35 2018 +0800
@@ -3625,7 +3625,9 @@ ngx_http_upstream_process_non_buffered_r
 return;
 }

-if (upstream->read->active && !upstream->read->ready) {
+if (upstream->read->active && !upstream->read->ready
+&& !(u->length == 0 || (upstream->read->eof && u->length == -1)))
+{
 ngx_add_timer(upstream->read, u->conf->read_timeout);

 } else if (upstream->read->timer_set) {
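Review bot: the new guard in the `if` at the top of this hunk inlines an end-of-response test, `u->length == 0 || (upstream->read->eof && u->length == -1)`, with no comment, so a reader of the timer code cannot tell why `u->length == -1` is paired with `upstream->read->eof`. Suggest computing it once into a named local (for example `done`) and adding a one-line comment that the read timer is deliberately not armed once nothing more is expected from upstream, leaving only the downstream write timer so that the eventual error is attributed to the client; if the same function already evaluates this completion test where it finalizes the request, reuse that expression so the two do not drift. Also worth a sentence in the commit message: with the new condition false, control falls into the `else if (upstream->read->timer_set)` branch and any previously armed read timer is deleted, which is the intended effect but is not obvious from the diff.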



When downstream hung and nginx received the last buffer from upstream, both
the downstream->write timer and the upstream->read timer would be added at the
same time, because downstream->write->ready and upstream->read->ready would
both happen to be 0.

Actually, if clcf->send_timeout is less than u->conf->read_timeout, the
upstream->read timer would be woken before the downstream->write timer, which
caused the "upstream timed out" error to be reported mistakenly, deviating from
the fact that upstream worked normally but downstream hung.

This problem can be fixed by checking upstream eof when trying to add the
upstream->read timer.



We got debug logs as follows:

2018/01/19 17:16:44 [debug] 19674#0: *5 http write filter: l:0 f:1 s:510767
2018/01/19 17:16:44 [debug] 19674#0: *5 http write filter limit 0
2018/01/19 17:16:44 [debug] 19674#0: *5 http write filter 00010080E068
2018/01/19 17:16:44 [debug] 19674#0: *5 http copy filter: -2 "/t?"
2018/01/19 17:16:44 [debug] 19674#0: *5 event timer del: 7: 1516353481686
2018/01/19 17:16:44 [debug] 19674#0: *5 event timer add: 7: 77000:1516353481990   (add downstream->write timer)
2018/01/19 17:16:44 [debug] 19674#0: *5 event timer: 8, old: 1516353426958, new: 1516353426990
2018/01/19 17:16:44 [debug] 19674#0: timer delta: 16
2018/01/19 17:16:44 [debug] 19674#0: worker cycle
2018/01/19 17:16:44 [debug] 19674#0: kevent timer: 21968, changes: 0 (add upstream->read timer)
2018/01/19 17:16:45 [debug] 19674#0: kevent events: 1
2018/01/19 17:16:45 [debug] 19674#0: kevent: 8: ft:-1 fl:0025 ff: d:3068 ud:00010180C6D0
2018/01/19 17:16:45 [debug] 19674#0: *5 http upstream request: "/t?"
2018/01/19 17:16:45 [debug] 19674#0: *5 http upstream process non buffered upstream
2018/01/19 17:16:45 [debug] 19674#0: *5 recv: eof:0, avail:3068, err:0
2018/01/19 17:16:45 [debug] 19674#0: *5 recv: fd:8 3080 of 4734892
2018/01/19 17:16:45 [debug] 19674#0: *5 posix_memalign: 00010100AE00:4096 @16
2018/01/19 17:16:45 [debug] 19674#0: *5 http output filter "/t?"
2018/01/19 17:16:45 [debug] 19674#0: *5 http copy filter: "/t?"
2018/01/19 17:16:45 [debug] 19674#0: *5 http postpone filter "/t?" 00010100AE20
2018/01/19 17:16:45 [debug] 19674#0: *5 http chunk: 3080


2018/01/19 17:17:06 [debug] 19674#0: kevent events: 0
2018/01/19 17:17:06 [debug] 19674#0: timer delta: 21739
2018/01/19 17:17:06 [debug] 19674#0: *5 event timer del: 8: 1516353426958
2018/01/19 17:17:06 [debug] 19674#0: *5 http upstream request: "/t?"
2018/01/19 17:17:06 [debug] 19674#0: *5 http upstream process non buffered upstream
2018/01/19 17:17:06 [error] 19674#0: *5 upstream timed out (60: Operation timed out) while reading upstream, client: 127.0.0.1, server: localhost, request: "GET /t HTTP/1.1", upstream: "http://127.0.0.1:9090/t", host: "t.taobao.com"
2018/01/19 17:17:06 [debug] 19674#0: *5 finalize http upstream request: 504
2018/01/19 17:17:06 [debug] 19674#0: *5 finalize http proxy request
2018/01/19 17:17:06 [debug] 19674#0: *5 free rr peer 1 0
2018/01/19 17:17:06 [debug] 19674#0: *5 close http upstream connection: 8
2018/01/19 17:17:06 [debug] 19674#0: *5 free: 000100300220, unused: 48
2018/01/19 17:17:06 [debug] 19674#0: *5 reusable connection: 0
2018/01/19 17:17:06 [debug] 19674#0: *5 http output filter "/t?"
2018/01/19 17:17:06 [debug] 19674#0: *5 http copy filter: "/t?"
2018/01/19 17:17:06 [debug] 19674#0: *5 http postpone filter "/t?" 7FFEEFBFF1B0
2018/01/19 17:17:06 [debug] 19674#0: *5 http chunk: 0


2018/01/19 17:18:23 [debug] 19674#0: kevent events: 0
2018/01/19 17:18:23 [debug] 19674#0: timer delta: 77012
2018/01/19 17:18:23 [debug] 19674#0: *5 event timer del: 7: 1516353503980
2018/01/19 17:18:23 [debug] 19674#0: *5 http run request: "/t?"
2018/01/19 17:18:23 [debug] 19674#0: *5 http writer handler: "/t?"
2018/01/19 17:18:23 [info] 19674#0: *5 client timed out (60: Operation timed out) while sending to client, client: 127.0.0.1, server: localhost, request: "GET /t HTTP/1.1", upstream: "http://127.0.0.1:9090/t", host: "t.taobao.com"
2018/01/19 17:18:23 [debug] 19674#0: *5 http finalize request: 408, "/t?" a:1,
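The race the patch mail describes, as an added model in Python that is not nginx code: `arm_read_timer` mirrors the `if` condition from the hunk before and after the change, and `first_timeout` picks whichever of the two pending timers expires first, using the values visible in the debug log (a 77000 ms downstream write timer and a 21968 ms upstream read timer). Field and function names are ours and the scenario is the one the mail states, a client that stops reading after the last upstream buffer arrived. The practical consequence for anyone alerting on upstream 5xx rates: before the fix a stalled client makes a healthy upstream look like it timed out (504, "upstream timed out"), after it the 408 "client timed out" seen at the end of the log is the only error, and the blame lands on the right side.

```python
"""Added model (not nginx code) of the competing timers in the patch mail.

While a non-buffered proxied response is relayed, two timers can be pending:
  - downstream->write timer, armed with send_timeout when the client socket
    is not writable;
  - upstream->read timer, armed with proxy_read_timeout when the upstream
    socket is not readable.
Whichever expires first decides which error nginx logs and which status the
request is finalized with. Names are ours; fields mirror the hunk
(read->active, read->ready, read->eof, u->length).
"""
from dataclasses import dataclass


@dataclass
class UpstreamRead:
    active: bool  # read event registered with the event loop
    ready: bool   # data available to read right now
    eof: bool     # upstream closed its side


def response_complete(read: UpstreamRead, length: int) -> bool:
    """The expression the patch adds: nothing more is expected from upstream,
    either because a known Content-Length was fully consumed (length == 0)
    or an unknown-length body (length == -1) ended with EOF."""
    return length == 0 or (read.eof and length == -1)


def arm_read_timer(read: UpstreamRead, length: int, patched: bool) -> bool:
    """Mirror of the `if` in the hunk. True when ngx_add_timer(upstream->read)
    would run; False when the else-branch deletes any pending read timer."""
    if not (read.active and not read.ready):
        return False
    if patched and response_complete(read, length):
        return False
    return True


def first_timeout(read: UpstreamRead, length: int, patched: bool,
                  send_timeout_ms: int, read_timeout_ms: int):
    """Client stopped reading after the last upstream buffer arrived.
    Returns (status, log message) for the timer that fires first."""
    timers = [(send_timeout_ms, 408, "client timed out while sending to client")]
    if arm_read_timer(read, length, patched):
        timers.append((read_timeout_ms, 504, "upstream timed out while reading upstream"))
    _, status, message = min(timers)  # earliest deadline wins
    return status, message


if __name__ == "__main__":
    # Values from the debug log: 77000 ms write timer, 21968 ms read timer.
    done = UpstreamRead(active=True, ready=False, eof=False)
    print("before patch:", first_timeout(done, 0, False, 77000, 21968))
    print("after patch: ", first_timeout(done, 0, True, 77000, 21968))
```

The model also shows what the patch does not change: while the response is still incomplete (`length > 0`, or `length == -1` without EOF) the read timer is still armed, so a genuinely slow upstream keeps producing the 504 it should.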