From: Ruediger Pluem
To: dev@httpd.apache.org
Date: Tue, 30 May 2006 22:30:47 +0200
Subject: PR 39673 revealed a problem with NTLM and mod_proxy
Message-ID: <447CAB77.8070500@apache.org>

PR 39673 revealed a problem with NTLM and mod_proxy_http. Actually NTLM does not work any longer with proxied backends doing NTLM authentication.

As far as I understand NTLM, the current 2.2.x proxy implementation does NOT support it, because there is no guarantee that the same backend connection is used for the next request on a keepalive frontend connection. Each request from a frontend connection leases a backend connection from a connection pool for the request and returns it back to the pool immediately after the request has been processed. When the next request on this keepalive frontend connection is processed, it may lease a different backend connection from the pool.

This raises two questions for me:

1. The current approach of leasing connections from the pool on a per-request basis means that a keepalive frontend connection may use a different backend connection for each request and that a keepalive backend connection may be used by different frontend connections. Does this approach violate any RFCs we claim to implement / support?

2. If the answer to 1. is no, the question that remains is: Do we claim / want to support NTLM on proxied backends? As far as I understand there is no official spec for NTLM, correct?

Regards

Rüdiger
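
Added example, not part of the original message and not httpd code: a toy Python model of the per-request pool leasing described above, showing what happens to an authentication handshake whose state is bound to the backend connection. The class and function names, the FIFO pool order and the `pinned` mode are assumptions made for illustration, and the handshake is reduced to its message order with no cryptography.

```python
from collections import deque

class BackendConn:
    """One keepalive backend connection; the NTLM state lives on it."""
    def __init__(self, cid):
        self.cid, self.state, self.user = cid, "new", None

    def handle(self, auth=None):
        if auth and auth[0] == "type1":            # negotiate: (re)start handshake
            self.state, self.user = "challenged", None
            return 401, None                       # 401 carries the type2 challenge
        if auth and auth[0] == "type3" and self.state == "challenged":
            self.state, self.user = "authed", auth[1]
            return 200, self.user
        if auth is None and self.state == "authed":
            return 200, self.user                  # connection, not request, is trusted
        self.state, self.user = "new", None        # type3 without our challenge
        return 401, None

class Proxy:
    """Hypothetical model: per-request leasing, or one backend conn per frontend."""
    def __init__(self, size, pinned=False):
        # FIFO order is an assumption that makes "a different connection" deterministic
        self.idle = deque(BackendConn(i) for i in range(size))
        self.pinned, self.pins = pinned, {}

    def forward(self, frontend, auth=None):
        if self.pinned:
            if frontend not in self.pins:
                self.pins[frontend] = self.idle.popleft()
            return self.pins[frontend].handle(auth)
        conn = self.idle.popleft()                 # lease for this request only
        try:
            return conn.handle(auth)
        finally:
            self.idle.append(conn)                 # back to the pool immediately

def ntlm_login(proxy, frontend, user):
    """Client side of the handshake on one keepalive frontend connection."""
    proxy.forward(frontend, ("type1",))
    return proxy.forward(frontend, ("type3", user))

def shared_conn_identity():
    """Frontend B sends no credentials after A authenticated via the same pool."""
    proxy = Proxy(1)
    ntlm_login(proxy, "A", "alice")
    return proxy.forward("B")
```

With a two-connection pool, `ntlm_login(Proxy(2), "A", "alice")` ends in 401 because the type3 message lands on a connection that never issued the challenge, while `Proxy(2, pinned=True)` completes with 200. `shared_conn_identity()` returns `(200, "alice")`: a second frontend connection is served under the identity established on the shared backend connection.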