httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Edoardo Tirtarahardja <>
Subject Re: [users@httpd] Setting KeepAlive on for forward proxy
Date Thu, 18 Aug 2011 16:09:13 GMT
On 2011-08-18 11:26,Jeroen Geilman wrote:
> On 2011-08-18 17:08, Edoardo Tirtarahardja wrote:
>> Hi,
>> I read from mod_proxy description in Apache 2.2 that the default worker
>> does not use the HTTP Keep-Alive.
>> Is there a way how to enable it for forward proxy configuration?
> You mean, from apache working as a forward proxy to the remote origin 
> server?
> Can you imagine how bad that would be ?

Well, this is a very isolated forward proxy within a very small test
network. The reason is when I'm hitting our intranet site, it returns HTTP
403 as it requires NTLM authentication. However the apache forward proxy
close the connection (TCP SYN) when delivering this HTTP 403 response to
the client, causing the client to immediately display the HTTP 403.

>From a computer that directly connected to our corp. LAN, I can see that
if the TCP connection is kept alive, then the browser will re-send the
request with NTLM authentication negotiation and then it works.

I"m new in apache server, but I have done quite some google search and it
seems apache does not have module to be NTLM proxy, i.e. perform NTLM
auth. on the client behalf. The module for NTLM if I understand it
correctly, is only to be used in reverse proxy or to authenticate the
windows client.

Then I put CNTLM proxy parent of apache proxy. While the authentication
works, but to load the page takes considerably longer then the direct
connection one (10 sec. as opposed ot 5 sec.) I can see that using direct
connection, during the loading of the whole page, there are ~4 NTLM
authentication negotiations. This is because the TCP connection are kept
alive between requests. While using apache proxy (cascaded to NTLM proxy),
I can see ~15 NTLM negotiations. This is because the apache proxy keeps
closing the TCP toward the parent proxy at each request.

>>   I tried
>> to set the 'keepalive' parameter in 'ProxyPass' directive it doesn't work.
>> I think ProxyPass is more for reverse proxy, rather than forward proxy.
> As documented, ProxyPass is ONLY for reverse (i.e. known-origin) proxies.

But also as documented, the worker ceated by 'ProxyPass' is *also* used by
forward proxy. Is documentation wrong then?

>> Setting it in 'Proxy' directive also doesn't work.
>> Even I can make it work, those 'ProxyPass'&  'Proxy' requires an absolute
>> URL, while I want to enable it for ALL request.
> Um. So use /.

Thanks for the suggestion. But first I have to be able to create the
worker that will keep the connection alive. I tried to create the worker
using both 'Proxy' & 'ProxyPass' directive to a specific site, and it
doesn't work.

So if you know how to create a worker for forward proxy (or if possible
change the default worker behaviour) so it performs HTTP Keep-Alive,
please let me know.

Thank you very much for your quick response.
Cheers //Edo

View raw message