
Apache reverse proxy to site using NTLM authentication fails with mod_rewrite but not mod_proxy


We have a reverse proxy server in front of an Exchange server and would like to lock down more of the paths. Minimized examples:

Fails (but works for all pages that don't require authentication):

<VirtualHost 192.168.1.81:443>
    ServerName autodiscover.example.com
    SSLEngine On
    SSLProxyEngine On
    Include conf/sslcert.conf
    RewriteEngine On

    RewriteRule (.*) https://exchangecluster.example.com$1 [P,L]
    ProxyPassReverse / https://exchangecluster.example.com/
</VirtualHost>

Works:

<VirtualHost 192.168.1.81:443>
    ServerName autodiscover.example.com
    SSLEngine On
    SSLProxyEngine On
    Include conf/sslcert.conf
    RewriteEngine On

    ProxyPass / https://exchangecluster.example.com/
    ProxyPassReverse / https://exchangecluster.example.com/
</VirtualHost>

The request makes it through when using the rewrite rule and responds with a 401 and provides options for WWW-Authenticate as expected. With ProxyPass, the user's authentication works, while with RewriteRule, the user is continuously prompted for authentication, which I assume is related to NTLM.

There are several questions in StackExchange that say that mod_proxy can't handle the NTLM pass-through authentication, but it's working in this case.

The mod-rewrite issue can be worked around by handling paths that don't require authentication, then denying paths that should be blocked, and then doing a global ProxyPass.

Workaround:

<VirtualHost 192.168.1.81:443>
    ServerName autodiscover.example.com
    SSLEngine On
    SSLProxyEngine On
    Include conf/sslcert.conf
    RewriteEngine On

    # Block all requests except the autodiscover URLs
    RewriteCond "%{REQUEST_URI}" "!^/autodiscover/autodiscover\.(?:xml|json|svc)$" [NC]
    RewriteRule ^ - [F]

    ProxyPass / https://exchangecluster.example.com/
    ProxyPassReverse / https://exchangecluster.example.com/
</VirtualHost>

A comment on another question suggested using mpm_prefork_module instead of mpm_worker_module. I checked our 00_mpm.conf and we're using worker and it's working with proxypass, so it feels like we're missing something for the mod_rewrite proxy option.

Most questions I've found are about having the reverse proxy authenticate via NTLM. This question is about passing the authentication to the server and keeping the session intact, not authenticating from Apache (assuming that's not required to make this work).

Are there any settings that need to be enabled to permit the proxying while using mod_rewrite?
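An added check for the workaround above (example code, not part of the question or of Apache): it mirrors the RewriteCond allowlist so the expected answer for any path can be predicted offline, then probes the front door anonymously and flags any path where the observed status or the WWW-Authenticate challenge deviates from what the lock-down promises. The hostname is the one from the post; the sample paths are constructed.

```python
import re
import urllib.request
import urllib.error

# Mirror of the RewriteCond allowlist in the workaround: only the three
# autodiscover endpoints pass, everything else is answered with 403 ([F]).
# [NC] makes the match case-insensitive, and %{REQUEST_URI} carries the path
# without the query string, so the trailing $ anchors on the path alone.
ALLOWED = re.compile(r"^/autodiscover/autodiscover\.(?:xml|json|svc)$", re.IGNORECASE)

def path_allowed(request_uri: str) -> bool:
    """True if the workaround would let the request reach ProxyPass."""
    path = request_uri.split("?", 1)[0]   # REQUEST_URI excludes the query string
    return ALLOWED.match(path) is not None

def expected_status(request_uri: str) -> int:
    """Status an unauthenticated client should get from the front door."""
    # Allowed paths reach Exchange, which challenges for auth (401);
    # everything else is refused by mod_rewrite before proxying (403).
    return 401 if path_allowed(request_uri) else 403

def probe(base_url: str, request_uri: str):
    """Fetch a path anonymously; return (status, WWW-Authenticate header or '')."""
    req = urllib.request.Request(base_url + request_uri, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.headers.get("WWW-Authenticate", "")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("WWW-Authenticate", "")

def check(request_uri: str, status: int, www_auth: str) -> list:
    """Compare one observed response with what the workaround promises."""
    problems = []
    want = expected_status(request_uri)
    if status != want:
        problems.append(f"{request_uri}: got {status}, expected {want}")
    if want == 401 and "NTLM" not in www_auth and "Negotiate" not in www_auth:
        problems.append(f"{request_uri}: 401 without NTLM/Negotiate challenge ({www_auth!r})")
    return problems

def audit(base_url: str, paths) -> list:
    """Probe each path and collect deviations from the expected policy."""
    findings = []
    for p in paths:
        status, www_auth = probe(base_url, p)
        findings.extend(check(p, status, www_auth))
    return findings

if __name__ == "__main__":
    # Constructed sample paths; the .bak variant must not slip past the $ anchor.
    sample = ["/autodiscover/autodiscover.xml", "/AutoDiscover/AutoDiscover.svc",
              "/owa/", "/ecp/", "/autodiscover/autodiscover.xml.bak"]
    for finding in audit("https://autodiscover.example.com", sample):
        print(finding)
```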
