BUG/MINOR: only mark connections private if NTLM is detected
Instead of marking all connections that see a 401/407 response private
(for connection reuse), this patch detects a RFC4559/NTLM authentication
scheme and restricts the private setting to those connections.
This is so we can reuse connections with 401/407 responses with
deterministic load balancing algorithms later (which requires another fix).
This fixes the problem reported here by Elliot Barlas :
https://discourse.haproxy.org/t/unable-to-configure-load-balancing-per-request-over-persistent-connection/3144
Should be backported to 1.8.
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 95b0b97..b140b60 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -4848,10 +4848,8 @@
- connections sent to a server with a TLS SNI extension are marked private
and are never shared;
- - connections receiving a status code 401 or 407 expect some authentication
- to be sent in return. Due to certain bogus authentication schemes (such
- as NTLM) relying on the connection, these connections are marked private
- and are never shared;
+ - connections with certain bogus authentication schemes (relying on the
+ connection) like NTLM are detected, marked private and are never shared;
No connection pool is involved, once a session dies, the last idle connection
it was attached to is deleted at the same time. This ensures that connections
diff --git a/src/proto_http.c b/src/proto_http.c
index 8ac4c01..980525d 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -3715,8 +3715,6 @@
* it's better to do it (at least it helps with debugging).
*/
s->txn->flags |= TX_PREFER_LAST;
- if (srv_conn)
- srv_conn->flags |= CO_FL_PRIVATE;
}
/* Never ever allow to reuse a connection from a non-reuse backend */
@@ -4380,10 +4378,13 @@
struct http_txn *txn = s->txn;
struct http_msg *msg = &txn->rsp;
struct hdr_ctx ctx;
+ struct connection *srv_conn;
int use_close_only;
int cur_idx;
int n;
+ srv_conn = cs_conn(objt_cs(s->si[1].end));
+
DPRINTF(stderr,"[%u] %s: stream=%p b=%p, exp(r,w)=%u,%u bf=%08x bh=%lu analysers=%02x\n",
now_ms, __FUNCTION__,
s,
@@ -4915,6 +4916,27 @@
msg->body_len = msg->chunk_len = cl;
}
+ /* check for NTML authentication headers in 401 (WWW-Authenticate) and
+ * 407 (Proxy-Authenticate) responses and set the connection to private
+ */
+ if (srv_conn && txn->status == 401) {
+ /* check for Negotiate/NTLM WWW-Authenticate headers */
+ ctx.idx = 0;
+ while (http_find_header2("WWW-Authenticate", 16, ci_head(rep), &txn->hdr_idx, &ctx)) {
+ if ((ctx.vlen >= 9 && word_match(ctx.line + ctx.val, ctx.vlen, "Negotiate", 9)) ||
+ (ctx.vlen >= 4 && word_match(ctx.line + ctx.val, ctx.vlen, "NTLM", 4)))
+ srv_conn->flags |= CO_FL_PRIVATE;
+ }
+ } else if (srv_conn && txn->status == 407) {
+ /* check for Negotiate/NTLM Proxy-Authenticate headers */
+ ctx.idx = 0;
+ while (http_find_header2("Proxy-Authenticate", 18, ci_head(rep), &txn->hdr_idx, &ctx)) {
+ if ((ctx.vlen >= 9 && word_match(ctx.line + ctx.val, ctx.vlen, "Negotiate", 9)) ||
+ (ctx.vlen >= 4 && word_match(ctx.line + ctx.val, ctx.vlen, "NTLM", 4)))
+ srv_conn->flags |= CO_FL_PRIVATE;
+ }
+ }
+
skip_content_length:
/* Now we have to check if we need to modify the Connection header.
* This is more difficult on the response than it is on the request,