NTLM sharepoint when use nginx reverse proxy

sonpg
NTLM sharepoint when use nginx reverse proxy
February 23, 2018 10:00AM
Hi everyone,

I have an issue with authentication when using an nginx reverse proxy. It always
requires me to input user/pass.
My config file:

#####
upstream test.com {
    server test.com;
    keepalive 16;
}
server {
    listen 80;
    server_name test.com;
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://test.com;
        proxy_set_header host test.com;
    }
}

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,278737,278737#msg-278737

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
sonpg
Re: NTLM sharepoint when use nginx reverse proxy
February 23, 2018 10:20AM
myserver requires NTLM authentication. I access myserver through the nginx proxy
and provide correct auth info, but the browser prompts for auth again.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,278737,278738#msg-278738

Francis Daly
Re: NTLM sharepoint when use nginx reverse proxy
February 23, 2018 01:40PM
On Fri, Feb 23, 2018 at 04:15:31AM -0500, sonpg wrote:

Hi there,

> myserver requires NTLM authentication. I access myserver through nginx proxy
> and provide correct auth info,but the browser prompt auth again.

http://nginx.org/r/ntlm

nginx does not support NTLM authentication.

If you need something to reverse-proxy a http server that uses NTLM, you
must write the code to make your nginx do it, or you must use something
that is not stock-nginx.

If you choose the latter, "NGINX Plus" is one thing that does advertise
NTLM support. Other things probably exist too.

f
--
Francis Daly francis@daoine.org
Payam Chychi
Re: NTLM sharepoint when use nginx reverse proxy
February 23, 2018 03:10PM
On Fri, Feb 23, 2018 at 4:32 AM Francis Daly <[email protected]> wrote:

> On Fri, Feb 23, 2018 at 04:15:31AM -0500, sonpg wrote:
>
> Hi there,
>
> > myserver requires NTLM authentication. I access myserver through nginx proxy
> > and provide correct auth info,but the browser prompt auth again.
>
> http://nginx.org/r/ntlm
>
> nginx does not support NTLM authentication.
>
> If you need something to reverse-proxy a http server that uses NTLM, you
> must write the code to make your nginx do it, or you must use something
> that is not stock-nginx.
>
> If you choose the latter, "NGINX Plus" is one thing that does advertise
> NTLM support. Other things probably exist too.
>
> f
> --
> Francis Daly francis@daoine.org
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx


Pass it to squid for NTLM auth

--
Payam Tarverdyan Chychi
Network Security Specialist / Network Engineer
Jason Whittington
Re: NTLM sharepoint when use nginx reverse proxy
February 23, 2018 04:30PM
I posted this a few weeks ago – I hope it helps you. I did this with nginx plus, so it may not work if you are using the open-source product.

NTLM authentication authenticates connections instead of requests, and this somewhat contradicts the HTTP protocol, which is expected to be stateless. As a result it doesn't generally work through proxies, including nginx.

NGINX can support it though; you need to use the "ntlm" directive. Below is a [stripped down] example of how I have it set up in front of TFS. I would think Sharepoint would be very similar. This has worked very reliably for like a year.

upstream MyNtlmService {
    zone backend;
    server 192.168.0.1:8080;
    server 192.168.0.2:8080;
    #See http://stackoverflow.com/questions/10395807/nginx-close-upstream-connection-after-request
    keepalive 64;
    #See http://nginx.org/en/docs/http/ngx_http_upstream_module.html#ntlm
    ntlm;
}

server {
    listen 80;

    location / {
        proxy_read_timeout 60s;
        #http://stackoverflow.com/questions/21284935/nginx-reverse-proxy-with-windows-authentication-that-uses-ntlm
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        proxy_pass http://MyNtlmService/;
    }
}
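
Added example, not part of the post above and not nginx code: a toy Python model of the statement that NTLM authenticates connections rather than requests. The `UpstreamConnection` and `Proxy` classes, the three proxy modes and the header strings are simplifications assumed for illustration.

```python
"""Toy model: NTLM authenticates a connection, so the proxy's connection handling decides the outcome."""

HANDSHAKE = (None, "NTLM type1", "NTLM type3")  # Authorization header per request (constructed)


class UpstreamConnection:
    """One TCP connection to the backend; the auth state lives here, not in requests."""

    def __init__(self):
        self.state = "new"  # new -> challenged -> authenticated

    def handle(self, authorization):
        if self.state == "authenticated":
            return 200  # anything sent on this connection is now trusted
        if authorization == "NTLM type1":
            self.state = "challenged"
            return 401  # response carries the type 2 challenge
        if authorization == "NTLM type3" and self.state == "challenged":
            self.state = "authenticated"
            return 200
        return 401  # no handshake in progress on this connection


class Proxy:
    """mode: 'fresh' = new upstream connection per request,
    'shared' = one keepalive connection reused for all clients,
    'bound' = one upstream connection per client connection."""

    def __init__(self, mode):
        self.mode, self.shared, self.bound = mode, UpstreamConnection(), {}

    def forward(self, client, authorization=None):
        if self.mode == "fresh":
            conn = UpstreamConnection()
        elif self.mode == "shared":
            conn = self.shared
        else:
            conn = self.bound.setdefault(client, UpstreamConnection())
        return conn.handle(authorization)


def login(proxy, client):
    """Status codes a browser sees for the three-request NTLM handshake."""
    return [proxy.forward(client, header) for header in HANDSHAKE]


if __name__ == "__main__":
    for mode in ("fresh", "shared", "bound"):
        proxy = Proxy(mode)
        print(mode, login(proxy, "alice"), "then bob without credentials:", proxy.forward("bob"))
```

In this model the "fresh" mode never completes the handshake, which matches the repeated credential prompt reported in the thread, and the "shared" mode lets a second client ride on the first client's authenticated connection, which is why the upstream connection has to be bound to the client connection.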








sonpg
Re: NTLM sharepoint when use nginx reverse proxy
February 25, 2018 10:50AM
I tried it and it works, but I have a new issue. For some sites I need to redirect from port 80
to 443, and they use the same port 80 as the SharePoint site.
My code is:


events {
    worker_connections 1024;
}
stream {
    upstream ecm.test.com {
        hash $remote_addr consistent;
        server ecm.test.com:81 weight=5;
    }
    server {
        listen 81; #Line 27

        proxy_connect_timeout 1s;
        proxy_timeout 3s;
        proxy_pass ecm.test.com;
    }
}

http {
    server_tokens off;
    proxy_buffering off;
    expires 12h;
    proxy_redirect off;

    # Redirect http://test.com -> https://www.test.com
    server {
        listen 80;
        server_name www.test.com;
        #rewrite ^(.*) https://www.test.com permanent;
        return 301 https://$host$request_uri;
    }

    # Redirect http://www.test.com -> https://www.test.com
    server {
        listen 80;
        server_name test.com;
        rewrite ^(.*) https://www.test.com permanent;
        #return 301 https://$host$request_uri;
    }

    ### Reverse Proxy for WEB02
    server {
        listen 443 ssl;
        server_name www.test.com;
        ssl on;
        ### SSL cert files ###
        ssl_certificate /etc/nginx/ssl/cert.pem;
        ssl_certificate_key /etc/nginx/ssl/cert.key;

        ### ssl_ciphers HIGH:!aNULL:!MD5;
        #ssl_ciphers RC4:HIGH:!aNULL:!MD5;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_ciphers
        "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

        location / {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass https://web02.test.com;
            proxy_set_header host test.com;
        }
    }
}

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,278737,278749#msg-278749

Francis Daly
Re: NTLM sharepoint when use nginx reverse proxy
February 25, 2018 04:40PM
On Sun, Feb 25, 2018 at 04:40:36AM -0500, sonpg wrote:

Hi there,

> i try and it work but have new issue. Some site i need redirect from port 80
> to 443 and it use same port 80 with sharepoint site

What request do you make?

What response do you get?

What response do you want to get instead?

f
--
Francis Daly francis@daoine.org
sonpg
Re: NTLM sharepoint when use nginx reverse proxy
February 25, 2018 05:40PM
Here is my issue:

I am using nginx as a reverse proxy for the SharePoint site ecm.test.com:80 and
redirecting test.com:80 to https://test.com:443.
It shows "nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)"

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,278737,278753#msg-278753

Francis Daly
Re: NTLM sharepoint when use nginx reverse proxy
February 25, 2018 10:20PM
On Sun, Feb 25, 2018 at 11:34:17AM -0500, sonpg wrote:

Hi there,

> i using nginx to reverse proxy for sharepoint site: ecm.test.com:80 and
> redirect test.com:80 to https://test.com:443.
> it show "nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in
> use)"

You have something other than this nginx running, which is listening on port 80.

One nginx with two server{} blocks which each "listen 80" is ok. Two
separate nginxs which each "listen 80" is not ok.

Maybe you have an old nginx running, maybe you have another web server running.

Make sure nothing is listening on port 80 before you start this nginx.

f
--
Francis Daly francis@daoine.org
Payam Chychi
Re: NTLM sharepoint when use nginx reverse proxy
February 26, 2018 01:40AM
On Sun, Feb 25, 2018 at 1:18 PM Francis Daly <[email protected]> wrote:

> On Sun, Feb 25, 2018 at 11:34:17AM -0500, sonpg wrote:
>
> Hi there,
>
> > i using nginx to reverse proxy for sharepoint site: ecm.test.com:80 and
> > redirect test.com:80 to https://test.com:443.
> > it show "nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in
> > use)"
>
> You have something other than this nginx running, which is listening on
> port 80.
>
> One nginx with two server{} blocks which each "listen 80" is ok. Two
> separate nginxs which each "listen 80" is not ok.
>
> Maybe you have an old nginx running, maybe you have another web server
> running.
>
> Make sure nothing is listening on port 80 before you start this nginx.
>
> f
> --
> Francis Daly francis@daoine.org
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx


You can’t just install software and expect it to work. Have you drawn up a
design document at all that covers how the connections are handled and
forwarded?

You can’t have multiple processes listening to the same ip:port. You can
get away by changing the ports for different backend applications or using
different ip addresses.

Draw out your design and give it a bit of thought.

--
Payam Tarverdyan Chychi
Network Security Specialist / Network Engineer
sonpg
Re: NTLM sharepoint when use nginx reverse proxy
My design is: enduser --> nginx --> sites (sharepoint site:443, web:80;
443).
If the server listens on 80, it will redirect to 443.
I tried to use a stream block, but it can't use the same port.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,278737,278885#msg-278885

Francis Daly
Re: NTLM sharepoint when use nginx reverse proxy
March 02, 2018 05:00PM
On Fri, Mar 02, 2018 at 05:30:00AM -0500, sonpg wrote:

Hi there,

> my design is : enduser --> nginx --> sites (sharepoint site:443, web:80;
> 443)
> if server listen in 80 will redirect to 443

That seems generally sensible.

> i try to use stream block but it can't use same port.

Ah: you have one nginx, but with one "stream { server { listen 80; } }"
and also one "http { server { listen 80; } }".

Yes, that will not work. (And is not a case I had imagined, when I sent
the previous mail.)

If you use both stream and http, they cannot both listen on the same ip:port.

You use "http" because you want nginx to reverse-proxy one or more
web sites. You use "stream" because you want nginx to reverse-proxy
one ntlm-authentication web site, and you know that nginx does not
reverse-proxy ntlm.

You use "stream" to send all inbound traffic to a specific backend server,
in order to get around nginx's lack of ntlm support. You can do that,
but you can not also use "http" on the same port, because that would
want to handle the same inbound traffic.

So you must choose to stop supporting the ntlm web site, or to stop
supporting more-than-one web site, or to use something other than nginx.

(Or to put the ntlm stream listener and the http listener on different
ip:ports -- you might be able to use multiple IP addresses, depending
on your setup.)

f
--
Francis Daly francis@daoine.org
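
Added example, not part of the post above and not an nginx tool: a small Python check for the situation described there, where a stream{} listener and an http{} listener claim the same ip:port. The parser is a simplification, the sample configs and the 192.0.2.x addresses are constructed placeholders, and treating a bare port or 0.0.0.0 as overlapping every address is an assumption of this example.

```python
"""Flag ports that both stream{} and http{} try to listen on (simplified nginx config scan)."""
import re

WILDCARD = {"", "*", "0.0.0.0"}


def listeners(conf):
    """Return (context, address, port) per listen directive; context is the top-level block."""
    conf = re.sub(r"#[^\n]*", "", conf)  # strip comments (assumes no '#' inside strings)
    stack, found = [], []
    for stmt, delim in re.findall(r"([^;{}]*)([;{}])", conf):
        words = stmt.split()
        if delim == "{":
            stack.append(words[0] if words else "")
        elif delim == "}":
            if stack:
                stack.pop()
        elif stack and len(words) > 1 and words[0] == "listen":
            addr, _, port = words[1].rpartition(":")
            found.append((stack[0], "*" if addr in WILDCARD else addr, port))
    return found


def conflicts(conf):
    """Return sorted (port, stream_addr, http_addr) tuples where the two modules collide.
    Assumption: a wildcard listen overlaps every address on that port."""
    found = listeners(conf)
    hits = set()
    for ctx_s, addr_s, port_s in found:
        for ctx_h, addr_h, port_h in found:
            if (ctx_s, ctx_h) == ("stream", "http") and port_s == port_h \
                    and (addr_s == addr_h or "*" in (addr_s, addr_h)):
                hits.add((port_s, addr_s, addr_h))
    return sorted(hits)


# Constructed configs: one listener pair on the same port, one split across two IPs.
SAME_PORT = """
stream { server { listen 80; proxy_pass 192.0.2.20:80; } }
http   { server { listen 80; server_name www.test.com; return 301 https://$host$request_uri; } }
"""
SPLIT_IPS = SAME_PORT.replace("listen 80; proxy_pass", "listen 192.0.2.10:80; proxy_pass") \
                     .replace("listen 80; server_name", "listen 192.0.2.11:80; server_name")

if __name__ == "__main__":
    print(conflicts(SAME_PORT))   # [('80', '*', '*')]
    print(conflicts(SPLIT_IPS))   # []
```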
sonpg
Re: NTLM sharepoint when use nginx reverse proxy
I tried using a different port, but the SharePoint site gets an error:
ERR_EMPTY_RESPONSE


stream {
    upstream ecm {
        hash $remote_addr consistent;
        server ecm.test.vn:80 weight=5;
        server 10.68.8.182:80 max_fails=3 fail_timeout=30s;
        server ecm.test.vn:443 weight=5;
        server 10.68.8.182:444 max_fails=3 fail_timeout=30s;
        ntlm on;
    }

    server {
        listen 444 ssl; #Line 27

        ssl_certificate /etc/nginx/ssl/test/test.pem;
        ssl_certificate_key /etc/nginx/ssl/test/test.key;
        ssl_session_cache shared:SSL:10m;

        ssl_session_timeout 5m;

        proxy_connect_timeout 1s;
        proxy_timeout 3s;
        proxy_pass ecm.test.vn;
    }
}

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,278737,278914#msg-278914
