commit 7b728d616e417f0a8cd25375f70b8a332ad23a71 Author: Lukas Tribus Date: Sat Oct 27 20:06:59 2018 +0200 BUG/MINOR: only mark connections private if NTLM is detected Instead of marking all connections that see a 401/407 response private (for connection reuse), this patch detects a RFC4559/NTLM authentication scheme and restricts the private setting to those connections. This is so we can reuse connections with 401/407 responses with deterministic load balancing algorithms later (which requires another fix). This fixes the problem reported here by Elliot Barlas : https://discourse.haproxy.org/t/unable-to-configure-load-balancing-per-request-over-persistent-connection/3144 Should be backported to 1.8. (cherry picked from commit fd9b68c48ecdba5e7971899f4eec315c8e3a3cfe) Signed-off-by: Willy Tarreau diff --git a/doc/configuration.txt b/doc/configuration.txt index 09980248..43b1b822 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -4798,10 +4798,8 @@ http-reuse { never | safe | aggressive | always } - connections sent to a server with a TLS SNI extension are marked private and are never shared; - - connections receiving a status code 401 or 407 expect some authentication - to be sent in return. Due to certain bogus authentication schemes (such - as NTLM) relying on the connection, these connections are marked private - and are never shared; + - connections with certain bogus authentication schemes (relying on the + connection) like NTLM are detected, marked private and are never shared; No connection pool is involved, once a session dies, the last idle connection it was attached to is deleted at the same time. This ensures that connections diff --git a/src/proto_http.c b/src/proto_http.c index 8f86422d..cde2dbf7 100644 --- a/src/proto_http.c +++ b/src/proto_http.c @@ -4388,8 +4388,6 @@ void http_end_txn_clean_session(struct stream *s) * it's better to do it (at least it helps with debugging). */ s->txn->flags |= TX_PREFER_LAST; - if (srv_conn) - srv_conn->flags |= CO_FL_PRIVATE; } /* Never ever allow to reuse a connection from a non-reuse backend */ @@ -5053,10 +5051,13 @@ int http_wait_for_response(struct stream *s, struct channel *rep, int an_bit) struct http_txn *txn = s->txn; struct http_msg *msg = &txn->rsp; struct hdr_ctx ctx; + struct connection *srv_conn; int use_close_only; int cur_idx; int n; + srv_conn = cs_conn(objt_cs(s->si[1].end)); + DPRINTF(stderr,"[%u] %s: stream=%p b=%p, exp(r,w)=%u,%u bf=%08x bh=%d analysers=%02x\n", now_ms, __FUNCTION__, s, @@ -5588,6 +5589,27 @@ int http_wait_for_response(struct stream *s, struct channel *rep, int an_bit) msg->body_len = msg->chunk_len = cl; } + /* check for NTML authentication headers in 401 (WWW-Authenticate) and + * 407 (Proxy-Authenticate) responses and set the connection to private + */ + if (srv_conn && txn->status == 401) { + /* check for Negotiate/NTLM WWW-Authenticate headers */ + ctx.idx = 0; + while (http_find_header2("WWW-Authenticate", 16, rep->buf->p, &txn->hdr_idx, &ctx)) { + if ((ctx.vlen >= 9 && word_match(ctx.line + ctx.val, ctx.vlen, "Negotiate", 9)) || + (ctx.vlen >= 4 && word_match(ctx.line + ctx.val, ctx.vlen, "NTLM", 4))) + srv_conn->flags |= CO_FL_PRIVATE; + } + } else if (srv_conn && txn->status == 407) { + /* check for Negotiate/NTLM Proxy-Authenticate headers */ + ctx.idx = 0; + while (http_find_header2("Proxy-Authenticate", 18, rep->buf->p, &txn->hdr_idx, &ctx)) { + if ((ctx.vlen >= 9 && word_match(ctx.line + ctx.val, ctx.vlen, "Negotiate", 9)) || + (ctx.vlen >= 4 && word_match(ctx.line + ctx.val, ctx.vlen, "NTLM", 4))) + srv_conn->flags |= CO_FL_PRIVATE; + } + } + skip_content_length: /* Now we have to check if we need to modify the Connection header. * This is more difficult on the response than it is on the request,