Fix an issue with NTLM authentication #727
Conversation
NTLM authentication sends a challenge and response which translate to www-authenticate fields which are concated into a single string. When you send the response back proxied you need to split the string and send it back as an array. You will still need to create a keepalive agent to use this.
|
👍 |
|
There should be a way to do this without injecting this logic here. Perhaps exposing a way to mutate headers before they are written? |
|
@mburbea you can listen for the |
|
Perhaps I could, but I don't know if this is the best way to resolve this. Proxying NTLM is a very common scenario in corporate settings. This is not some oddball case and most other proxies can actually handle this scenario just find. It is also extremely hard to find documentation on this, and other people who use this tool and need to proxy ntlm would have a much easier time if this was added and certainly documentation about this case would be great. The fact that out of the box, keepalive wasn't configured was actually alarming (without using the agent but using this patch you will get a 400 bad-request on the challenge part of ntlm). I think that the issue in that the two request headers |
|
How exactly could I go about doing this with proxyReq? I can't seem to figure it out and proxyRes I assume is too late in the pipeline to be relevant. |
|
@mburbea I realized you do want var httpProxy = require('http-proxy');
var Agent = require('agentkeepalive');
var agent = new Agent({
maxSockets: 100,
keepAlive: true,
maxFreeSockets: 10,
keepAliveMsecs:1000,
timeout: 60000,
keepAliveTimeout: 30000 // free socket keepalive for 30 seconds
});
var proxy = httpProxy.createProxy({ target: 'http://whatever.com', agent: agent);
// Modify headers of the request before it gets sent
proxy.on('proxyRes', function (proxyRes) {
var key = 'www-authenticate';
proxyRes.headers[key] = proxyRes.headers[key] && proxyRes.headers[key].split(',');
});
require('http').createServer(function (req, res) {
proxy.web(req, res);
}).listen(3000);The rest is taken care of by the exact function you modified since you were able to touch the headers before hand. I will still consider your PR if this use case is large enough, I just dislike the custom logic bit as it seems niche to me. |
|
Thanks that does indeed work. I was able to visit my proxied site. |
|
@mburbea I still believe there should be no agent by default but we should be clear in the documentation that this disables keepalive and to suggest using this module for that particular case. I'd definitely take a PR for the documentation 😄 |
|
+1 |
|
This shouldn't be handled in |
NTLM authentication sends a challenge and response which translate to www-authenticate fields which are concated into a single string. When you send the response back proxied you need to split the string and send it back as an array. You will still need to create a keepalive agent to use this. So I used the library agentkeepalive like so..
To actually use this code a relevant code snippet might be:
/*