httpd-users mailing list archives

From Deanna Stevenson <dstevens...@gmail.com>
Subject Re: [users@httpd] Apache Reverse Proxy and NTLM Authentication Help!
Date Tue, 14 Nov 2017 21:01:56 GMT
Thanks a lot Yann for your input. Currently we are looking into alternative
authentication methods.

I am running this alongside modsecurity, and I wanted to post Osama
Elnaggar's suggestion here, who was great enough to read my posts both here
and on the modsecurity list to provide a suggestion. It might help others with a
similar problem.
.................
Deanna,

It's pretty clear from your emails here + on the Apache HTTP user's list
that you are trying to get mod_security + Apache reverse proxy up and
running to protect some internal web site (probably Sharepoint) that uses
NTLM/Integrated Windows Authentication.  Given that, here is what I would
suggest:

Try using the prefork configuration as Yann suggested on the Apache HTTP
user's mailing list in response to your NTLM question as it looks like your
setup won't work with event or worker MPMs.  Also, as this will only serve
internal users, the # of concurrent processes you'll have to run using
prefork won't be an issue if you are running this in reverse proxy mode
(I'm guessing that 500 concurrent processes will probably more than
adequately handle your requirements unless you have a ton of internal users
concurrently accessing the internal portal)

You can then stress test it / load test it using JMeter (which has support
for NTLM / Integrated Windows Authentication) with the expected # of
concurrent users you will have to see if it meets your requirements or if
you need to add memory, etc. to your reverse proxy.  You may need to use
more than one machine running JMeter to get to the desired # of simulated
concurrent requests.

As for prefork vs. event or worker, both event and worker are better due to
faster context switching and smaller memory structures but I don't think
it's an option in your use case due to the NTLM requirement and you
shouldn't really have a problem as mentioned above.  Also, as you will be
running a reverse proxy, you'll be running with minimal modules on your
reverse proxy anyway (make sure you don't have any non-necessary modules),
so the additional hit hopefully isn't too great (and you can minimize it by
keeping your KeepAlive timeout short).

Finally, to improve performance, make sure that the origin servers
(Sharepoint) are sending cache-control headers with long validity periods
for static content which isn’t expected to change.  You can additionally add
a caching tier for static content at the Apache level as well to improve
performance if needed (mod_cache, mod_file_cache, etc.).  Both of these
will help you handle even more concurrent users.
..................

On Fri, Nov 10, 2017 at 5:42 AM, Yann Ylavic <ylavic.dev@gmail.com> wrote:

> Deanna,
>
> On Fri, Nov 10, 2017 at 3:17 AM, Deanna Stevenson <dstevensone@gmail.com>
> wrote:
> > Thanks Yann. I am on ubuntu 16.04 and apache 2.4.8, and it looks like the
> > MPM module I have right now is "event", which seems to be default for modern
> > OSs. It seems like in 2.4 I can load different MPM modules at run time, and
> > don't have to recompile apache. Do you agree?
>
> Yes, no need to recompile, the loaded MPM is per configuration.
> Thus there must be two different Apache httpd instances to run
> different MPMs at the same time.
>
> > If yes, can I switch back and
> > forth between prefork and event easily,
>
> If you want a single instance, that's the one or the other for *all*
> your virtual hosts, but yes you can switch between them with a restart
> (probably not a graceful one).
>
> > or do I need to plan for anything
>
> Personally I'd run two separate instances, without touching the existing
> one.
> That implies a separate listening IP address (or a different port)
> for the new instance, though.
> The prefork instance would be isolated, with its own configuration
> file, probably standalone and simpler than the whole "/etc/apache2/"
> tree for the system's instance (something like a single
> "/etc/apache2/apache2-prefork.conf" per ubuntu nomenclature, with its
> own "LoadModule mpm_prefork_module
> /usr/lib/apache2/modules/mod_mpm_prefork.so").
> Yet the same apache2 binary (and common modules' binaries) would be
> used to run the two instances; that way they will be as usual with
> the system.
> The prefork instance would just have to be started separately (by the
> system) with a reference to its own configuration file; the way to do
> this depends on your or ubuntu's policy though, either systemd or an
> init.d starter, your choice.
>
> > (other than MPM prefork using more resources, is it going to corrupt any
> > other dependencies?), as this is in production, and am using this in
> > conjunction with mod security.
>
> MPM prefork won't run mod_http2 for example, I think mod_security is
> fine with prefork (not sure).
> This is something very specific to your architecture and applications,
> that's why I wouldn't change something working already and just create
> a new prefork configuration from scratch (or inspired from the
> existing event one) and run it separately.
>
>
> Regards,
> Yann.
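The standalone prefork instance Yann describes, written out as an added example; this is not configuration from the thread or from the Apache project, and it is not known to be what the poster deployed. The file name, the listening port 8080, the backend hostname `sharepoint.internal.example`, the log and pid paths, and the module paths under `/usr/lib/apache2/modules/` are assumptions chosen to match the Ubuntu layout mentioned above; adjust them to the local system. It also folds in Osama's points: a minimal module list, a short KeepAlive timeout, a 500-process ceiling, and mod_security inspecting traffic in front of the backend.

```apacheconf
# Added example (not from the thread): a second httpd instance running the
# prefork MPM next to Ubuntu's stock event-MPM instance. File name, port,
# backend host, paths and module locations are assumptions.
# Validate, then start it independently of the system instance:
#   apache2 -t -f /etc/apache2/apache2-prefork.conf
#   apache2 -f /etc/apache2/apache2-prefork.conf

ServerRoot "/etc/apache2"
ServerName proxy.internal.example

# Runtime files must not collide with those of the system instance.
PidFile /var/run/apache2/apache2-prefork.pid
Mutex file:/var/lock/apache2-prefork default
ErrorLog /var/log/apache2/prefork-error.log
LogLevel warn

User www-data
Group www-data

# The MPM is chosen per configuration, so this instance loads prefork while
# the system instance keeps event. Prefork serves each client connection from
# its own process, which the thread reports the connection-based NTLM
# authentication needs; event and worker did not work for this setup.
LoadModule mpm_prefork_module /usr/lib/apache2/modules/mod_mpm_prefork.so
# Ceiling on concurrent connections: 500 processes, the thread's estimate.
ServerLimit 500
MaxRequestWorkers 500
StartServers 10
MinSpareServers 10
MaxSpareServers 50

# Only the modules a reverse proxy with mod_security needs.
LoadModule unixd_module      /usr/lib/apache2/modules/mod_unixd.so
LoadModule authz_core_module /usr/lib/apache2/modules/mod_authz_core.so
LoadModule log_config_module /usr/lib/apache2/modules/mod_log_config.so
LoadModule proxy_module      /usr/lib/apache2/modules/mod_proxy.so
LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so
# mod_security2 refuses to start unless mod_unique_id is loaded.
LoadModule unique_id_module  /usr/lib/apache2/modules/mod_unique_id.so
LoadModule security2_module  /usr/lib/apache2/modules/mod_security2.so

# A port (or address) the system instance does not listen on.
Listen 0.0.0.0:8080

# Short keep-alive timeout so idle clients release their process quickly.
KeepAlive On
KeepAliveTimeout 2
MaxKeepAliveRequests 100

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog /var/log/apache2/prefork-access.log combined

# Reverse proxy only; never act as a forward proxy.
ProxyRequests Off
ProxyPreserveHost On

# mod_security rules (Ubuntu keeps them under /etc/modsecurity/); the engine
# is switched on after the include so a DetectionOnly default does not win.
IncludeOptional /etc/modsecurity/*.conf
SecRuleEngine On

# Internal backend (e.g. Sharepoint) doing NTLM / Integrated Windows Auth.
ProxyPass        "/" "http://sharepoint.internal.example/"
ProxyPassReverse "/" "http://sharepoint.internal.example/"
```

Because the MPM and the pid, lock and log paths are all set inside this one file, the system's `/etc/apache2/apache2.conf` tree is left untouched and both instances share the same `apache2` binary and module files, so package updates keep them in step. Whatever starts the second instance (a systemd unit or an init.d script, per local policy) only needs to pass `-f` with this file's path.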
