PR 39673 revealed a problem with NTLM and mod_proxy_http.
Actually NTLM does not work any longer with proxied backends doing NTLM
authentication.
As far as I understand NTLM, the current 2.2.x proxy implementation does NOT
support it, because there is no guarantee that the same backend connection is
used for the next request on a keepalive frontend connection. Each request from
a frontend connection leases a backend connection from a connection pool for
the request and returns it to the pool immediately after the request has been
processed. When the next request on this keepalive frontend connection is
processed, it may lease a different backend connection from the pool.
This raises two questions for me:
1. The current approach of leasing connections from the pool on a per-request
   basis means that a keepalive frontend connection may use a different backend
   connection for each request and that a keepalive backend connection may be
   used by different frontend connections. Does this approach violate any RFCs
   we claim to implement / support?
2. If the answer to 1. is no, the question that remains is: Do we claim / want
   to support NTLM on proxied backends? As far as I understand there is no
   official spec for NTLM, correct?
Regards
Rüdiger
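
The per-request leasing described in the message above, as a small model (an added example, not part of the original message and not mod_proxy code). It assumes the backend binds the NTLM handshake and the resulting identity to the TCP connection; all class and function names are hypothetical, and PinnedFrontend is one possible mitigation, not existing httpd behaviour.

```python
from collections import deque

class BackendConn:
    """One keepalive backend connection; auth state lives on the connection (model assumption)."""
    def __init__(self, cid):
        self.cid, self.challenge_sent, self.auth_user = cid, False, None

    def handle(self, user, msg):
        if msg == "NEGOTIATE":                  # step 1: backend issues a challenge
            self.challenge_sent, self.auth_user = True, None
            return "401 CHALLENGE"
        if msg == "AUTHENTICATE":               # step 2: must arrive on the same connection
            if not self.challenge_sent:
                return "401 RESTART"            # this connection never issued a challenge
            self.challenge_sent, self.auth_user = False, user
            return "200 OK"
        # Ordinary request: served under whatever identity the connection holds.
        return f"200 as {self.auth_user}" if self.auth_user else "401"

class Pool:
    def __init__(self, size):
        self.idle = deque(BackendConn(i) for i in range(size))
    def lease(self):
        return self.idle.popleft()
    def release(self, conn):
        self.idle.append(conn)

def per_request(pool, user, msg):
    """Lease for one request, then return to the pool (the behaviour described above)."""
    conn = pool.lease()
    try:
        return conn.handle(user, msg)
    finally:
        pool.release(conn)

class PinnedFrontend:
    """Hypothetical mitigation: one backend connection held for the frontend connection's lifetime."""
    def __init__(self, pool):
        self.conn = pool.lease()
    def request(self, user, msg):
        return self.conn.handle(user, msg)

def split_handshake():      # the two handshake steps land on different backend connections
    pool = Pool(2)
    return [per_request(pool, "alice", m) for m in ("NEGOTIATE", "AUTHENTICATE")]

def shared_identity():      # another frontend reuses an already authenticated connection
    pool = Pool(1)
    for m in ("NEGOTIATE", "AUTHENTICATE"):
        per_request(pool, "alice", m)
    return per_request(pool, "bob", "GET")

def pinned():               # pinning keeps both the handshake and the identity separate
    pool = Pool(2)
    a, b = PinnedFrontend(pool), PinnedFrontend(pool)
    a.request("alice", "NEGOTIATE")
    return a.request("alice", "AUTHENTICATE"), b.request("bob", "GET")
```

In this model split_handshake() shows the broken authentication reported in the PR, while shared_identity() shows the second consequence of question 1: a request from a different frontend connection served under the identity left on a pooled backend connection.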