Reverse-proxying Windows NTLM authentication with nginx
In one project, using open-source nginx to reverse-proxy Windows NTLM authentication produced repeated login prompts. The final analysis traced this to the keepalive behaviour changing during the NTLM authentication handshake: NTLM authenticates a TCP connection rather than an individual request, so if nginx opens a new upstream connection partway through the handshake, authentication starts over and the browser prompts again.
Based on this, nginx.conf was modified as follows:
worker_processes auto;
worker_rlimit_nofile 65535;

events {
    worker_connections 65535;
}

http {
    include mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log logs/access.log main;

    sendfile on;
    keepalive_timeout 65;

    # keepalive must be added to the upstream load-balancing definition
    upstream adrms_service {
        ip_hash;
        server 192.168.1.1:443;
        server 192.168.1.2:443;
        keepalive 32;
    }

    # force port 80 to redirect to 443
    server {
        listen 80;
        server_name adrms.example.com;
        rewrite ^(.*) https://$server_name$request_uri? permanent;
    }

    server {
        listen 443 ssl;
        server_name adrms.example.com;
        ssl_certificate cert/adrms.example.com.pem;
        ssl_certificate_key cert/adrms.example.com.key;
        ssl_session_cache shared:SSL:10m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:HIGH:!aNULL:!eNULL:!NULL:!MD5:!RC4:!DHE:!AESGCM:!DH:!EDH;
        ssl_prefer_server_ciphers on;
        charset UTF-8;

        # the location must add proxy_http_version 1.1 and proxy_set_header Connection "";
        location / {
            proxy_buffer_size 64k;
            proxy_buffers 32 32k;
            proxy_busy_buffers_size 128k;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            if ( $request_uri = "/" ) {
                rewrite ^ $scheme://$host/_wmcs/licensing/license.asmx break;
            }
            proxy_pass https://adrms_service;
        }
    }
}
If you are using NGINX Plus, you can instead add the dedicated ntlm; directive directly in the upstream block:
upstream adrms_service {
    ip_hash;
    server 192.168.1.1:443;
    server 192.168.1.2:443;
    ntlm;
}
With the configuration above, nginx can proxy NTLM authentication without any Lua code or the commercial NGINX Plus edition.
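As an added example (not part of the original post), the following Python script parses an nginx.conf and reports, for every location that proxies to a named upstream, which of the settings discussed above are missing: keepalive (or ntlm on NGINX Plus) in the upstream block, proxy_http_version 1.1, and an empty Connection header in the location. The mini-parser, the function names and the two embedded sample configs are my own constructions; the samples reuse the post's adrms_service upstream name and addresses, and the "default" sample shows the settings that produce the repeated login prompts.

```python
import re
from dataclasses import dataclass

# A token is a comment, a double-quoted arg, a single-quoted arg, one of {};, or a bare word.
_TOKEN = re.compile(r'#[^\n]*|"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\'|([{};])|([^\s{};#"\']+)')


@dataclass
class Directive:
    name: str
    args: list
    block: list = None   # None for a simple directive, a list of Directives for a block


def tokenize(text):
    """Split config text into (kind, value) tokens; quoted args get kind 'str' so "" survives."""
    tokens = []
    for m in _TOKEN.finditer(text):
        if m.group(0).startswith("#"):
            continue
        if m.group(3):
            tokens.append(("punct", m.group(3)))
        elif m.group(4):
            tokens.append(("word", m.group(4)))
        else:
            raw = m.group(1) if m.group(1) is not None else m.group(2)
            tokens.append(("str", re.sub(r"\\(.)", r"\1", raw)))
    return tokens


def parse(tokens, pos=0):
    """Recursive-descent parse into a directive tree; returns (directives, next position)."""
    items = []
    while pos < len(tokens):
        kind, val = tokens[pos]
        if kind == "punct" and val == "}":
            return items, pos + 1
        name, args, pos = val, [], pos + 1
        while pos < len(tokens) and tokens[pos][0] != "punct":
            args.append(tokens[pos][1])
            pos += 1
        if pos >= len(tokens):
            raise ValueError(f"unterminated directive {name}")
        punct, pos = tokens[pos][1], pos + 1
        if punct == "{":
            block, pos = parse(tokens, pos)
            items.append(Directive(name, args, block))
        elif punct == ";":
            items.append(Directive(name, args))
        else:
            raise ValueError(f"unexpected '{punct}' after {name}")
    return items, pos


def audit_ntlm(conf_text):
    """Check every location that proxies to a named upstream; an empty list means NTLM-safe."""
    tree, _ = parse(tokenize(conf_text))
    http = next((d.block for d in tree if d.name == "http" and d.block is not None), None)
    if http is None:
        return ["no http {} block found"]
    # upstream name -> True if it keeps upstream connections open (keepalive, or ntlm on NGINX Plus)
    upstreams = {d.args[0]: any(x.name in ("keepalive", "ntlm") for x in d.block)
                 for d in http if d.name == "upstream" and d.args and d.block is not None}

    def effective(chain, name):
        # innermost context that defines `name` wins (nginx's inheritance rule for proxy_* settings)
        return next(([d for d in ctx if d.name == name] for ctx in reversed(chain)
                     if any(d.name == name for d in ctx)), [])

    findings = []
    for srv in (d for d in http if d.name == "server" and d.block is not None):
        for loc in (d for d in srv.block if d.name == "location" and d.block is not None):
            chain, label = [http, srv.block, loc.block], "location " + " ".join(loc.args)
            for pp in effective(chain, "proxy_pass"):
                m = re.match(r"^(?:https?://)?([^/:$]+)", pp.args[0])
                target = m.group(1) if m else pp.args[0]
                if target not in upstreams:
                    continue                          # plain host, not a named upstream
                if not upstreams[target]:
                    findings.append(f"upstream {target}: missing 'keepalive N;' (or 'ntlm;' on NGINX Plus)")
                ver = effective(chain, "proxy_http_version")
                if not ver or ver[-1].args != ["1.1"]:
                    findings.append(f"{label} -> {target}: missing 'proxy_http_version 1.1;'")
                if not any(len(h.args) == 2 and h.args[0].lower() == "connection" and h.args[1] == ""
                           for h in effective(chain, "proxy_set_header")):
                    findings.append(f"{label} -> {target}: missing 'proxy_set_header Connection \"\";'")
    return findings


# Constructed sample configs (not a real deployment): the corrected setup from the post,
# and the default settings that produce the repeated login prompts.
GOOD_CONF = """http {
  upstream adrms_service { ip_hash; server 192.168.1.1:443; server 192.168.1.2:443; keepalive 32; }
  server { listen 443 ssl;
    location / { proxy_set_header Host $host; proxy_http_version 1.1; proxy_set_header Connection "";
                 if ( $request_uri = "/" ) { rewrite ^ $scheme://$host/_wmcs/licensing/license.asmx break; }
                 proxy_pass https://adrms_service; } }
}"""
BAD_CONF = """http {
  upstream adrms_service { ip_hash; server 192.168.1.1:443; server 192.168.1.2:443; }
  server { listen 443 ssl; location / { proxy_set_header Host $host; proxy_pass https://adrms_service; } }
}"""

if __name__ == "__main__":
    for name, conf in (("corrected", GOOD_CONF), ("default", BAD_CONF)):
        print(name, audit_ntlm(conf) or "OK")
```

Run it against a real file with audit_ntlm(open("/etc/nginx/nginx.conf").read()); the checks follow nginx's inheritance rules, so a proxy_http_version set at server or http level counts, while a location that defines any proxy_set_header of its own must also define the empty Connection header there.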