Keep Alive (NTLM)
Problem
I am trying to proxy content and the target server is running NTLM auth. The NTLM spec requires a certain handshake where the first 401 is sent, and the client responds. http://www.innovation.ch/personal/ronald/ntlm.html

[code block]

I've run Wireshark and Fiddler and I can see that the connection is NOT being re-used even though the req and res object include the required connection = 'keep-alive'. I've attached screenshots of Wireshark showing different ports being used during the multiple stages of NTLM authentication.

Doing some research I got conflicting stories on if keep-alive actually does work, and if it does / does not work in node-http-proxy. So far, running through squid-proxy, Fiddler, and other proxies, Wireshark reports the correct re-using of the connection. The only one that does not show this is node-http-proxy (and it's also the only one that isn't able to auth the user correctly).

In addition it seems like the headers for www-authenticate are being mangled when there are multiple ones so I had to put in a patch... Without this Firefox, Chrome, IE were not prompting for NTLM authentication because there was only ONE www-authenticate header being returned rather than two separate ones.

[code block]

Bad (through node-http-proxy)

As shown above you can see for each request we grab a new socket (which destroys NTLM auth and proves that it is not doing keep-alive).

Good (through fiddler, squid, etc)

The above capture shows that with a proxy running (fidd
1 Fix
Implement Connection Reuse for NTLM Authentication in Node-HTTP-Proxy
Node-http-proxy does not properly manage persistent connections for NTLM authentication, leading to new sockets being created for each request instead of reusing the existing connection. This behavior disrupts the NTLM handshake process, which relies on maintaining the same connection for authentication messages.
1. Modify Node-HTTP-Proxy to Support Keep-Alive
Update the node-http-proxy configuration to ensure that the 'Connection: keep-alive' header is consistently set for all requests. This will help maintain the connection during the NTLM handshake process.
```javascript
proxy.on('proxyReq', function (proxyReq, req, res, options) {
  proxyReq.setHeader('Connection', 'keep-alive');
});
```

2. Ensure Proper Handling of WWW-Authenticate Headers
Implement a custom middleware to intercept the response and correctly handle multiple 'WWW-Authenticate' headers. This will ensure that both NTLM and any other required authentication schemes are properly communicated to the client.
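```javascript
proxy.on('proxyRes', function (proxyRes, req, res) {
  // Node folds repeated WWW-Authenticate headers into one comma-separated
  // string. Split it back into an array before http-proxy copies the headers,
  // so each scheme (e.g. Negotiate, NTLM) goes out as its own header line.
  // A plain comma split suits parameterless challenges such as these.
  const authHeader = proxyRes.headers['www-authenticate'];
  if (typeof authHeader === 'string') {
    proxyRes.headers['www-authenticate'] = authHeader.split(',').map((v) => v.trim());
  }
});
```

3. Enable Keep-Alive on the HTTP Agent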
Configure the HTTP agent used by node-http-proxy to enable keep-alive connections. This will allow the proxy to reuse sockets for multiple requests, which is essential for NTLM authentication.
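```javascript
const http = require('http');
const httpProxy = require('http-proxy');

// Keep upstream sockets open between requests so they can be reused.
const keepAliveAgent = new http.Agent({ keepAlive: true });
const proxy = httpProxy.createProxyServer({ agent: keepAliveAgent });
```

4. Test with Multiple Browsers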
After implementing the changes, test the proxy with multiple browsers (Firefox, Chrome, IE) to confirm that the NTLM authentication prompts are displayed correctly and that the connection is reused.
Validation
To confirm the fix, use Wireshark to monitor the network traffic during NTLM authentication. Verify that the same socket is reused for multiple requests and that both required 'WWW-Authenticate' headers are present in the response. Additionally, check that browsers prompt for NTLM authentication as expected.
Submitted by
Alex Chen
2450 rep
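
Added example, not from the original fix or the http-proxy project: NTLM authenticates the TCP connection rather than each request, so this sketch gives every inbound client socket its own keep-alive agent limited to one upstream socket, instead of the single agent pooled across all clients in step 3. `agentFor`, `demo`, `TARGET` and the commented `proxy.web` wiring are assumptions for illustration.

```javascript
const http = require('http');
const { EventEmitter } = require('events');

// One upstream agent per inbound client socket. An NTLM-authenticated
// upstream socket carries that user's identity, so it must never be
// handed to a request arriving from a different client connection.
const agents = new WeakMap();

function agentFor(clientSocket) {
  let agent = agents.get(clientSocket);
  if (!agent) {
    // keepAlive keeps the upstream socket open across the NTLM round trips;
    // maxSockets: 1 forces every request from this client onto that socket.
    agent = new http.Agent({ keepAlive: true, maxSockets: 1 });
    agents.set(clientSocket, agent);
    // Tear down the authenticated upstream socket when the client leaves.
    clientSocket.once('close', () => {
      agent.destroy();
      agents.delete(clientSocket);
    });
  }
  return agent;
}

// Assumed wiring with http-proxy (not executed here):
//   http.createServer((req, res) =>
//     proxy.web(req, res, { target: TARGET, agent: agentFor(req.socket) }));

// Constructed stand-ins for two client connections, to show the isolation.
function demo() {
  const clientA = new EventEmitter();
  const clientB = new EventEmitter();
  const first = agentFor(clientA);
  const result = {
    reusedForSameClient: agentFor(clientA) === first,
    isolatedBetweenClients: agentFor(clientB) !== first,
    maxSockets: first.maxSockets,
  };
  clientA.emit('close');
  result.freshAfterClose = agentFor(clientA) !== first;
  return result;
}
```

In a Wireshark capture this should show one upstream source port per client connection for the whole handshake, and a different port for each other client.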