2

I have several Linux HTTP servers setup with no authentication required to access the web content. I would like for my Windows users to be able to access these sites with pass-through authentication.

I don't want to have to try and set this up on every web server though. My idea is that I could NTLM authenticate them at a reverse proxy and then the proxy could make the unauthenticated request and the web servers would only accept connections from said reverse proxy. Ideally I would be able to restrict access to certain sites/urls based on the users AD group but that is not a requirement.

Most examples/tutorials I have come across in searching are about proxying the credentials all the way to the destination web server but I want the proxy to do the authentication itself. I'm fine with running the proxy in Windows if I need. Whatever is easiest to setup is what I'm looking for.

getsauce
  • 101
  • 1
  • 2
  • 9
  • Sounds like nginx sells it as commercial https://www.nginx.com/solutions/application-security/ – Lex Li Jul 20 '18 at 02:24

1 Answers1

2

I ended up with 2 viable solutions to this problem. Hopefully this will be helpful to anyone trying to setup something similar.

  1. Set up IIS with ARR (Application Request Routing) and enable Windows authentication globally. Then, configure a global authorization rule to allow whichever users you want to be able to authenticate through the reverse proxy. The downsides to this method were that you can't easily set different permissions to different sites if you're proxying more than one. You can specify a "location path" in a URL authorization rule but you can't say server1 allow these users server2 allow these users.

  2. The option I chose to use was running Apache 2.4 w/ a newer NTLM plugin I found on Github (https://github.com/TQsoft-GmbH/mod_authn_ntlm). I didn't come across any drawbacks using this method. Config below.

    <VirtualHost *:*>
  ProxyPass / http://server1/
  ProxyPassReverse / http://server1

  ServerName proxy1

  <Location /* >
    AuthType SSPI
    NTLMAuth On
    NTLMAuthoritative On
    NTLMOfferBasic On
    <RequireAny>
      Require sspi-user contoso\johnsmith
    </RequireAny>
  </Location>
</VirtualHost>

<VirtualHost *:*>
  ProxyPass / http://server2/
  ProxyPassReverse / http://server2

  ServerName proxy2

  <Location /* >
    AuthType SSPI
    NTLMAuth On
    NTLMAuthoritative On
    NTLMOfferBasic On
    <RequireAny>
      Require sspi-group "contoso\Domain Users"
    </RequireAny>
  </Location>
</VirtualHost>
getsauce
  • 101
  • 1
  • 2
  • 9