Reverse-proxying an NTLM-protected website

How do I proxy requests to NTLM-protected websites, like TeamFoundation and SharePoint? I keep getting 401 authentication errors.

Saustrup asked Dec 19 '22 10:12


1 Answer

According to this Microsoft TechNet article, you can't.

Microsoft NTLM uses stateful HTTP, which is a violation of the HTTP/1.1 RFC. It relies on authentication (an affair which involves a handshake with a couple of initial 401 errors) and subsequent connections to be done through the exact same connection from client to server. This makes HTTP proxying nearly impossible, since each request would usually go through either a new or a random connection picked from a pool of open connections. It can be done though.

NGiNX apparently supports this through the "ntlm" option, but this is part of their commercial offering. Apache HTTPD seems to have a couple of experimental patches for this, but this requires rebuilding Apache. TinyProxy doesn't support this either. HAProxy to the rescue!

Here is an example of a running configuration which works - it's a fairly simple setup with a single backend server:

backend backend_tfs
    # Single NTLM-protected backend; "check" enables health checks,
    # "maxconn 3" caps concurrent connections to this server
    server static teamfoundation.mycompany.com:8080 check maxconn 3
    mode http
    balance roundrobin
    # Keep backend connections open so the NTLM handshake and the
    # requests that follow it travel over one and the same connection
    option http-keep-alive
    # Route a client session's follow-up requests to the server it last used
    option prefer-last-server
    timeout server 30s
    timeout connect 4s

frontend frontend_tfs
    # You probably want something other than 127.0.0.1 here:
    bind 127.0.0.1:8080 name frontend_tfs
    mode http
    # Keep client connections open as well, so HAProxy can tie each one to a backend connection
    option http-keep-alive
    timeout client 30s
    default_backend backend_tfs

The important options here are http-keep-alive and prefer-last-server.

Saustrup answered Dec 28 '22 10:12
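The answer's core point, that NTLM authenticates a TCP connection rather than each request, is easy to see in a small model. The following is an added illustration, not code from the answer and not HAProxy's implementation: it models a backend that keeps NTLM handshake state per connection, and a proxy that either spreads a client's requests round-robin over a pool of backend connections (the failure mode the question describes) or pins each client connection to one backend connection (the effect the keep-alive and prefer-last-server options are used for). The "NTLM type1"/"type3" strings and the challenge value are placeholders, not real NTLM tokens.

```python
"""Toy model of why NTLM over HTTP breaks behind a connection-pooling proxy.

Added example (not the original answer's configuration or HAProxy code).
Message contents are placeholders, not real NTLM tokens.
"""
from itertools import cycle
import secrets


class NtlmBackendConnection:
    """One TCP connection to the backend, carrying its own NTLM handshake state."""

    def __init__(self, conn_id):
        self.conn_id = conn_id
        self.challenge = None        # set when a type1 message arrives on this connection
        self.authenticated = False   # set when a matching type3 arrives on the same connection

    def handle(self, request):
        """Return (status, body) for one HTTP request received on this connection."""
        if self.authenticated:
            return 200, "ok"
        auth = request.get("Authorization")
        if auth is None:
            # Leg 1: anonymous request, server offers NTLM
            return 401, "WWW-Authenticate: NTLM"
        if auth == "NTLM type1":
            # Leg 2: server issues a challenge and remembers it on THIS connection only
            self.challenge = secrets.token_hex(4)
            return 401, f"WWW-Authenticate: NTLM type2 challenge={self.challenge}"
        if auth.startswith("NTLM type3 challenge="):
            # Leg 3: accepted only if this connection issued the challenge being answered
            sent = auth.split("challenge=", 1)[1]
            if self.challenge is not None and sent == self.challenge:
                self.authenticated = True
                return 200, "ok"
            return 401, "WWW-Authenticate: NTLM"   # challenge was issued elsewhere: start over
        return 400, "bad request"


class ReverseProxy:
    """Forwards client requests over a pool of backend connections.

    prefer_last_server=False: pick the next pooled connection for every request.
    prefer_last_server=True:  pin each client connection to one backend connection.
    """

    def __init__(self, pool_size, prefer_last_server):
        self.pool = [NtlmBackendConnection(i) for i in range(pool_size)]
        self.round_robin = cycle(self.pool)
        self.prefer_last_server = prefer_last_server
        self.pinned = {}   # client connection id -> backend connection

    def forward(self, client_id, request):
        if self.prefer_last_server and client_id in self.pinned:
            conn = self.pinned[client_id]
        else:
            conn = next(self.round_robin)
            if self.prefer_last_server:
                self.pinned[client_id] = conn
        return conn.handle(request)


def ntlm_handshake(proxy, client_id):
    """Drive the three-leg NTLM exchange through the proxy; return the status codes seen."""
    statuses = []
    status, body = proxy.forward(client_id, {})
    statuses.append(status)
    status, body = proxy.forward(client_id, {"Authorization": "NTLM type1"})
    statuses.append(status)
    challenge = body.split("challenge=", 1)[1] if "challenge=" in body else ""
    status, body = proxy.forward(client_id, {"Authorization": f"NTLM type3 challenge={challenge}"})
    statuses.append(status)
    return statuses


if __name__ == "__main__":
    # Pooled, non-sticky proxy: the type3 lands on a connection that never saw the challenge
    print("round-robin pool:", ntlm_handshake(ReverseProxy(3, prefer_last_server=False), "client-A"))
    # Pinned connections: the whole handshake stays on one backend connection
    sticky = ReverseProxy(3, prefer_last_server=True)
    print("pinned connection:", ntlm_handshake(sticky, "client-A"))
    print("follow-up request:", sticky.forward("client-A", {}))
```

With three pooled connections and no pinning the client sees 401 on every leg, which is exactly the symptom in the question; with pinning the third leg returns 200 and later requests on that client connection are served without re-authenticating, because the backend connection itself is now in the authenticated state.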