
Is there any solution to not only proxy NTLM but to convert HTTP Basic Auth on the input side to NTLM on the output side?

Background: An internal SharePoint server using NTLM Auth should be accessible via an Apache reverse proxy. The problem is that NTLM is stateful and mod_proxy can’t deal with it. Now Apache with mod_proxy could just provide Basic Auth (and authenticate via a passwd file or similar) and proxy to another internal Basic-Auth-to-NTLM translator. This would just read our HTTP Auth credentials and pass them on to the SharePoint server.

  • Use Nginx Plus or Caddy server, which can properly reverse proxy the NTLM auth. Commented May 19 at 8:42
  • @NikitaKipriyanov thank you. One issue is that there is only one public IP available and Apache is already running on ports 443/80, so I’d want to use Apache as a reverse proxy. That got me the idea of the auth translator. I could use two proxies (Apache proxies to Nginx plus or Caddy) but that would just push the problem one step.
    – divB
    Commented May 20 at 7:21

1 Answer

There is no purely Apache-based solution in existence. Your options (the ones I know of and have tried myself) are:

  • Caddy — free, albeit you need a custom build, which is possible using their web interface; a service that can co-exist with anything; and
  • Kerio Control — paid, easier to set up, requires a small dedicated virtual machine.

There is also Nginx Plus, which claims support, but I haven't tried it.

You can put your new reverse proxy in front of that Apache. Not "Apache serves something and proxies something" but à la "Caddy proxies everything, distributing between different back ends". That would result in a better overall architecture with clearly defined roles and weak service inter-dependence: the proxy server does only proxying, while the web server does only serving, and each part can be replaced or managed independently (e.g. by different teams of admins, etc.).


If you choose to go with Caddy, you first need to move Apache to some ports other than 80/443. Caddy will listen there, and it must not only reverse proxy your NTLM stuff but also the stuff Apache is serving. As a bonus, you may use Caddy's automatic SSL features (it has e.g. a built-in ACME client to interact with Let's Encrypt and ZeroSSL), strip SSL and use only one non-default port for Apache's plain HTTP.

Or, you can move all the load onto Caddy altogether, getting rid of Apache. But I wouldn't do that.

Alternatively, you can run a dedicated small VM (or container) with just Caddy and expose it to the outside; this is the solution I ended up with in the past when I was solving exactly the same problem (a reverse proxy for OWA and some other web site, using only a single public IP address). This would also be the only possible solution if you choose Kerio.
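The layout the answer describes (Caddy on 80/443 in front of everything, NTLM passed through to SharePoint, everything else handed to Apache on a non-default port), written out as an added example Caddyfile. This is not configuration from the original answer, the asker, or the Caddy project; the hostnames, the SharePoint backend address and the Apache port 8080 are assumptions. It relies on the `http_ntlm` transport from the caddyserver/ntlm-transport plugin, which is not in the stock Caddy binary, hence the custom build the answer mentions (`xcaddy build --with github.com/caddyserver/ntlm-transport`, or the same plugin selected on the download page).

```caddyfile
# Added example, not from the original answer. Assumes:
#   - Caddy built with github.com/caddyserver/ntlm-transport
#   - Apache already moved from 80/443 to 127.0.0.1:8080 (plain HTTP)
#   - SharePoint reachable internally at sharepoint.internal:80
# Caddy obtains certificates for both public names via its built-in ACME
# client and redirects port 80 to HTTPS on its own.

sharepoint.example.com {
	# NTLM authenticates the TCP connection, not the request. The http_ntlm
	# transport pins each client connection to a single backend connection
	# for the lifetime of the handshake instead of pooling them, which is
	# exactly what Apache's mod_proxy cannot do. The client still speaks
	# NTLM end to end; Caddy does not convert Basic Auth into NTLM.
	reverse_proxy sharepoint.internal:80 {
		transport http_ntlm
	}
	# Caddy forwards the client's original Host header by default, so
	# sharepoint.example.com must be a valid Alternate Access Mapping on the
	# SharePoint side; otherwise set it explicitly:
	#   header_up Host sharepoint.internal
}

www.example.com {
	# Everything that Apache used to serve directly on 443 now arrives here
	# with TLS already stripped by Caddy.
	reverse_proxy 127.0.0.1:8080
}
```

Because the NTLM handshake is tied to the backend connection, keep the `http_ntlm` transport limited to the SharePoint site block; the Apache block uses the default pooled HTTP transport. If SharePoint is published over HTTPS internally, add a `tls` sub-directive inside the `transport http_ntlm { ... }` block rather than prefixing the upstream with `https://`, since an upstream scheme and an explicit transport cannot be combined in the same directive.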
