一次項目中使用開源nginx反向代理NTLM的windows身份驗證出現反覆登錄框,最終分析屬於keepalive 在NTLM認證過程當中發生變化致使。html
據此,將nginx.conf 配置修改以下nginx
worker_processes auto;
worker_rlimit_nofile 65535;
events {
worker_connections 65535;
}
http {
include mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log logs/access.log main;
sendfile on;
keepalive_timeout 65;
# upstram 負載定義中需添加keepalive
upstream adrms_service {
ip_hash;
server 192.168.1.1:443;
server 192.168.1.2:443;
keepalive 32;
}
# 強制80端口轉443
server {
listen 80;
server_name adrms.example.com;
rewrite ^(.*) https://$server_name$request_uri? permanent;
}
server {
listen 443 ssl;
server_name adrms.example.com;
ssl_certificate cert/adrms.example.com.pem;
ssl_certificate_key cert/adrms.example.com.key;
ssl_session_cache shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:HIGH:!aNULL:!eNULL:!NULL:!MD5:!RC4:!DHE:!AESGCM:!DH:!EDH;
ssl_prefer_server_ciphers on;
charset UTF-8;
#location 需添加proxy_http_version 1.1 和 proxy_set_header Commection "";
location / {
proxy_buffer_size 64k;
proxy_buffers 32 32k;
proxy_busy_buffers_size 128k;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Connection "";
if ( $request_uri = "/" ) {
rewrite ^ $scheme://$host/_wmcs/licensing/license.asmx break;
}
proxy_pass https://adrms_service;
}
}
}
如採用nginx plus版本,能夠直接在在upstream區域添加專用的語句 ntlm;windows
upstream adrms_service {
ip_hash;
server 192.168.1.1:443;
server 192.168.1.2:443;
ntlm;
}
如上,便可實現nginx代理ntlm驗證,無需lua編碼或使用商業版nginx plus。session