Changes between Initial Version and Version 1 of NtlmProxyTestSetup


Timestamp:
01/12/24 15:12:08 (8 months ago)
Author:
flichtenheld
Comment:

--

  • NtlmProxyTestSetup

    v1 v1  
     1
     2== Setting up a NTLM Proxy for testing NTLM authentication support in OpenVPN
     3
     4Since NTLM is a proprietary authentication protocol only available on Windows, it is not trivial to set up test environments to test the support for using NTLM authentication against HTTP proxy servers that is included in OpenVPN. This document describes one way that worked and proved useful.
     5
     6This is heavily based on a [https://stackoverflow.com/a/48238953/10681123 Stackoverflow answer].
     7
     8
     9=== Installing Apache httpd
     10
     11There exists a [https://github.com/TQsoft-GmbH/mod_authn_ntlm NTLM auth mod] for Apache httpd and Apache httpd can act as an HTTP proxy. This provides a good starting point. The mod only works on Windows machines since it relies on the system's support for NTLM and can't provide the authentication on its own. There are multiple pre-compiled distributions available of Apache httpd for Windows. But [https://www.apachehaus.com/cgi-bin/download.plx?z ApacheHaus] was the only one I found that also provided a pre-compiled version of mod_auth_ntlm. So I used that. Installation is just extracting the archives and following the READMEs.
     12
     13You might need to install a Windows firewall rule to allow access to the port you want Apache listening to.
     14
     15=== Configuring Apache httpd
     16
     17The following configuration worked for me (only showing the parts specific to the proxy):
     18
     19{{{
     20LoadModule proxy_module modules/mod_proxy.so
     21LoadModule proxy_connect_module modules/mod_proxy_connect.so
     22LoadModule proxy_http_module modules/mod_proxy_http.so
     23LoadModule ldap_module modules/mod_ldap.so
     24LoadModule auth_ntlm_module modules/mod_authn_ntlm.so
     25
     26ProxyVia On
     27ProxyRequests On
     28AllowCONNECT 51194
     29
     30<Proxy "*">
     31    AuthName "Private location"
     32    AuthType SSPI
     33    NTLMAuth On
     34    NTLMAuthoritative On
     35    <RequireAll>
     36        <RequireAny>
     37            Require valid-user
     38        </RequireAny>
     39        <RequireNone>
     40            Require user "ANONYMOUS LOGON"
     41        </RequireNone>
     42    </RequireAll>
     43</Proxy>
     44}}}
     45
     46Note the use of `AllowCONNECT` when trying to connect to OpenVPN servers not listening on port 443.
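
Review bot: Line 11 calls the module `mod_auth_ntlm`, while the link on the same line and the `LoadModule` at line 24 both use `mod_authn_ntlm`; use one spelling so readers look for the right package. The note at line 46 would be clearer if it said that 51194 in `AllowCONNECT 51194` is the port of the OpenVPN server under test and has to be changed to match, and that listing ports there replaces Apache's default list, so CONNECT to 443 is no longer accepted unless 443 is listed as well. Line 23 loads `mod_ldap.so` although nothing in the shown configuration references LDAP; either say why it is needed or drop it. Since `ProxyRequests On` at line 27 turns the host into a forward proxy, line 13 could also recommend scoping the firewall rule to the test clients.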