Mirror of https://git.haproxy.org/git/haproxy.git/ (synced 2026-01-19 00:51:37 +01:00)
In issue #511 a problem was reported regarding NTLM and undesired session sharing. This was caused by an attempt to limit the protection against NTLM breakage to just NTLM and not properly working schemes in commit fd9b68c48 ("BUG/MINOR: only mark connections private if NTLM is detected").

Unfortunately as reported in the issue above, the extent of possible challenges for NTLM is a bit more complex than just the "NTLM" or "Negotiate" words. There's also "Nego2" and these words can be followed by a base64 value, which is not validated here. The list of possible entries doesn't seem to be officially documented but can be reconstructed from different public documents:

  https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ntht/7daaf621-94d9-4942-a70a-532e81ba293e
  https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-n2ht/5c1d2bbc-e1d6-458f-9def-dd258c181310
  https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-n2ht/9201ed70-d245-41ce-accd-e609637583bf
  https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-n2ht/02be79f3-e360-475f-b468-b96c878c70c7

This patch tries to fix all this on top of previous attempts by marking as private any connection that returns a www-authenticate header starting with "Nego" or "NTLM". We don't need to be too strict, we really just want to leave the connection shared if really sure it can be.

This must be backported to 1.8 but will require some adaptations. In 1.9 and 2.0 the check appears both for legacy and HTX. The simplest thing to do is to look for "Negotiate" and fix all relevant places.
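The prefix rule described in the commit message above, as an added C example that is not HAProxy's source code: it compares an exact-word matcher with the "starts with Nego or NTLM" matcher on constructed header values. The function names, the case-insensitive comparison and the exact-word "narrow" rule are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive prefix test on a length-delimited header value. */
static int has_prefix_ci(const char *v, size_t len, const char *pfx)
{
    size_t n = strlen(pfx);
    if (len < n)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)v[i]) != tolower((unsigned char)pfx[i]))
            return 0;
    return 1;
}

/* Narrow rule (illustrative assumption): value is exactly "NTLM" or "Negotiate". */
static int narrow_match(const char *v, size_t len)
{
    return (len == 4 && has_prefix_ci(v, len, "NTLM")) ||
           (len == 9 && has_prefix_ci(v, len, "Negotiate"));
}

/* Broad rule from the commit message: value starts with "Nego" or "NTLM". */
static int broad_match(const char *v, size_t len)
{
    return has_prefix_ci(v, len, "Nego") || has_prefix_ci(v, len, "NTLM");
}

/* Return 1 if any WWW-Authenticate value means the connection must not be shared. */
int conn_must_be_private(const char *const *vals, size_t n, int broad)
{
    for (size_t i = 0; i < n; i++) {
        const char *v = vals[i];
        while (*v == ' ' || *v == '\t')   /* skip optional leading whitespace */
            v++;
        if (broad ? broad_match(v, strlen(v)) : narrow_match(v, strlen(v)))
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample values, not captured traffic. */
    const char *resp[] = { "Basic realm=\"intranet\"", "Nego2 Y29uc3RydWN0ZWQ=" };
    printf("narrow=%d broad=%d\n", conn_must_be_private(resp, 2, 0), conn_must_be_private(resp, 2, 1));
    return 0;
}
```

The broad rule errs toward marking a connection private: any scheme token beginning with "Nego" or "NTLM" is treated as connection-bound, with or without a trailing base64 value.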
The HAProxy documentation has been split into a number of different files for ease of use.

Please refer to the following files depending on what you're looking for:

  - INSTALL for instructions on how to build and install HAProxy
  - BRANCHES to understand the project's life cycle and what version to use
  - LICENSE for the project's license
  - CONTRIBUTING for the process to follow to submit contributions

The more detailed documentation is located in the doc/ directory:

  - doc/intro.txt for a quick introduction on HAProxy
  - doc/configuration.txt for the configuration's reference manual
  - doc/lua.txt for the Lua's reference manual
  - doc/SPOE.txt for how to use the SPOE engine
  - doc/network-namespaces.txt for how to use network namespaces under Linux
  - doc/management.txt for the management guide
  - doc/regression-testing.txt for how to use the regression testing suite
  - doc/peers.txt for the peers protocol reference
  - doc/coding-style.txt for how to adopt HAProxy's coding style
  - doc/internals for developer-specific documentation (not all up to date)
Languages: C 98%, Shell 0.9%, Makefile 0.5%, Lua 0.2%, Python 0.2%