Load Balancing NTLM over HTTP with NGINX

Michael B Allen ioplex at gmail.com
Sat Nov 19 03:30:29 UTC 2022


NTLM over HTTP is a 3 request "handshake" that must occur over the same TCP
My HTTP service implements the NTLMSSP acceptor and uses the client's remote
address and port like "" to track the authentication state
of each TCP connection.

My implementation also uses a header called 'Jespa-Connection-Id' that
allows the remote address and port to be supplied externally.
NGINX can use this to act as a proxy for NTLM over HTTP with a config like
the following:

server {
    location / {
        proxy_pass http://localhost:8080;
        # pass the client's address and port to the backend as the connection id
        proxy_set_header Jespa-Connection-Id $remote_addr:$remote_port;
    }
}

This works fine.

Now I want to load balance NTLM through NGINX. For this I used the

upstream backend {
    server localhost:8080;
    server localhost:8081;
}

server {
    location / {
        proxy_pass http://backend;
        proxy_set_header Jespa-Connection-Id $remote_addr:$remote_port;
    }
}

This also seems to work fine but I have doubts.
Can NGINX use the same TCP connection to a backend server to send requests
of different client connections?

From what I can tell, NGINX seems to create a separate TCP connection for
each request.
If this is always true, then it seems this scheme should work.
Can you please confirm that this is how NGINX works?

More generally, do you see any problems with this scheme?

I'm not fluent in NGINX but I want to document this as a possible solution
for my users.


Michael B Allen
Java AD DS Integration
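
The question raised in the post above, as an added example that is not part of the original message and is not Jespa or NGINX code: a toy model of two acceptors that key handshake state on the Jespa-Connection-Id value, comparing per-request alternation between backends with selection keyed on the connection id. It assumes each backend holds this state only in its own memory; the class, the function names and the client addresses are constructed for illustration.

```python
import hashlib

class Acceptor:
    """Toy backend: handshake state held in memory, keyed by the
    Jespa-Connection-Id value ("addr:port") supplied by the proxy."""
    def __init__(self, name):
        self.name = name
        self.pending = {}  # connection id -> challenge issued on request 2

    def handle(self, conn_id, authorization=None):
        if authorization is None:        # request 1: no credentials yet
            return 401, "NTLM"
        if authorization == "type1":     # request 2: negotiate, issue challenge
            self.pending[conn_id] = "challenge-from-" + self.name
            return 401, "type2"
        # request 3: only valid on the backend that issued the challenge
        if self.pending.pop(conn_id, None) is None:
            return 401, "NTLM"           # unknown connection id: start over
        return 200, "authenticated"

def round_robin(backends):
    """Alternate backends per request, ignoring the connection id."""
    count = 0
    def pick(conn_id):
        nonlocal count
        backend = backends[count % len(backends)]
        count += 1
        return backend
    return pick

def by_conn_id(backends):
    """Pin every request carrying the same connection id to one backend."""
    def pick(conn_id):
        digest = hashlib.sha256(conn_id.encode()).digest()
        return backends[int.from_bytes(digest[:4], "big") % len(backends)]
    return pick

def handshake(pick, conn_id):
    """Send the three requests of one client connection through the balancer."""
    result = None
    for authorization in (None, "type1", "type3"):
        result = pick(conn_id).handle(conn_id, authorization)
    return result

def run(policy, clients):
    backends = [Acceptor("8080"), Acceptor("8081")]
    pick = policy(backends)
    return [handshake(pick, c)[0] for c in clients]

# Constructed client address:port values (documentation address ranges).
CLIENTS = ["192.0.2.10:50001", "192.0.2.10:50002", "198.51.100.7:40000"]
```

In this model the handshake completes only when all three requests for one connection id reach the same acceptor. In NGINX, the upstream `hash` directive selects a backend from a key such as `$remote_addr:$remote_port`.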