Solved: How can I pass NTLM headers in a health monitor te...

riverbedjo · ‎05-15-2013

I have a bunch of web servers serving an internal intranet. I would like to configure a health monitor that makes a connection to the machine, and effectively logs onto the web server by passing in the NTLM authentication credentials.

If this check is OK, then the server remains in the pool; if this check fails 3 times in a row, server is removed from the pool.

How can I do this?

owen · ‎05-15-2013

You can't do this with the built-in Health Monitors (Feature Brief: Health Monitoring in Stingray Traffic Manager), but you can create a custom health monitor to do this.

There's a good selection of perl, python, ruby and other implementations of NTLM-aware client libraries you can use, but here's a health monitor that just uses wget, so you can run in on the Stingray Virtual Appliance.


#!/bin/bash


# Process the health monitor arguments

args=( [email protected] );

for (( i=0; $i < $# ; i++ ))

do

  [[ "${args[$i]}" =~ --ipaddr= ]] && ipaddr=${args[$i]#*=} && continue

  [[ "${args[$i]}" =~ --port= ]]  && port=${args[$i]#*=} && continue

  [[ "${args[$i]}" =~ --node= ]]  && node=${args[$i]#*=} && continue

  [[ "${args[$i]}" =~ --host= ]]  && host=${args[$i]#*=} && continue

  [[ "${args[$i]}" =~ --path= ]]  && path=${args[$i]#*=} && continue

  [[ "${args[$i]}" =~ --user= ]]  && user=${args[$i]#*=} && continue

  [[ "${args[$i]}" =~ --pass= ]]  && pass=${args[$i]#*=} && continue

  [[ "${args[$i]}" =~ --verbose ]] && verbose="--verbose" && continue

  [[ "${args[$i]}" =~ --failures_left= ]] && failures_left=${args[$i]#*=} && continue

done


# Path and Host header are optional. If we don't have them, set defaults.

[ -z "$path" ] && path="/"

[ -z "$host" ] && host="$node:$port"


# Disable verbose output if not requested.

[ -z "$verbose" ] && verbose=""


# All server headers and body are stored in the output variable.

output=$( wget "--header=Host: $host" --http-user="$user" --http-passwd="$pass" \

  $verbose -O - -S http://$ipaddr:$port$path 2>&1 )


[ $verbose ] && echo $output


# The output will have a few 401, and at least 1 200 response code if we authenticated.

echo $output | grep "HTTP/1.1 200 OK" > /dev/null

result=$?


[ $result -ne 0 ] && echo $output >&2


exit $result

It's a while since I've tested this, so please first give it a go from the command line and verify that it works:


$ ./ntlmtest.sh --ipaddr=1.1.1.1 --port=80 --node=www.foo.com \

    --host=www.foo.com --path=/wibble --user=owen --pass=mememe \

    --verbose --failures_left=2

$ echo $?

If the monitor was successful, then echo $? should print '0'.

When you install this as a custom health monitor, you'll need to add the following parameters:

host (optional): the host header to use in the request; otherwise, we'll guess it from the node's name and port
path (optional): defaults to '/'
user: the NTLM username
pass: the NTLM password

View solution in original post

owen · ‎05-15-2013