opnsense / plugins

OPNsense plugin collection
https://opnsense.org/
BSD 2-Clause "Simplified" License

OPNsense Caddy Plugin - Didn't forward NTLM #4160

Open phillipunzen opened 1 month ago

phillipunzen commented 1 month ago


Describe the bug: I have updated the OPNsense, including the Caddy reverse proxy, to the current version. Unfortunately, NTLM is not forwarded, which I need for the Outlook desktop clients that access my Exchange server.

Tip: to validate your setup was working with the previous version, use opnsense-revert (https://docs.opnsense.org/manual/opnsense_tools.html#opnsense-revert)

To Reproduce: Steps to reproduce the behavior:

  1. Create Handler
  2. Check NTLM

Expected behavior: I want to connect my Outlook clients.

Screenshots: opnsense_error_1 (image not reproduced here)

Monviech commented 1 month ago

Please show me what the Caddyfile looks like. I want to see if the http_ntlm option is there or not.

Which os-caddy was your prior version and which version are you on now?

EDIT:

As a baseline, last time I tested it with Exchange 2019 and Outlook was when I evaluated NTLM again here: https://github.com/opnsense/plugins/pull/4072

That was after the Caddy binary had been updated to 2.8.4. So I tested it in os-caddy-1.5.7.

There hasn't been any difference with the build or with the template in that regard. So essentially there should not be a difference right now.

phillipunzen commented 1 month ago

Sooo... This is a part of the Caddyfile:

# Reverse Proxy Domain: "623c2f46-e854-4811-ae7b-b1f103c01e6c"
*.petersen-nf.com {
        @372ffa3f-9de1-4144-acb3-3ec2c6407d9c {
                host outlook.petersen-nf.com
        }
        handle @372ffa3f-9de1-4144-acb3-3ec2c6407d9c {
                handle {
                        reverse_proxy 192.168.10.14:443 {
                                transport http_ntlm {
                                        tls
                                        tls_insecure_skip_verify
                                        tls_server_name outlook.phillipunzen.de
                                }
                        }
                }
        }
        @96d079b9-d85c-4626-acab-75748bed9f09 {
                host autodiscover.petersen-nf.com
        }
        handle @96d079b9-d85c-4626-acab-75748bed9f09 {
                handle {
                        reverse_proxy 192.168.10.14:443 {
                                transport http_ntlm {
                                        tls
                                        tls_insecure_skip_verify
                                        tls_server_name outlook.phillipunzen.de
                                }
                        }
                }
        }
}

import /usr/local/etc/caddy/caddy.d/*.conf

I use the OPNsense in 27.7_9 and os-caddy in 1.6.1. My OPNsense has no updates at this time...

Monviech commented 1 month ago

I have just set up "Windows Authentication" in an IIS, set it to NTLM, and protected the default IIS website with it.

Then I tested the authentication with NTLM and without NTLM in Caddy.

Without NTLM activated, the login mask appeared after each try.

With NTLM activated, I got authenticated.

So it should work essentially.


That means there is a configuration error here.

Can you open the Caddyfile /usr/local/etc/caddy/Caddyfile and turn this:

transport http_ntlm {
        tls
        tls_insecure_skip_verify
        tls_server_name outlook....
}

Into this:

transport http_ntlm {
        tls_insecure_skip_verify
}

After editing and saving the Caddyfile, issue a:

service caddy reloadssl

That will reload Caddy without regenerating the template. Afterwards test it again please.

phillipunzen commented 1 month ago

I edited the Caddyfile to your schema. I got the same error...

phillipunzen commented 1 month ago

Hm, after a reboot OPNsense edits the Caddyfile back to the old version with tls activated. The config change is not saved...

Monviech commented 1 month ago

Can you configure the server correctly for TLS?

Import the self signed exchange certificate, select it as TLS trust pool.

Check out the docs: https://docs.opnsense.org/manual/how-tos/caddy.html#reverse-proxy-the-opnsense-webgui

I hope that works, if not, I don't have an exchange server I can test it with anymore. I only confirmed it working with IIS itself.
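Added example, not a config posted in this thread and not os-caddy's generated template: the http_ntlm transport from the Caddyfile above, with the upstream Exchange certificate verified against an explicit trust pool (the "import the self signed exchange certificate, select it as TLS trust pool" step) instead of tls_insecure_skip_verify. Hostnames and the PEM path are placeholders. It assumes the http_ntlm transport accepts the same tls_* options as Caddy's plain http transport (the ntlm-transport module embeds it) and that Caddy 2.8's tls_trust_pool file module is available.

```caddyfile
# Hardened variant: keep certificate verification on, pin the expected
# server name and trust only the imported Exchange certificate.
outlook.example.com {
	reverse_proxy 192.168.10.14:443 {
		transport http_ntlm {
			tls
			# The upstream is addressed by IP, so the SNI / name check
			# must be set explicitly to a SAN on the Exchange certificate
			# (placeholder name).
			tls_server_name mail.exchange.example.local
			# Verify the chain against the self-signed Exchange
			# certificate exported as PEM (placeholder path) rather
			# than disabling verification with tls_insecure_skip_verify.
			tls_trust_pool file {
				pem_file /usr/local/etc/caddy/certificates/exchange.pem
			}
		}
	}
}
```

With tls_insecure_skip_verify removed, a wrong tls_server_name or a certificate that is not in the trust pool fails the proxied connection instead of silently accepting any upstream, which is the behaviour you want when the handler is managed by the OPNsense template rather than edited by hand.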