Hi Michael, On Sat, Feb 11, 2017 at 07:17:20PM +0100, Michael Hamburger wrote: > Hello :) > > My name is Michael Hamburger and I work for a game development startup. > Currently I am using Docker Flow: Proxy > (https://github.com/vfarcic/docker-flow-proxy) which is based on HAProxy. I > think that's enough of introduction, I don't want to spam and to be honest I > have never used a mailing list before.
Aarrrgh you should be ashamed! Just kidding, you're welcome :-) (...) > Description of what I changed: > > File: /haproxy/include/types/proto_http.h Line: 245 > (https://github.com/haproxy/haproxy/blob/master/include/types/proto_http.h#L245) > Change: I added HTTP_ERR_401 and HTTP_ERR_407 in the correct order. > > File: /haproxy/src/proto_http.c Line: 117 > (https://github.com/haproxy/haproxy/blob/master/src/proto_http.c#L117) > Change: I removed HTTP_401_fmt and HTTP_407_fmt. > > File: /haproxy/src/proto_http.c Line 136 > (https://github.com/haproxy/haproxy/blob/master/src/proto_http.c#L136) > Change: I added [HTTP_ERR_401] = 401 and [HTTP_ERR_407] = 407 in correct > order to the http_err_codes array. > > I also added > > [HTTP_ERR_401] = > "HTTP/1.0 401 Unauthorized\r\n" > "Cache-Control: no-cache\r\n" > "Connection: close\r\n" > "Content-Type: text/html\r\n" > "WWW-Authenticate: Basic realm=\"%s\"\r\n" > "\r\n" > "<html><body><h1>401 Unauthorized</h1>\nYou need a valid user and > password to access this content.\n</body></html>\n" > > [HTTP_ERR_407] = > "HTTP/1.0 407 Unauthorized\r\n" > "Cache-Control: no-cache\r\n" > "Connection: close\r\n" > "Content-Type: text/html\r\n" > "Proxy-Authenticate: Basic realm=\"%s\"\r\n" > "\r\n" > "<html><body><h1>407 Unauthorized</h1>\nYou need a valid user and > password to access this content.\n</body></html>\n" > > to the static const char* http_err_msgs array below. > > File: /haproxy/src/proto_http.c Line: 3485 > (https://github.com/haproxy/haproxy/blob/master/src/proto_http.c#L3485) > Change: Replaced chunk_printf(&trash, (txn->flags & TX_USE_PX_CONN) ? > HTTP_407_fmt : HTTP_401_fmt, auth_realm); with chunk_printf(&trash, > (txn->flags & TX_USE_PX_CONN) ? (const char *)http_error_message(s, > HTTP_ERR_401)->str : (const char *)http_error_message(s, HTTP_ERR_401)->str, > auth_realm); > > Summarize: These are all changes I made. The static error page 401 and 407 > were moved in http_err_msgs array and http_err_codes were added. The HAProxy > allows on my system with the mentioned changes errorfile for http status 401 > and 407 (errorfile 401 /errorfiles/401.http). The self created 401.http file > does have the WWW-Authenticate: Basic realm=\"%s\" header so that the > chunk_printf can add the correct auth_realm. Thanks for the description. However this change causes a big issue which is that a printf-format file is directly exposed outside. The nasty side effect is that someone using 2 "%s" instead of exactly one will cause the process to randomly crash for example, and there's a warning about it just before their declaration, which explains why they were not merged with the other ones. Interestingly your proposal raises a new issue which we didn't think about. Recently a few of us wanted to make the error pages more configurable (typically templates in which we could use some sample expressions, a-la log-format). But your request shows one limit to this model that we also have to take into account. This tends to make me think that most of the time users only need to set the response body and will not care about the headers which will automatically be filled by haproxy. I'm thinking that we could imagine a new way to declare error files with more arguments : errorfile 401 type text/html content 401.html That would remove the need for the "%s" in the www-authenticate field and would make it easier to later implement dynamic contents since our headers would have to be automatically computed already. We could even imagine an extension like this to call a Lua function to produce the page on the fly : errorfile 401 type text/html lua-content page401 In the mean time I think you should continue to use your patch. I'm not seeing anything there that we could take to make it easier for you to maintain it unfortunately. Maybe you're interested in trying to implement the stuff above ? If so, just let me know, I can give you a few hints which could possibly help. Thanks, Willy
