Hi all,

This is a fix that went into v1.3 quite a while back, but not into v2.0.
It sorts out the problem where a password-protected reverse proxy URL
sends a Proxy-Authenticate to a browser instead of a WWW-Authenticate.

The first attached patch covers the changes to the httpd-2.0 tree.

The second attached patch covers changes to httpd-proxy, and requires
the first patch (the first does not require the second). I'll sort the
second patch out once the first has been committed.

Regards,
Graham
-- 
-----------------------------------------
[EMAIL PROTECTED]                "There's a moon
                                        over Bourbon Street
                                                tonight..."
diff -c -r --exclude=srcutils/apr --exclude=modules/proxy --exclude=CVS 
pristine/httpd-2.0/CHANGES sandbox/proxy/httpd-2.0/CHANGES
*** pristine/httpd-2.0/CHANGES  Tue Mar 13 00:24:07 2001
--- sandbox/proxy/httpd-2.0/CHANGES     Tue Mar 13 13:25:27 2001
***************
*** 22,27 ****
--- 22,31 ----
       entire content.  It is far safer to just remove the C-L as long
       as we are scanning it.  [Ryan Bloom]
  
+   *) Make sure Apache sends WWW-Authenticate during a reverse proxy
+      request and not Proxy-Authenticate.
+      [Graham Leggett <[EMAIL PROTECTED]>]
+ 
  Changes with Apache 2.0.14
  
    *) Fix content-length computation.  We ONLY compute a content-length if
diff -c -r --exclude=srcutils/apr --exclude=modules/proxy --exclude=CVS 
pristine/httpd-2.0/include/httpd.h sandbox/proxy/httpd-2.0/include/httpd.h
*** pristine/httpd-2.0/include/httpd.h  Tue Mar 13 00:26:42 2001
--- sandbox/proxy/httpd-2.0/include/httpd.h     Tue Mar 13 12:08:29 2001
***************
*** 615,621 ****
      char *the_request;
      /** HTTP/0.9, "simple" request */
      int assbackwards;
!     /** A proxy request (calculated during post_read_request/translate_name) */
      int proxyreq;
      /** HEAD request, as opposed to GET */
      int header_only;
--- 615,623 ----
      char *the_request;
      /** HTTP/0.9, "simple" request */
      int assbackwards;
!     /** A proxy request (calculated during post_read_request/translate_name)
!      *  possible values PROXYREQ_NONE, PROXYREQ_PROXY, PROXYREQ_REVERSE
!      */
      int proxyreq;
      /** HEAD request, as opposed to GET */
      int header_only;
***************
*** 806,811 ****
--- 808,823 ----
   * binary compatibility for some other reason.
   */
  };
+ 
+ /** Possible values of request_rec->proxyreq. A request could be normal,
+  *  proxied or reverse proxied. Normally proxied and reverse proxied are
+  *  grouped together as just "proxied", but sometimes it's necessary to
+  *  tell the difference between the two, such as for authentication.
+  */
+ 
+ #define PROXYREQ_NONE 0
+ #define PROXYREQ_PROXY 1
+ #define PROXYREQ_REVERSE 2
  
  
  /** Structure to store things which are per connection */
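Review bot: The doc comment on the new PROXYREQ_ constants does not say that their numeric values are part of the contract, and the blank line after it detaches it from the `#define`s it describes. Code outside this patch may still assign `r->proxyreq = 1` or test `r->proxyreq` for truth, as the old sides of the other hunks show, so 0 has to stay "not proxied" and 1 has to stay the forward-proxy case. I would drop the blank line and add a sentence such as `PROXYREQ_NONE must remain 0 and PROXYREQ_PROXY must remain 1: older code assigns and tests these values literally.`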
diff -c -r --exclude=srcutils/apr --exclude=modules/proxy --exclude=CVS 
pristine/httpd-2.0/modules/aaa/mod_auth_digest.c 
sandbox/proxy/httpd-2.0/modules/aaa/mod_auth_digest.c
*** pristine/httpd-2.0/modules/aaa/mod_auth_digest.c    Thu Mar  1 01:55:03 2001
--- sandbox/proxy/httpd-2.0/modules/aaa/mod_auth_digest.c       Tue Mar 13 12:41:39 
2001
***************
*** 854,860 ****
      char *key, *value;
  
      auth_line = apr_table_get(r->headers_in,
!                            r->proxyreq ? "Proxy-Authorization"
                                         : "Authorization");
      if (!auth_line) {
        resp->auth_hdr_sts = NO_HEADER;
--- 854,860 ----
      char *key, *value;
  
      auth_line = apr_table_get(r->headers_in,
!                            (PROXYREQ_PROXY == r->proxyreq) ? "Proxy-Authorization"
                                         : "Authorization");
      if (!auth_line) {
        resp->auth_hdr_sts = NO_HEADER;
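Review bot: Selecting `Authorization` for reverse proxy requests here (and in ap_get_basic_auth_pw in server/protocol.c) means the credentials this server checks arrive in an end-to-end header, and nothing in this patch shows whether the proxy handler removes that header before contacting the backend. If it is passed through, the backend receives the front-end credentials, which for Basic auth is the password itself. Presumably that is decided in the httpd-proxy code; it is worth confirming there and recording the outcome here with a comment such as `/* reverse proxy: credentials come in Authorization, an end-to-end header; the proxy handler decides whether it reaches the backend */`. The enclosing function starts and ends outside the hunk.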
***************
*** 1322,1328 ****
      }
  
      apr_table_mergen(r->err_headers_out,
!                   r->proxyreq ? "Proxy-Authenticate" : "WWW-Authenticate",
                    apr_psprintf(r->pool, "Digest realm=\"%s\", nonce=\"%s\", "
                                         "algorithm=%s%s%s%s%s",
                                ap_auth_name(r), nonce, conf->algorithm,
--- 1322,1328 ----
      }
  
      apr_table_mergen(r->err_headers_out,
!                   (PROXYREQ_PROXY == r->proxyreq) ? "Proxy-Authenticate" : 
"WWW-Authenticate",
                    apr_psprintf(r->pool, "Digest realm=\"%s\", nonce=\"%s\", "
                                         "algorithm=%s%s%s%s%s",
                                ap_auth_name(r), nonce, conf->algorithm,
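Review bot: The challenge-header choice `(PROXYREQ_PROXY == r->proxyreq) ? "Proxy-Authenticate" : "WWW-Authenticate"` is written out here and twice more in server/protocol.c (ap_note_digest_auth_failure and the hunk before it), and the matching request-header choice is repeated in two further hunks. A single helper next to the PROXYREQ_ definitions in httpd.h would keep the forward/reverse rule in one place, so a later change cannot miss a call site and leave the challenge header and the credential header out of step. It would also keep these lines within the width the surrounding code uses. The call being changed sits in a function that begins outside the hunk.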
***************
*** 2050,2056 ****
  
      if (ai && ai[0])
        apr_table_mergen(r->headers_out,
!                       r->proxyreq ? "Proxy-Authentication-Info"
                                    : "Authentication-Info",
                        ai);
      return OK;
--- 2050,2056 ----
  
      if (ai && ai[0])
        apr_table_mergen(r->headers_out,
!                       (PROXYREQ_PROXY == r->proxyreq) ? "Proxy-Authentication-Info"
                                    : "Authentication-Info",
                        ai);
      return OK;
diff -c -r --exclude=srcutils/apr --exclude=modules/proxy --exclude=CVS 
pristine/httpd-2.0/modules/http/http_request.c 
sandbox/proxy/httpd-2.0/modules/http/http_request.c
*** pristine/httpd-2.0/modules/http/http_request.c      Mon Mar  5 05:43:56 2001
--- sandbox/proxy/httpd-2.0/modules/http/http_request.c Tue Mar 13 12:17:12 2001
***************
*** 135,141 ****
       * about proxy authentication.  They treat it like normal auth, and then
       * we tweak the status.
       */
!     if (r->status == HTTP_UNAUTHORIZED && r->proxyreq) {
          r->status = HTTP_PROXY_AUTHENTICATION_REQUIRED;
      }
  
--- 135,141 ----
       * about proxy authentication.  They treat it like normal auth, and then
       * we tweak the status.
       */
!     if (HTTP_UNAUTHORIZED == r->status && PROXYREQ_PROXY == r->proxyreq) {
          r->status = HTTP_PROXY_AUTHENTICATION_REQUIRED;
      }
  
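Review bot: The comment above this test does not say which kind of proxy request it applies to, and after this change the distinction is the whole point of the condition. I would extend it with `Only forward proxy requests (PROXYREQ_PROXY) become 407; reverse proxy requests keep 401 so the browser answers with Authorization.` The comment and the enclosing function both begin outside the hunk.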
diff -c -r --exclude=srcutils/apr --exclude=modules/proxy --exclude=CVS 
pristine/httpd-2.0/modules/http/mod_mime.c 
sandbox/proxy/httpd-2.0/modules/http/mod_mime.c
*** pristine/httpd-2.0/modules/http/mod_mime.c  Sun Feb 25 01:51:31 2001
--- sandbox/proxy/httpd-2.0/modules/http/mod_mime.c     Tue Mar 13 12:54:20 2001
***************
*** 720,729 ****
  
          /* Check for a special handler, but not for proxy request */
          if ((type = apr_table_get(conf->handlers, ext))
! #if 0 
!       /* XXX fix me when the proxy code is updated */
!           && r->proxyreq == NOT_PROXY) 
! #endif
          ) {
              r->handler = type;
              found = 1;
--- 720,726 ----
  
          /* Check for a special handler, but not for proxy request */
          if ((type = apr_table_get(conf->handlers, ext))
!           && (PROXYREQ_NONE == r->proxyreq) 
          ) {
              r->handler = type;
              found = 1;
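Review bot: This hunk re-enables a condition that was compiled out with `#if 0`, so it changes behaviour beyond the header fix recorded in CHANGES: an extension-to-handler mapping no longer sets `r->handler` for any request whose proxyreq is not PROXYREQ_NONE, forward or reverse. That looks like the intended guard, since the extension of a proxied URL is chosen by the client and should not select a local handler, but it deserves its own CHANGES line and a comment stating that reason. The closing parenthesis left on its own line is a remnant of the preprocessor block; the condition reads better as `&& (PROXYREQ_NONE == r->proxyreq)) {`. The enclosing function lies outside the hunk.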
diff -c -r --exclude=srcutils/apr --exclude=modules/proxy --exclude=CVS 
pristine/httpd-2.0/modules/mappers/mod_rewrite.c 
sandbox/proxy/httpd-2.0/modules/mappers/mod_rewrite.c
*** pristine/httpd-2.0/modules/mappers/mod_rewrite.c    Sat Mar 10 17:51:00 2001
--- sandbox/proxy/httpd-2.0/modules/mappers/mod_rewrite.c       Tue Mar 13 12:25:51 
2001
***************
*** 1127,1133 ****
              }
  
              /* now make sure the request gets handled by the proxy handler */
!             r->proxyreq = 1;
              r->handler  = "proxy-server";
  
              rewritelog(r, 1, "go-ahead with proxy request %s [OK]",
--- 1127,1133 ----
              }
  
              /* now make sure the request gets handled by the proxy handler */
!             r->proxyreq = PROXYREQ_REVERSE;
              r->handler  = "proxy-server";
  
              rewritelog(r, 1, "go-ahead with proxy request %s [OK]",
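Review bot: The assignment `r->proxyreq = PROXYREQ_REVERSE;` is unconditional, so a request that an earlier hook already classified as PROXYREQ_PROXY would be reclassified as reverse when a rule with the proxy flag matches; the same applies to the per-directory copy in the hunk at line 1378. With this patch that classification decides which credential header is read and which challenge is sent, so the overwrite could move a forward proxy request from proxy authentication to origin authentication. Whether a forward request can reach this code depends on hook order that is not visible here; if it can, `if (PROXYREQ_NONE == r->proxyreq) r->proxyreq = PROXYREQ_REVERSE;` keeps the earlier decision. The enclosing function starts and ends outside the hunk.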
***************
*** 1378,1384 ****
              }
  
              /* now make sure the request gets handled by the proxy handler */
!             r->proxyreq = 1;
              r->handler  = "proxy-server";
  
              rewritelog(r, 1, "[per-dir %s] go-ahead with proxy request "
--- 1378,1384 ----
              }
  
              /* now make sure the request gets handled by the proxy handler */
!             r->proxyreq = PROXYREQ_REVERSE;
              r->handler  = "proxy-server";
  
              rewritelog(r, 1, "[per-dir %s] go-ahead with proxy request "
diff -c -r --exclude=srcutils/apr --exclude=modules/proxy --exclude=CVS 
pristine/httpd-2.0/server/protocol.c sandbox/proxy/httpd-2.0/server/protocol.c
*** pristine/httpd-2.0/server/protocol.c        Wed Mar  7 18:01:28 2001
--- sandbox/proxy/httpd-2.0/server/protocol.c   Tue Mar 13 12:14:20 2001
***************
*** 1068,1074 ****
          ap_note_auth_failure(r);
      else
          apr_table_setn(r->err_headers_out,
!                   r->proxyreq ? "Proxy-Authenticate" : "WWW-Authenticate",
                    apr_pstrcat(r->pool, "Basic realm=\"", ap_auth_name(r), "\"",
                            NULL));
  }
--- 1068,1074 ----
          ap_note_auth_failure(r);
      else
          apr_table_setn(r->err_headers_out,
!                   (PROXYREQ_PROXY == r->proxyreq) ? "Proxy-Authenticate" : 
"WWW-Authenticate",
                    apr_pstrcat(r->pool, "Basic realm=\"", ap_auth_name(r), "\"",
                            NULL));
  }
***************
*** 1076,1082 ****
  AP_DECLARE(void) ap_note_digest_auth_failure(request_rec *r)
  {
      apr_table_setn(r->err_headers_out,
!           r->proxyreq ? "Proxy-Authenticate" : "WWW-Authenticate",
            apr_psprintf(r->pool, "Digest realm=\"%s\", nonce=\"%llx\"",
                ap_auth_name(r), r->request_time));
  }
--- 1076,1082 ----
  AP_DECLARE(void) ap_note_digest_auth_failure(request_rec *r)
  {
      apr_table_setn(r->err_headers_out,
!           (PROXYREQ_PROXY == r->proxyreq) ? "Proxy-Authenticate" : 
"WWW-Authenticate",
            apr_psprintf(r->pool, "Digest realm=\"%s\", nonce=\"%llx\"",
                ap_auth_name(r), r->request_time));
  }
***************
*** 1084,1090 ****
  AP_DECLARE(int) ap_get_basic_auth_pw(request_rec *r, const char **pw)
  {
      const char *auth_line = apr_table_get(r->headers_in,
!                                       r->proxyreq ? "Proxy-Authorization"
                                                    : "Authorization");
      const char *t;
  
--- 1084,1090 ----
  AP_DECLARE(int) ap_get_basic_auth_pw(request_rec *r, const char **pw)
  {
      const char *auth_line = apr_table_get(r->headers_in,
!                                       (PROXYREQ_PROXY == r->proxyreq) ? 
"Proxy-Authorization"
                                                    : "Authorization");
      const char *t;
  
diff -c -r --exclude=CVS pristine/httpd-proxy/module-2.0/mod_proxy.c 
sandbox/proxy/httpd-2.0/modules/proxy/mod_proxy.c
*** pristine/httpd-proxy/module-2.0/mod_proxy.c Mon Mar 12 00:33:08 2001
--- sandbox/proxy/httpd-2.0/modules/proxy/mod_proxy.c   Tue Mar 13 12:20:41 2001
***************
*** 156,162 ****
            && !strcasecmp(r->parsed_uri.scheme, ap_http_method(r))
            && ap_matches_request_vhost(r, r->parsed_uri.hostname,
                 r->parsed_uri.port_str ? r->parsed_uri.port : ap_default_port(r)))) {
!           r->proxyreq = 1;
            r->uri = r->unparsed_uri;
            r->filename = apr_pstrcat(r->pool, "proxy:", r->uri, NULL);
            r->handler = "proxy-server";
--- 156,162 ----
            && !strcasecmp(r->parsed_uri.scheme, ap_http_method(r))
            && ap_matches_request_vhost(r, r->parsed_uri.hostname,
                 r->parsed_uri.port_str ? r->parsed_uri.port : ap_default_port(r)))) {
!           r->proxyreq = PROXYREQ_PROXY;
            r->uri = r->unparsed_uri;
            r->filename = apr_pstrcat(r->pool, "proxy:", r->uri, NULL);
            r->handler = "proxy-server";
***************
*** 166,172 ****
      else if (conf->req && r->method_number == M_CONNECT
             && r->parsed_uri.hostname
             && r->parsed_uri.port_str) {
!           r->proxyreq = 1;
            r->uri = r->unparsed_uri;
            r->filename = apr_pstrcat(r->pool, "proxy:", r->uri, NULL);
            r->handler = "proxy-server";
--- 166,172 ----
      else if (conf->req && r->method_number == M_CONNECT
             && r->parsed_uri.hostname
             && r->parsed_uri.port_str) {
!           r->proxyreq = PROXYREQ_PROXY;
            r->uri = r->unparsed_uri;
            r->filename = apr_pstrcat(r->pool, "proxy:", r->uri, NULL);
            r->handler = "proxy-server";
***************
*** 201,207 ****
             r->filename = apr_pstrcat(r->pool, "proxy:", ent[i].real,
                                   r->uri + len, NULL);
             r->handler = "proxy-server";
!            r->proxyreq = 1;
             return OK;
        }
      }
--- 201,207 ----
             r->filename = apr_pstrcat(r->pool, "proxy:", ent[i].real,
                                   r->uri + len, NULL);
             r->handler = "proxy-server";
!            r->proxyreq = PROXYREQ_REVERSE;
             return OK;
        }
      }
***************
*** 303,309 ****
        long maxfwd = strtol(maxfwd_str, NULL, 10);
        if (maxfwd < 1) {
            int access_status;
!           r->proxyreq = 0;
            if ((access_status = ap_send_http_trace(r)))
                ap_die(access_status, r);
            else
--- 303,309 ----
        long maxfwd = strtol(maxfwd_str, NULL, 10);
        if (maxfwd < 1) {
            int access_status;
!           r->proxyreq = PROXYREQ_NONE;
            if ((access_status = ap_send_http_trace(r)))
                ap_die(access_status, r);
            else
diff -c -r --exclude=CVS pristine/httpd-proxy/module-2.0/proxy_ftp.c 
sandbox/proxy/httpd-2.0/modules/proxy/proxy_ftp.c
*** pristine/httpd-proxy/module-2.0/proxy_ftp.c Sun Feb 11 01:12:43 2001
--- sandbox/proxy/httpd-2.0/modules/proxy/proxy_ftp.c   Tue Mar 13 12:21:53 2001
***************
*** 438,444 ****
   */
  static int ftp_unauthorized (request_rec *r, int log_it)
  {
!     r->proxyreq = 0;
      /* Log failed requests if they supplied a password
       * (log username/password guessing attempts)
       */
--- 438,444 ----
   */
  static int ftp_unauthorized (request_rec *r, int log_it)
  {
!     r->proxyreq = PROXYREQ_NONE;
      /* Log failed requests if they supplied a password
       * (log username/password guessing attempts)
       */
