This is a fix that went into v1.3 quite a while back, but not into v2.0.

It sorts out the problem when a password protected reverse proxy URL
sends a Proxy-Authenticate to a browser instead of a WWW-Authenticate.

This patch covers the changes to the httpd-2.0 tree.

Submitted by:	Graham Leggett
Reviewed by:	Chuck Murcko

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@88527 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index 3824250e0b6316981108b87525163d0b2b475adf..123f6e02d369a99593050838c176be1e9a8a4440 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -37,6 +37,10 @@ Changes with Apache 2.0.15-dev
      entire content.  It is far safer to just remove the C-L as long
      as we are scanning it.  [Ryan Bloom]
 
+  *) Make sure Apache sends WWW-Authenticate during a reverse proxy
+     request and not Proxy-Authenticate.
+     [Graham Leggett <minfrin@sharp.fm>]
+
 Changes with Apache 2.0.14
 
   *) Fix content-length computation.  We ONLY compute a content-length if

diff --git a/include/httpd.h b/include/httpd.h
index b8ebd49070743d0ae8d234edce7e7681c9f0a933..0c41123a2e32bd4c7c03c6266859a8ad4486cabf 100644 (file)
--- a/include/httpd.h
+++ b/include/httpd.h
@@ -615,7 +615,9 @@ struct request_rec {
     char *the_request;
     /** HTTP/0.9, "simple" request */
     int assbackwards;
-    /** A proxy request (calculated during post_read_request/translate_name) */
+    /** A proxy request (calculated during post_read_request/translate_name)
+     *  possible values PROXYREQ_NONE, PROXYREQ_PROXY, PROXYREQ_REVERSE
+     */
     int proxyreq;
     /** HEAD request, as opposed to GET */
     int header_only;
@@ -807,6 +809,16 @@ struct request_rec {
  */
 };
 
+/** Possible values of request_rec->proxyreq. A request could be normal,
+ *  proxied or reverse proxied. Normally proxied and reverse proxied are
+ *  grouped together as just "proxied", but sometimes it's necessary to
+ *  tell the difference between the two, such as for authentication.
+ */
+
+#define PROXYREQ_NONE 0
+#define PROXYREQ_PROXY 1
+#define PROXYREQ_REVERSE 2
+
 
 /** Structure to store things which are per connection */
 struct conn_rec {

diff --git a/modules/aaa/mod_auth_digest.c b/modules/aaa/mod_auth_digest.c
index e532b96826304c874b1f6a788fe3849080daa021..4359620549cec6334744d39d61007a1d158ba0fb 100644 (file)
--- a/modules/aaa/mod_auth_digest.c
+++ b/modules/aaa/mod_auth_digest.c
@@ -854,7 +854,7 @@ static int get_digest_rec(request_rec *r, digest_header_rec *resp)
     char *key, *value;
 
     auth_line = apr_table_get(r->headers_in,
-                            r->proxyreq ? "Proxy-Authorization"
+                            (PROXYREQ_PROXY == r->proxyreq) ? "Proxy-Authorization"
                                         : "Authorization");
     if (!auth_line) {
        resp->auth_hdr_sts = NO_HEADER;
@@ -1322,7 +1322,7 @@ static void note_digest_auth_failure(request_rec *r,
     }
 
     apr_table_mergen(r->err_headers_out,
-                   r->proxyreq ? "Proxy-Authenticate" : "WWW-Authenticate",
+                   (PROXYREQ_PROXY == r->proxyreq) ? "Proxy-Authenticate" : "WWW-Authenticate",
                    apr_psprintf(r->pool, "Digest realm=\"%s\", nonce=\"%s\", "
                                         "algorithm=%s%s%s%s%s",
                                ap_auth_name(r), nonce, conf->algorithm,
@@ -2050,7 +2050,7 @@ static int add_auth_info(request_rec *r)
 
     if (ai && ai[0])
        apr_table_mergen(r->headers_out,
-                       r->proxyreq ? "Proxy-Authentication-Info"
+                       (PROXYREQ_PROXY == r->proxyreq) ? "Proxy-Authentication-Info"
                                    : "Authentication-Info",
                        ai);
     return OK;

diff --git a/modules/http/http_request.c b/modules/http/http_request.c
index 1c7018bad58a22982dc2e2a483f522f2c290c138..5e528a4ec7e596586c5416782da42024cc3fa240 100644 (file)
--- a/modules/http/http_request.c
+++ b/modules/http/http_request.c
@@ -135,7 +135,7 @@ AP_DECLARE(void) ap_die(int type, request_rec *r)
      * about proxy authentication.  They treat it like normal auth, and then
      * we tweak the status.
      */
-    if (r->status == HTTP_UNAUTHORIZED && r->proxyreq) {
+    if (HTTP_UNAUTHORIZED == r->status && PROXYREQ_PROXY == r->proxyreq) {
         r->status = HTTP_PROXY_AUTHENTICATION_REQUIRED;
     }
 

diff --git a/modules/http/mod_mime.c b/modules/http/mod_mime.c
index e11bde869a59eb2a74cc2c7dfff8343adcf6a683..bbeee8fe3d81990b2c817f414a9cab024505a15c 100644 (file)
--- a/modules/http/mod_mime.c
+++ b/modules/http/mod_mime.c
@@ -720,10 +720,7 @@ static int find_ct(request_rec *r)
 
         /* Check for a special handler, but not for proxy request */
         if ((type = apr_table_get(conf->handlers, ext))
-#if 0  
-       /* XXX fix me when the proxy code is updated */
-           && r->proxyreq == NOT_PROXY) 
-#endif
+           && (PROXYREQ_NONE == r->proxyreq) 
         ) {
             r->handler = type;
             found = 1;

diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
index 96863d9bc47919ff6f8e2c88670824e696044f7d..a5c4563bff36cc636d6d99a43ef026969c2d01b4 100644 (file)
--- a/modules/mappers/mod_rewrite.c
+++ b/modules/mappers/mod_rewrite.c
@@ -1127,7 +1127,7 @@ static int hook_uri2file(request_rec *r)
             }
 
             /* now make sure the request gets handled by the proxy handler */
-            r->proxyreq = 1;
+            r->proxyreq = PROXYREQ_REVERSE;
             r->handler  = "proxy-server";
 
             rewritelog(r, 1, "go-ahead with proxy request %s [OK]",
@@ -1378,7 +1378,7 @@ static int hook_fixup(request_rec *r)
             }
 
             /* now make sure the request gets handled by the proxy handler */
-            r->proxyreq = 1;
+            r->proxyreq = PROXYREQ_REVERSE;
             r->handler  = "proxy-server";
 
             rewritelog(r, 1, "[per-dir %s] go-ahead with proxy request "

diff --git a/server/protocol.c b/server/protocol.c
index aa8308e05d324caf3f092925ab370d7e8d151824..978ad7e888a4cd2fbb22e56ca4ecd0a20d7feaba 100644 (file)
--- a/server/protocol.c
+++ b/server/protocol.c
@@ -1081,7 +1081,7 @@ AP_DECLARE(void) ap_note_basic_auth_failure(request_rec *r)
         ap_note_auth_failure(r);
     else
         apr_table_setn(r->err_headers_out,
-                  r->proxyreq ? "Proxy-Authenticate" : "WWW-Authenticate",
+                  (PROXYREQ_PROXY == r->proxyreq) ? "Proxy-Authenticate" : "WWW-Authenticate",
                   apr_pstrcat(r->pool, "Basic realm=\"", ap_auth_name(r), "\"",
                           NULL));
 }
@@ -1089,7 +1089,7 @@ AP_DECLARE(void) ap_note_basic_auth_failure(request_rec *r)
 AP_DECLARE(void) ap_note_digest_auth_failure(request_rec *r)
 {
     apr_table_setn(r->err_headers_out,
-           r->proxyreq ? "Proxy-Authenticate" : "WWW-Authenticate",
+           (PROXYREQ_PROXY == r->proxyreq) ? "Proxy-Authenticate" : "WWW-Authenticate",
            apr_psprintf(r->pool, "Digest realm=\"%s\", nonce=\"%llx\"",
                ap_auth_name(r), r->request_time));
 }
@@ -1097,7 +1097,7 @@ AP_DECLARE(void) ap_note_digest_auth_failure(request_rec *r)
 AP_DECLARE(int) ap_get_basic_auth_pw(request_rec *r, const char **pw)
 {
     const char *auth_line = apr_table_get(r->headers_in,
-                                      r->proxyreq ? "Proxy-Authorization"
+                                      (PROXYREQ_PROXY == r->proxyreq) ? "Proxy-Authorization"
                                                   : "Authorization");
     const char *t;