Posted to apache-bugdb@apache.org by Kevin Broadey <ke...@ats.uk.eds.com> on 1997/12/17 15:36:04 UTC

mod_proxy/1567: ProxyRemote proxy requests fail authentication by firewall

>Number:         1567
>Category:       mod_proxy
>Synopsis:       ProxyRemote proxy requests fail authentication by firewall
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Wed Dec 17 06:40:01 PST 1997
>Last-Modified:
>Originator:     kevin.broadey@ats.uk.eds.com
>Organization:
apache
>Release:        1.3b3
>Environment:
AIX 4.2
uname -a = AIX jobby 2 4 000810644C00
>Description:
With apache-1.2.4 my httpd.conf file contains the following VirtualHost
section...

Listen www-proxy.ats:8082
<VirtualHost www-proxy.ats:8082>
  ServerName		www-proxy.ats
  ProxyRequests		On
  ProxyRemote		*		http://internet2.eds.com:81
</VirtualHost>

My browser (Netscape Navigator 3.0) is set to make proxy requests to
www-proxy.ats:8082 for all URLs outside the company intranet.  The
ProxyRemote directive in this virtual host forwards them to a firewall
(internet2).

When I attempt to access a URL outside the intranet the firewall
requests a user ID and password.  I enter these in the normal
Navigator dialog box and my request goes out on the internet.

I have tried the same virtual host setting with apache-1.3b3 and it
does not work.  The firewall requests authentication as before and
Navigator pops up its dialog box, but when I enter the correct user ID
and password Navigator comes back with a "Proxy Authorization Failed -
Retry" dialog box.



This problem seems to be restricted to ProxyRemote authentication.  My
apache-1.2.4 httpd.conf also contains this...

Listen www-proxy.ats:8080
<VirtualHost www-proxy.ats:8080>
  ServerName		www-proxy.ats
  ProxyRequests		On
</VirtualHost>

This virtual host allows users on our office LAN to get out onto the
company intranet (the apache server sits on both networks).  Navigator
is set to make proxy requests to www-proxy.ats:8080 for URLs within
the company intranet.  Apache goes and fetches the URL and returns it
to the browser.  If the intranet server requests authentication then
Navigator prompts as before and the request is granted.  This works
for both 1.2.4 and 1.3b3.

-- 
Kevin Broadey, Software Development Manager,    _/_/_/ _/_/_/    _/_/
EDS Ltd, 1-3 Bartley Wood Business Park,       _/     _/    _/ _/
Bartley Way, Hook, Hants, RG27 9XA, England.  _/_/   _/    _/   _/
Tel: +44 1256 748889  Fax: +44 1256 748781   _/     _/    _/     _/
mailto:kevin.broadey@bartley.demon.co.uk    _/_/_/ _/_/_/    _/_/
mailto:kevin.broadey@ats.uk.eds.com
>How-To-Repeat:
1. Set up a firewall proxy server that always requests user authentication.

2. Configure an apache-1.3b3 virtual host to ProxyRemote all proxy requests to the
firewall proxy server.

3. Configure a browser to send proxy requests to the apache-1.3b3 proxy.

4. Use the browser to visit a URL that requires the use of the proxy.

=> The user authentication at the firewall should fail.

Repeat the above with apache-1.2.4.  This should work correctly.
>Fix:
No%2
>Audit-Trail:
>Unformatted:
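Added example, not part of the original report or of Apache's code: a stand-in for the always-authenticating firewall proxy of How-To-Repeat step 1. It logs, per request, whether the Proxy-Authorization header was absent at this hop, present but wrong, or valid. The credentials, realm name and port 8181 are constructed for the test.

```python
import base64
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed test credentials (assumption, not taken from the report).
USER, PASSWORD = "testuser", "testpass"

def classify(headers):
    """Return 'ok', 'missing' or 'bad' for a request's Proxy-Authorization."""
    value = headers.get("Proxy-Authorization")
    if value is None:
        return "missing"          # no credential reached this hop at all
    scheme, _, blob = value.partition(" ")
    if scheme.lower() != "basic":
        return "bad"              # this stub only accepts Basic
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("latin-1")
    except ValueError:            # binascii.Error is a ValueError subclass
        return "bad"
    return "ok" if decoded == f"{USER}:{PASSWORD}" else "bad"

class Firewall(BaseHTTPRequestHandler):
    """Answers every proxied GET with 407 until valid credentials arrive."""
    def do_GET(self):
        verdict = classify(self.headers)
        # One line per request: separates an absent header from a wrong password.
        print(f"{self.client_address[0]} {self.path} proxy-auth={verdict}")
        if verdict == "ok":
            body = b"authenticated\n"
            self.send_response(200)
        else:
            body = b"proxy authentication required\n"
            self.send_response(407)
            self.send_header("Proxy-Authenticate", 'Basic realm="test-firewall"')
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    # Arbitrary local port; use it as the ProxyRemote target in step 2,
    # e.g. ProxyRemote * http://127.0.0.1:8181
    HTTPServer(("127.0.0.1", 8181), Firewall).serve_forever()
```

Running the same browser session through each Apache version and comparing the proxy-auth= values in the log shows which of the three cases the stub saw on the retry after the password dialog.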