Posted to dev@httpd.apache.org by Graham Leggett <mi...@sharp.fm> on 1999/04/29 16:34:07 UTC

[PATCH] Re: Help with reverse proxy and authentication

Dirk-Willem van Gulik wrote:

> Unfortunately the answer is not so simple. Are you in a great hurry?
> If not, I am currently completing a consultancy, which includes a
> solution for part of this problem. I intend to silently put this into
> Apache two weeks after the last deliverable is accepted, and I
> think it would be a good idea to do the reverse proxy as well.

I decided to investigate where Apache decided that the request was to be
handled by the proxy, and change this from a simple noproxy / proxy
arrangement to three states - NONE, PROXY and REVERSE with the values 0,
1 and 2 respectively. Most of the code tests proxyreq for non zero
status, only the authenticate code cares whether it's REVERSE or PROXY.

The patches are attached.

Can you tell me if my solution is too simplistic? I have tested it, and
it seems to work, but a second opinion would be great.

Regards,
Graham
-- 
-----------------------------------------
minfrin@sharp.fm		"There's a moon
					over Bourbon Street
						tonight...

Re: [PATCH] Re: Help with reverse proxy and authentication

Posted by "Dirk-Willem van Gulik (kim)" <di...@webweaving.org>.
Graham Leggett wrote:
 
> I decided to investigate where Apache decided that the request was to be
> handled by the proxy, and change this from a simple noproxy / proxy
> arrangement to three states - NONE, PROXY and REVERSE with the values 0,
> 1 and 2 respectively. Most of the code tests proxyreq for non zero
> status, only the authenticate code cares whether it's REVERSE or PROXY.
> 
> The patches are attached.
> 
> Can you tell me if my solution is too simplistic? I have tested it, and
> it seems to work, but a second opinion would be great.

I have to try this a lot better; and check for the chained case of having
more than one proxy in a row. But the principle is most certainly sound
and certainly the way to go. And I like how general this is; as you could
also use it in the future for things like the FTP proxying.

My compliments. Just submit it, I'd say!

Dw.

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> 2a3,5
> >   *) Fixed proxy/www authentication mixup when authenticating reverse proxied
> >      URLs. [Graham Leggett <mi...@sharp.fm>]
> >
> 
>   ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> *** src/include/httpd-old.h     Thu Apr 29 15:31:08 1999
> --- src/include/httpd.h Thu Apr 29 15:04:59 1999
> ***************
> *** 653,659 ****
>       char *the_request;                /* First line of request, so we can log it */
>       int assbackwards;         /* HTTP/0.9, "simple" request */
>       int proxyreq;             /* A proxy request (calculated during
> !                                * post_read_request or translate_name) */
>       int header_only;          /* HEAD request, as opposed to GET */
>       char *protocol;           /* Protocol, as given to us, or HTTP/0.9 */
>       int proto_num;            /* Number version of protocol; 1.1 = 1001 */
> --- 653,661 ----
>       char *the_request;                /* First line of request, so we can log it */
>       int assbackwards;         /* HTTP/0.9, "simple" request */
>       int proxyreq;             /* A proxy request (calculated during
> !                                * post_read_request or translate_name)
> !                                * possible values PROXYREQ_NONE,
> !                                * PROXYREQ_PROXY, PROXYREQ_REVERSE */
>       int header_only;          /* HEAD request, as opposed to GET */
>       char *protocol;           /* Protocol, as given to us, or HTTP/0.9 */
>       int proto_num;            /* Number version of protocol; 1.1 = 1001 */
> ***************
> *** 780,786 ****
> --- 782,797 ----
>    */
>   };
> 
> + /* Possible values of request_rec->proxyreq. A request could be normal,
> +  * proxied or reverse proxied. Normally proxied and reverse proxied are
> +  * grouped together as just "proxied", but sometimes it's necessary to
> +  * tell the difference between the two, such as for authentication.
> +  */
> 
> + #define PROXYREQ_NONE 0
> + #define PROXYREQ_PROXY 1
> + #define PROXYREQ_REVERSE 2
> +
>   /* Things which are per connection
>    */
> 
> 
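
Review bot: request_rec->proxyreq stays a plain int and PROXYREQ_PROXY keeps the old value 1, so any code outside this patch that still assigns a bare 1 on a reverse-proxy path will compile without warning and keep being answered with Proxy-Authenticate. The comment above the #defines should state that modules must assign one of the three constants, and that a truth test such as if (r->proxyreq) now only means "proxied in either direction".
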
>   ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> *** src/modules/standard/mod_digest-old.c       Thu Apr 29 15:29:16 1999
> --- src/modules/standard/mod_digest.c   Thu Apr 29 15:19:23 1999
> ***************
> *** 137,143 ****
>   static int get_digest_rec(request_rec *r, digest_header_rec * response)
>   {
>       const char *auth_line = ap_table_get(r->headers_in,
> !                                     r->proxyreq ? "Proxy-Authorization"
>                                       : "Authorization");
>       int l;
>       int s, vk = 0, vv = 0;
> --- 137,143 ----
>   static int get_digest_rec(request_rec *r, digest_header_rec * response)
>   {
>       const char *auth_line = ap_table_get(r->headers_in,
> !                                     (r->proxyreq == PROXYREQ_PROXY) ? "Proxy-Authorization"
>                                       : "Authorization");
>       int l;
>       int s, vk = 0, vv = 0;
> 
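
Review bot: the header choice on the changed line, (r->proxyreq == PROXYREQ_PROXY) ? "Proxy-Authorization" : "Authorization", is repeated verbatim in ap_get_basic_auth_pw in http_protocol.c, and its mirror image for the challenge header appears twice more there. A single macro or helper beside the PROXYREQ_* defines in httpd.h would keep the request-header and challenge-header choices from drifting apart. The changed line also runs well past 80 columns and should be wrapped like the continuation line below it.
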
>   ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> *** src/modules/standard/mod_rewrite-old.c      Thu Apr 29 15:29:44 1999
> --- src/modules/standard/mod_rewrite.c  Thu Apr 29 15:22:29 1999
> ***************
> *** 1125,1131 ****
>               }
> 
>               /* now make sure the request gets handled by the proxy handler */
> !             r->proxyreq = 1;
>               r->handler  = "proxy-server";
> 
>               rewritelog(r, 1, "go-ahead with proxy request %s [OK]",
> --- 1125,1131 ----
>               }
> 
>               /* now make sure the request gets handled by the proxy handler */
> !             r->proxyreq = PROXYREQ_REVERSE;
>               r->handler  = "proxy-server";
> 
>               rewritelog(r, 1, "go-ahead with proxy request %s [OK]",
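
Review bot: r->proxyreq = PROXYREQ_REVERSE; is assigned unconditionally, so a request already marked PROXYREQ_PROXY earlier in the request cycle (the httpd.h comment says the field is calculated during post_read_request or translate_name) is downgraded here and would then be challenged with WWW-Authenticate instead of Proxy-Authenticate. Consider promoting only from the unset state, for example if (r->proxyreq == PROXYREQ_NONE) r->proxyreq = PROXYREQ_REVERSE;, or say in the comment why a rewrite-triggered proxy pass is always a reverse one.
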
> ***************
> *** 1385,1391 ****
>               }
> 
>               /* now make sure the request gets handled by the proxy handler */
> !             r->proxyreq = 1;
>               r->handler  = "proxy-server";
> 
>               rewritelog(r, 1, "[per-dir %s] go-ahead with proxy request "
> --- 1385,1391 ----
>               }
> 
>               /* now make sure the request gets handled by the proxy handler */
> !             r->proxyreq = PROXYREQ_REVERSE;
>               r->handler  = "proxy-server";
> 
>               rewritelog(r, 1, "[per-dir %s] go-ahead with proxy request "
> 
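
Review bot: the per-directory go-ahead path also sets r->proxyreq = PROXYREQ_REVERSE; without looking at the current value, which overwrites a PROXYREQ_PROXY set earlier for a forward-proxy request and flips that request's authentication to the WWW-Authenticate / Authorization pair. Guard the assignment so it applies only while the field is still PROXYREQ_NONE.
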
>   ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> *** src/modules/proxy/mod_proxy-old.c   Thu Apr 29 15:28:12 1999
> --- src/modules/proxy/mod_proxy.c       Thu Apr 29 15:25:04 1999
> ***************
> *** 153,159 ****
>             && !strcasecmp(r->parsed_uri.scheme, ap_http_method(r))
>             && ap_matches_request_vhost(r, r->parsed_uri.hostname,
>                  r->parsed_uri.port_str ? r->parsed_uri.port : ap_default_port(r)))) {
> !           r->proxyreq = 1;
>             r->uri = r->unparsed_uri;
>             r->filename = ap_pstrcat(r->pool, "proxy:", r->uri, NULL);
>             r->handler = "proxy-server";
> --- 153,159 ----
>             && !strcasecmp(r->parsed_uri.scheme, ap_http_method(r))
>             && ap_matches_request_vhost(r, r->parsed_uri.hostname,
>                  r->parsed_uri.port_str ? r->parsed_uri.port : ap_default_port(r)))) {
> !           r->proxyreq = PROXYREQ_PROXY;
>             r->uri = r->unparsed_uri;
>             r->filename = ap_pstrcat(r->pool, "proxy:", r->uri, NULL);
>             r->handler = "proxy-server";
> ***************
> *** 163,169 ****
>       else if (conf->req && r->method_number == M_CONNECT
>              && r->parsed_uri.hostname
>              && r->parsed_uri.port_str) {
> !           r->proxyreq = 1;
>             r->uri = r->unparsed_uri;
>             r->filename = ap_pstrcat(r->pool, "proxy:", r->uri, NULL);
>             r->handler = "proxy-server";
> --- 163,169 ----
>       else if (conf->req && r->method_number == M_CONNECT
>              && r->parsed_uri.hostname
>              && r->parsed_uri.port_str) {
> !           r->proxyreq = PROXYREQ_PROXY;
>             r->uri = r->unparsed_uri;
>             r->filename = ap_pstrcat(r->pool, "proxy:", r->uri, NULL);
>             r->handler = "proxy-server";
> ***************
> *** 198,204 ****
>              r->filename = ap_pstrcat(r->pool, "proxy:", ent[i].real,
>                                    r->uri + len, NULL);
>              r->handler = "proxy-server";
> !            r->proxyreq = 1;
>              return OK;
>         }
>       }
> --- 198,204 ----
>              r->filename = ap_pstrcat(r->pool, "proxy:", ent[i].real,
>                                    r->uri + len, NULL);
>              r->handler = "proxy-server";
> !            r->proxyreq = PROXYREQ_REVERSE;
>              return OK;
>         }
>       }
> ***************
> *** 304,310 ****
>         int maxfwd = strtol(maxfwd_str, NULL, 10);
>         if (maxfwd < 1) {
>             int access_status;
> !           r->proxyreq = 0;
>             if ((access_status = ap_send_http_trace(r)))
>                 ap_die(access_status, r);
>             else
> --- 304,310 ----
>         int maxfwd = strtol(maxfwd_str, NULL, 10);
>         if (maxfwd < 1) {
>             int access_status;
> !           r->proxyreq = PROXYREQ_NONE;
>             if ((access_status = ap_send_http_trace(r)))
>                 ap_die(access_status, r);
>             else
> 
>   ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> *** src/main/http_protocol-old.c        Thu Apr 29 15:27:46 1999
> --- src/main/http_protocol.c    Thu Apr 29 15:19:49 1999
> ***************
> *** 1109,1115 ****
>           ap_note_auth_failure(r);
>       else
>           ap_table_setn(r->err_headers_out,
> !                   r->proxyreq ? "Proxy-Authenticate" : "WWW-Authenticate",
>                     ap_pstrcat(r->pool, "Basic realm=\"", ap_auth_name(r), "\"",
>                             NULL));
>   }
> --- 1109,1115 ----
>           ap_note_auth_failure(r);
>       else
>           ap_table_setn(r->err_headers_out,
> !                   (r->proxyreq == PROXYREQ_PROXY) ? "Proxy-Authenticate" : "WWW-Authenticate",
>                     ap_pstrcat(r->pool, "Basic realm=\"", ap_auth_name(r), "\"",
>                             NULL));
>   }
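
Review bot: nothing at the changed line says why a PROXYREQ_REVERSE request takes the WWW-Authenticate branch, and the == PROXYREQ_PROXY test is exactly what a later cleanup could "simplify" back to r->proxyreq. A short comment here, noting that a reverse-proxied client sees this server as the origin and so must receive the origin-server challenge, would protect the fix. The line also needs wrapping to stay within the file's column limit.
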
> ***************
> *** 1117,1123 ****
>   API_EXPORT(void) ap_note_digest_auth_failure(request_rec *r)
>   {
>       ap_table_setn(r->err_headers_out,
> !           r->proxyreq ? "Proxy-Authenticate" : "WWW-Authenticate",
>             ap_psprintf(r->pool, "Digest realm=\"%s\", nonce=\"%lu\"",
>                 ap_auth_name(r), r->request_time));
>   }
> --- 1117,1123 ----
>   API_EXPORT(void) ap_note_digest_auth_failure(request_rec *r)
>   {
>       ap_table_setn(r->err_headers_out,
> !           (r->proxyreq == PROXYREQ_PROXY) ? "Proxy-Authenticate" : "WWW-Authenticate",
>             ap_psprintf(r->pool, "Digest realm=\"%s\", nonce=\"%lu\"",
>                 ap_auth_name(r), r->request_time));
>   }
> ***************
> *** 1125,1131 ****
>   API_EXPORT(int) ap_get_basic_auth_pw(request_rec *r, const char **pw)
>   {
>       const char *auth_line = ap_table_get(r->headers_in,
> !                                       r->proxyreq ? "Proxy-Authorization"
>                                                     : "Authorization");
>       const char *t;
> 
> --- 1125,1131 ----
>   API_EXPORT(int) ap_get_basic_auth_pw(request_rec *r, const char **pw)
>   {
>       const char *auth_line = ap_table_get(r->headers_in,
> !                                       (r->proxyreq == PROXYREQ_PROXY) ? "Proxy-Authorization"
>                                                     : "Authorization");
>       const char *t;
> 
> 
>   ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> *** src/modules/proxy/proxy_ftp-old.c   Thu Apr 29 15:28:26 1999
> --- src/modules/proxy/proxy_ftp.c       Thu Apr 29 15:25:40 1999
> ***************
> *** 419,425 ****
>    */
>   static int ftp_unauthorized (request_rec *r, int log_it)
>   {
> !     r->proxyreq = 0;
>       /* Log failed requests if they supplied a password
>        * (log username/password guessing attempts)
>        */
> --- 419,425 ----
>    */
>   static int ftp_unauthorized (request_rec *r, int log_it)
>   {
> !     r->proxyreq = PROXYREQ_NONE;
>       /* Log failed requests if they supplied a password
>        * (log username/password guessing attempts)
>        */
> 
>   ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> *** src/main/http_request-old.c Thu Apr 29 15:27:59 1999
> --- src/main/http_request.c     Thu Apr 29 15:18:03 1999
> ***************
> *** 981,987 ****
>        * about proxy authentication.  They treat it like normal auth, and then
>        * we tweak the status.
>        */
> !     if (r->status == AUTH_REQUIRED && r->proxyreq) {
>           r->status = HTTP_PROXY_AUTHENTICATION_REQUIRED;
>       }
> 
> --- 981,987 ----
>        * about proxy authentication.  They treat it like normal auth, and then
>        * we tweak the status.
>        */
> !     if (r->status == AUTH_REQUIRED && r->proxyreq == PROXYREQ_PROXY) {
>           r->status = HTTP_PROXY_AUTHENTICATION_REQUIRED;
>       }
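
Review bot: the comment above the changed test still describes proxy authentication in general ("They treat it like normal auth, and then we tweak the status"), but the rewrite of AUTH_REQUIRED to HTTP_PROXY_AUTHENTICATION_REQUIRED now happens only when r->proxyreq == PROXYREQ_PROXY. Update the comment to say that reverse-proxied requests deliberately keep AUTH_REQUIRED, so the status line stays consistent with the WWW-Authenticate header chosen in http_protocol.c.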
>