You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Jon Snow <js...@gatesec.net> on 2005/07/28 02:02:36 UTC

[users@httpd] proxy_ftp base href breaks authorization

Hi,

I run a forward proxy using mod_ftp_proxy through a forward proxy heirarchy. 
The proxy in question is the last in the chain and communicates with the 
Internet. Mod_proxy_ftp will successfully return a directory listing after 
authentication to an FTP site using a user:password combination in the URL. 
The listing html code includes a BASE HREF tag in the HEAD section returned 
in the response to the client. This BASE HREF contains the form ftp://
user@example.com. This overrides the browser base retrieving URL and as there 
is no password included there is a further requirement for an alternate 
method of authentication otherwise the client will need to authenticate for 
every link that is selected. On most browsers I have tested (mozilla, 
firefox, konqueror) this will be done with the Authorization: header and will 
work through the proxy but unfortunately not on my client's IE 6.0 build. 
There is no Authorization header supplied on the initial or subsequent 
requests and so every time a link in the FTP listing is selected the 
authentication process is repeated.

I am assuming at this stage this problem is particular to my client's IE build  
but I am questioning the use of the BASE HREF. I would have thought if a BASE 
HREF is returned it would be of the form ftp://user:password@example.com but 
as the browser already knows this as it's base URL there would be no 
requirement for the BASE HREF in the returned html anyway. The current BASE 
HREF without the password is breaking the links when the Authorization header 
is not being used, but whether the header is used or not the BASE HREF URL 
provides no additional information to the browser.

I have removed the BASE part in the proxy module code and this gets around the 
problem as the browser always sends the user:password in the URL. This then 
simulates squid behaviour.

Does anyone have any idea why/whether the BASE HREF is required in the 
proxy_ftp html code returned to the client?

Thanks,
Jon


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org