Posted to dev@httpd.apache.org by sameer <sa...@c2.net> on 1997/07/17 07:35:33 UTC

proxy auth

	I had no comments on my proxy auth thing so I wrote up the
patch. Included here. This enables 407 responses if r->proxyreq is
set, and squishes the Proxy-Authorization header so it doesn't get
passed on to the remote server.

	I've tested this with NS 3.01, and it worked.


Index: CHANGES
===================================================================
RCS file: /export/home/cvs/apache/src/CHANGES,v
retrieving revision 1.339
diff -c -r1.339 CHANGES
*** CHANGES	1997/07/16 23:14:22	1.339
--- CHANGES	1997/07/17 05:29:21
***************
*** 1,5 ****
--- 1,8 ----
  Changes with Apache 1.3
  
+   *) Support Proxy Authentication, and don't pass the Proxy-Authorize
+      header to the remote host in the proxy. [Sameer Parekh]
+ 
    *) Extended SSI (mod_include) now handles additional relops for
       string comparisons (<, >, <=, and >=).  [Bruno Wolff III] PR#41
  
Index: http_protocol.c
===================================================================
RCS file: /export/home/cvs/apache/src/http_protocol.c,v
retrieving revision 1.139
diff -c -r1.139 http_protocol.c
*** http_protocol.c	1997/07/15 22:36:51	1.139
--- http_protocol.c	1997/07/17 05:29:47
***************
*** 896,902 ****
      if (strcasecmp(auth_type(r), "Basic"))
        note_auth_failure(r);
      else
!       table_set (r->err_headers_out, "WWW-Authenticate",
  		 pstrcat(r->pool, "Basic realm=\"", auth_name(r), "\"", NULL));
  }
  
--- 896,903 ----
      if (strcasecmp(auth_type(r), "Basic"))
        note_auth_failure(r);
      else
!       table_set (r->err_headers_out, r->proxyreq ? "Proxy-Authenticate" : 
! 		                                   "WWW-Authenticate",
  		 pstrcat(r->pool, "Basic realm=\"", auth_name(r), "\"", NULL));
  }
  
***************
*** 905,918 ****
      char nonce[256];
  
      ap_snprintf(nonce, sizeof(nonce), "%lu", r->request_time);
!     table_set (r->err_headers_out, "WWW-Authenticate",
                 pstrcat(r->pool, "Digest realm=\"", auth_name(r),
                         "\", nonce=\"", nonce, "\"", NULL));
  }
  
  API_EXPORT(int) get_basic_auth_pw (request_rec *r, char **pw)
  {
!     const char *auth_line = table_get (r->headers_in, "Authorization");
      char *t;
      
      if(!(t = auth_type(r)) || strcasecmp(t, "Basic"))
--- 906,922 ----
      char nonce[256];
  
      ap_snprintf(nonce, sizeof(nonce), "%lu", r->request_time);
!     table_set (r->err_headers_out, r->proxyreq ? "Proxy-Authenticate" : 
! 		                                 "WWW-Authenticate",
                 pstrcat(r->pool, "Digest realm=\"", auth_name(r),
                         "\", nonce=\"", nonce, "\"", NULL));
  }
  
  API_EXPORT(int) get_basic_auth_pw (request_rec *r, char **pw)
  {
!     const char *auth_line = table_get (r->headers_in, r->proxyreq ? 
! 				                      "Proxy-Authorization" :
! 	                                              "Authorization");
      char *t;
      
      if(!(t = auth_type(r)) || strcasecmp(t, "Basic"))
***************
*** 925,938 ****
      
      if(!auth_line) {
          note_basic_auth_failure (r);
! 	return AUTH_REQUIRED;
      }
  
      if (strcmp(getword (r->pool, &auth_line, ' '), "Basic")) {
          /* Client tried to authenticate using wrong auth scheme */
          log_reason ("client used wrong authentication scheme", r->uri, r);
          note_basic_auth_failure (r);
! 	return AUTH_REQUIRED;
      }
  
      t = uudecode (r->pool, auth_line);
--- 929,944 ----
      
      if(!auth_line) {
          note_basic_auth_failure (r);
! 	return (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED : 
! 	                      AUTH_REQUIRED);
      }
  
      if (strcmp(getword (r->pool, &auth_line, ' '), "Basic")) {
          /* Client tried to authenticate using wrong auth scheme */
          log_reason ("client used wrong authentication scheme", r->uri, r);
          note_basic_auth_failure (r);
! 	return (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED : 
! 	                      AUTH_REQUIRED);
      }
  
      t = uudecode (r->pool, auth_line);
***************
*** 1692,1697 ****
--- 1698,1704 ----
                   "Vary",
                   "Warning",
                   "WWW-Authenticate",
+ 		 "Proxy-Authenticate",
                   NULL);
  
          terminate_header(r->connection->client);
***************
*** 1797,1802 ****
--- 1804,1810 ----
  		   escape_html(r->pool, location), "<BR>\nYou will need to ",
                     "configure your client to use that proxy.<P>\n", NULL);
  	    break;
+ 	case HTTP_PROXY_AUTHENTICATION_REQUIRED:
  	case AUTH_REQUIRED:
  	    bputs("This server could not verify that you\n", fd);
  	    bputs("are authorized to access the document you\n", fd);
Index: mod_auth.c
===================================================================
RCS file: /export/home/cvs/apache/src/mod_auth.c,v
retrieving revision 1.18
diff -c -r1.18 mod_auth.c
*** mod_auth.c	1997/07/15 22:36:51	1.18
--- mod_auth.c	1997/07/17 05:29:52
***************
*** 203,216 ****
          ap_snprintf(errstr, sizeof(errstr), "user %s not found",c->user);
  	log_reason (errstr, r->uri, r);
  	note_basic_auth_failure (r);
! 	return AUTH_REQUIRED;
      }
      /* anyone know where the prototype for crypt is? */
      if(strcmp(real_pw,(char *)crypt(sent_pw,real_pw))) {
          ap_snprintf(errstr, sizeof(errstr), "user %s: password mismatch",c->user);
  	log_reason (errstr, r->uri, r);
  	note_basic_auth_failure (r);
! 	return AUTH_REQUIRED;
      }
      return OK;
  }
--- 203,218 ----
          ap_snprintf(errstr, sizeof(errstr), "user %s not found",c->user);
  	log_reason (errstr, r->uri, r);
  	note_basic_auth_failure (r);
! 	return (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED : 
! 		              AUTH_REQUIRED);
      }
      /* anyone know where the prototype for crypt is? */
      if(strcmp(real_pw,(char *)crypt(sent_pw,real_pw))) {
          ap_snprintf(errstr, sizeof(errstr), "user %s: password mismatch",c->user);
  	log_reason (errstr, r->uri, r);
  	note_basic_auth_failure (r);
! 	return (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED :
! 		              AUTH_REQUIRED);
      }
      return OK;
  }
***************
*** 277,283 ****
        return DECLINED;
  
      note_basic_auth_failure (r);
!     return AUTH_REQUIRED;
  }
  
  module MODULE_VAR_EXPORT auth_module = {
--- 279,285 ----
        return DECLINED;
  
      note_basic_auth_failure (r);
!     return (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED : AUTH_REQUIRED);
  }
  
  module MODULE_VAR_EXPORT auth_module = {
Index: mod_auth_anon.c
===================================================================
RCS file: /export/home/cvs/apache/src/mod_auth_anon.c,v
retrieving revision 1.16
diff -c -r1.16 mod_auth_anon.c
*** mod_auth_anon.c	1997/06/17 00:09:13	1.16
--- mod_auth_anon.c	1997/07/17 05:29:55
***************
*** 251,257 ****
  		"Anonymous: Authoritative, Passwd <%s> not accepted",
  		send_pw ? send_pw : "\'none\'");
  	log_error(errstr,r->server);
! 	return AUTH_REQUIRED;
  	}
  	/* Drop out the bottom to return DECLINED */
      }
--- 251,258 ----
  		"Anonymous: Authoritative, Passwd <%s> not accepted",
  		send_pw ? send_pw : "\'none\'");
  	log_error(errstr,r->server);
! 	return (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED :
!                               AUTH_REQUIRED);
  	}
  	/* Drop out the bottom to return DECLINED */
      }
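Review bot: No `note_basic_auth_failure (r)` call is visible before the changed return in this hunk, unlike the failure paths touched in the other auth modules. If none precedes it outside the hunk, a proxy request rejected here gets a 407 without a `Proxy-Authenticate` challenge, which RFC 2068 requires on that status. Adding `note_basic_auth_failure (r);` ahead of the return would keep the status and the challenge header in step. The enclosing function starts and ends outside the hunk, so this needs checking against the full file.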
Index: mod_auth_db.c
===================================================================
RCS file: /export/home/cvs/apache/src/mod_auth_db.c,v
retrieving revision 1.12
diff -c -r1.12 mod_auth_db.c
*** mod_auth_db.c	1997/04/24 10:16:55	1.12
--- mod_auth_db.c	1997/07/17 05:30:04
***************
*** 204,210 ****
          ap_snprintf(errstr, sizeof(errstr), "DB user %s not found", c->user);
  	log_reason (errstr, r->filename, r);
  	note_basic_auth_failure (r);
! 	return AUTH_REQUIRED;
      }    
      /* Password is up to first : if exists */
      colon_pw = strchr(real_pw,':');
--- 204,211 ----
          ap_snprintf(errstr, sizeof(errstr), "DB user %s not found", c->user);
  	log_reason (errstr, r->filename, r);
  	note_basic_auth_failure (r);
! 	return (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED :
! 		              AUTH_REQUIRED);
      }    
      /* Password is up to first : if exists */
      colon_pw = strchr(real_pw,':');
***************
*** 215,221 ****
  		"user %s: password mismatch",c->user);
  	log_reason (errstr, r->uri, r);
  	note_basic_auth_failure (r);
! 	return AUTH_REQUIRED;
      }
      return OK;
  }
--- 216,223 ----
  		"user %s: password mismatch",c->user);
  	log_reason (errstr, r->uri, r);
  	note_basic_auth_failure (r);
! 	return (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED :
!                               AUTH_REQUIRED);
      }
      return OK;
  }
***************
*** 259,265 ****
  			user, sec->auth_dbgrpfile);
  	       log_reason (errstr, r->filename, r);
  	       note_basic_auth_failure (r);
! 	       return AUTH_REQUIRED;
             }
             orig_groups = groups;
             while(t[0]) {
--- 261,268 ----
  			user, sec->auth_dbgrpfile);
  	       log_reason (errstr, r->filename, r);
  	       note_basic_auth_failure (r);
! 	       return (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED :
!                                      AUTH_REQUIRED);
             }
             orig_groups = groups;
             while(t[0]) {
***************
*** 275,281 ****
  		"user %s not in right group",user);
  	   log_reason (errstr, r->filename, r);
             note_basic_auth_failure(r);
! 	   return AUTH_REQUIRED;
         }
      }
      
--- 278,285 ----
  		"user %s not in right group",user);
  	   log_reason (errstr, r->filename, r);
             note_basic_auth_failure(r);
! 	   return (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED :
!                                  AUTH_REQUIRED);
         }
      }
      
Index: mod_auth_dbm.c
===================================================================
RCS file: /export/home/cvs/apache/src/mod_auth_dbm.c,v
retrieving revision 1.16
diff -c -r1.16 mod_auth_dbm.c
*** mod_auth_dbm.c	1997/06/30 01:28:29	1.16
--- mod_auth_dbm.c	1997/07/17 05:30:07
***************
*** 197,203 ****
          ap_snprintf(errstr, sizeof(errstr), "DBM user %s not found", c->user);
  	log_reason (errstr, r->filename, r);
  	note_basic_auth_failure (r);
! 	return AUTH_REQUIRED;
      }    
      /* Password is up to first : if exists */
      colon_pw = strchr(real_pw,':');
--- 197,204 ----
          ap_snprintf(errstr, sizeof(errstr), "DBM user %s not found", c->user);
  	log_reason (errstr, r->filename, r);
  	note_basic_auth_failure (r);
! 	return (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED :
!                               AUTH_REQUIRED);
      }    
      /* Password is up to first : if exists */
      colon_pw = strchr(real_pw,':');
***************
*** 208,214 ****
  		"user %s: password mismatch",c->user);
  	log_reason (errstr, r->uri, r);
  	note_basic_auth_failure (r);
! 	return AUTH_REQUIRED;
      }
      return OK;
  }
--- 209,216 ----
  		"user %s: password mismatch",c->user);
  	log_reason (errstr, r->uri, r);
  	note_basic_auth_failure (r);
! 	return (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED :
!                               AUTH_REQUIRED);
      }
      return OK;
  }
***************
*** 252,258 ****
  			user, sec->auth_dbmgrpfile);
  	       log_reason (errstr, r->filename, r);
  	       note_basic_auth_failure (r);
! 	       return AUTH_REQUIRED;
             }
             orig_groups = groups;
             while(t[0]) {
--- 254,261 ----
  			user, sec->auth_dbmgrpfile);
  	       log_reason (errstr, r->filename, r);
  	       note_basic_auth_failure (r);
! 	       return (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED :
!                                      AUTH_REQUIRED);
             }
             orig_groups = groups;
             while(t[0]) {
***************
*** 268,274 ****
  		"user %s not in right group",user);
  	   log_reason (errstr, r->filename, r);
             note_basic_auth_failure(r);
! 	   return AUTH_REQUIRED;
         }
      }
      
--- 271,278 ----
  		"user %s not in right group",user);
  	   log_reason (errstr, r->filename, r);
             note_basic_auth_failure(r);
! 	   return (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED : 
!                                  AUTH_REQUIRED);
         }
      }
      
Index: mod_auth_msql.c
===================================================================
RCS file: /export/home/cvs/apache/src/mod_auth_msql.c,v
retrieving revision 1.20
diff -c -r1.20 mod_auth_msql.c
*** mod_auth_msql.c	1997/03/07 14:15:38	1.20
--- mod_auth_msql.c	1997/07/17 05:30:20
***************
*** 809,815 ****
            	   ap_snprintf(msql_errstr, MAX_STRING_LEN,
  			"mSQL: Password for user %s not found", c->user);
  		   note_basic_auth_failure (r);
! 		   res = AUTH_REQUIRED;
  		   } else {
  		   /* pass control on to the next authorization module.
  		    */
--- 809,816 ----
            	   ap_snprintf(msql_errstr, MAX_STRING_LEN,
  			"mSQL: Password for user %s not found", c->user);
  		   note_basic_auth_failure (r);
! 		   res = (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED :
! 			                AUTH_REQUIRED);
  		   } else {
  		   /* pass control on to the next authorization module.
  		    */
***************
*** 841,847 ****
  		"mSQL: user %s: Empty Password(s) Rejected",c->user);
  	log_reason (msql_errstr, r->uri, r);
  	note_basic_auth_failure (r);
! 	return AUTH_REQUIRED;
  	};
  
      if(sec->auth_msql_encrypted) {
--- 842,849 ----
  		"mSQL: user %s: Empty Password(s) Rejected",c->user);
  	log_reason (msql_errstr, r->uri, r);
  	note_basic_auth_failure (r);
! 	return (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED :
!                               AUTH_REQUIRED);
  	};
  
      if(sec->auth_msql_encrypted) {
***************
*** 860,866 ****
  		"mSQL user %s: password mismatch",c->user);
  	log_reason (msql_errstr, r->uri, r);
  	note_basic_auth_failure (r);
! 	return AUTH_REQUIRED;
      }
      return OK;
  }
--- 862,869 ----
  		"mSQL user %s: password mismatch",c->user);
  	log_reason (msql_errstr, r->uri, r);
  	note_basic_auth_failure (r);
! 	return (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED :
!                               AUTH_REQUIRED);
      }
      return OK;
  }
***************
*** 894,900 ****
  	        ap_snprintf(msql_errstr, MAX_STRING_LEN, "user %s denied, no access rules specified (MSQL-Authoritative) ",user);
  		log_reason (msql_errstr, r->uri, r);
  	        note_basic_auth_failure(r);
! 		return AUTH_REQUIRED;
  		};
  	return DECLINED;
   	};
--- 897,904 ----
  	        ap_snprintf(msql_errstr, MAX_STRING_LEN, "user %s denied, no access rules specified (MSQL-Authoritative) ",user);
  		log_reason (msql_errstr, r->uri, r);
  	        note_basic_auth_failure(r);
! 		return (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED :
! 			              AUTH_REQUIRED);
  		};
  	return DECLINED;
   	};
***************
*** 907,913 ****
          w = getword(r->pool, &t, ' ');
  
          if ((user_result != OK) && (!strcmp(w,"user"))) {
! 	    user_result=AUTH_REQUIRED;
              while(t[0]) {
                  w = getword_conf (r->pool, &t);
                  if (!strcmp(user,w)) {
--- 911,918 ----
          w = getword(r->pool, &t, ' ');
  
          if ((user_result != OK) && (!strcmp(w,"user"))) {
! 	    user_result=(r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED :
!                                        AUTH_REQUIRED);
              while(t[0]) {
                  w = getword_conf (r->pool, &t);
                  if (!strcmp(user,w)) {
***************
*** 919,925 ****
             	ap_snprintf(msql_errstr, MAX_STRING_LEN, "User %s not found (MSQL-Auhtorative)",user);
  		log_reason (msql_errstr, r->uri, r);
             	note_basic_auth_failure(r);
! 		return AUTH_REQUIRED;
  		};
          }
  
--- 924,931 ----
             	ap_snprintf(msql_errstr, MAX_STRING_LEN, "User %s not found (MSQL-Auhtorative)",user);
  		log_reason (msql_errstr, r->uri, r);
             	note_basic_auth_failure(r);
! 		return (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED :
!                                       AUTH_REQUIRED);
  		};
          }
  
***************
*** 930,936 ****
             ) {
  	   /* look up the membership for each of the groups in the table
              */
! 	   group_result=AUTH_REQUIRED;
             while ( (t[0]) && (group_result != OK) && (!msql_errstr[0]) ) {
                  if (get_msql_grp(r,getword(r->pool, &t, ' '),user,sec,msql_errstr)) {
  			group_result= OK;
--- 936,943 ----
             ) {
  	   /* look up the membership for each of the groups in the table
              */
! 	   group_result=(r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED :
!                                        AUTH_REQUIRED);
             while ( (t[0]) && (group_result != OK) && (!msql_errstr[0]) ) {
                  if (get_msql_grp(r,getword(r->pool, &t, ' '),user,sec,msql_errstr)) {
  			group_result= OK;
***************
*** 947,953 ****
             	ap_snprintf(msql_errstr, MAX_STRING_LEN, "user %s not in right groups (MSQL-Authoritative) ",user);
  		log_reason (msql_errstr, r->uri, r);
             	note_basic_auth_failure(r);
! 		return AUTH_REQUIRED;
  		};
             };
  
--- 954,961 ----
             	ap_snprintf(msql_errstr, MAX_STRING_LEN, "user %s not in right groups (MSQL-Authoritative) ",user);
  		log_reason (msql_errstr, r->uri, r);
             	note_basic_auth_failure(r);
! 		return (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED :
! 			              AUTH_REQUIRED);
  		};
             };
  
***************
*** 960,972 ****
       * returns are only if msql yielded a correct result. 
       * This really is not needed.
       */
!     if (((group_result == AUTH_REQUIRED) || (user_result == AUTH_REQUIRED)) && (sec->auth_msql_authoritative) ) {
          ap_snprintf(msql_errstr, MAX_STRING_LEN, "mSQL-Authoritative: Access denied on %s %s rule(s) ", 
! 		(group_result == AUTH_REQUIRED) ? "USER" : "", 
! 		(user_result == AUTH_REQUIRED) ? "GROUP" : ""
! 		);
  	log_reason (msql_errstr, r->uri, r);
! 	return AUTH_REQUIRED;
  	};
  
      if ( (user_result == OK) || (group_result == OK))
--- 968,988 ----
       * returns are only if msql yielded a correct result. 
       * This really is not needed.
       */
!     if (((group_result == (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED :
!                                          AUTH_REQUIRED)) ||
! 	 (user_result == (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED :
! 			                AUTH_REQUIRED))) &&
! 	(sec->auth_msql_authoritative)) {
          ap_snprintf(msql_errstr, MAX_STRING_LEN, "mSQL-Authoritative: Access denied on %s %s rule(s) ", 
! 		(group_result ==
! 		 (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED :
! 		                AUTH_REQUIRED)) ? "USER" : "", 
! 		(user_result ==
! 		 (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED :
! 		                AUTH_REQUIRED)) ? "GROUP" : "");
  	log_reason (msql_errstr, r->uri, r);
! 	return (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED :
! 		              AUTH_REQUIRED);
  	};
  
      if ( (user_result == OK) || (group_result == OK))
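Review bot: The rewritten `ap_snprintf` arguments still pair `group_result` with `"USER"` and `user_result` with `"GROUP"`, so the denial log line appears to name the wrong rule type. Since these lines are being rewritten anyway, the labels could be swapped so that the `user_result` comparison yields `"USER"` and the `group_result` comparison yields `"GROUP"`. An accurate label matters to whoever reads the access-denied log during an investigation. The enclosing function begins and ends outside the hunk.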
Index: mod_digest.c
===================================================================
RCS file: /export/home/cvs/apache/src/mod_digest.c,v
retrieving revision 1.14
diff -c -r1.14 mod_digest.c
*** mod_digest.c	1997/03/07 14:15:39	1.14
--- mod_digest.c	1997/07/17 05:30:25
***************
*** 142,155 ****
  
    if (!auth_line) {
      note_digest_auth_failure (r);
!     return AUTH_REQUIRED;
    }
  
    if (strcmp(getword (r->pool, &auth_line, ' '), "Digest")) {
      /* Client tried to authenticate using wrong auth scheme */
      log_reason ("client used wrong authentication scheme", r->uri, r);
      note_digest_auth_failure (r);
!     return AUTH_REQUIRED;
    }
  
    l = strlen(auth_line);
--- 142,155 ----
  
    if (!auth_line) {
      note_digest_auth_failure (r);
!     return (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED : AUTH_REQUIRED);
    }
  
    if (strcmp(getword (r->pool, &auth_line, ' '), "Digest")) {
      /* Client tried to authenticate using wrong auth scheme */
      log_reason ("client used wrong authentication scheme", r->uri, r);
      note_digest_auth_failure (r);
!     return (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED : AUTH_REQUIRED);
    }
  
    l = strlen(auth_line);
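Review bot: The `auth_line` tested at the top of this hunk is assigned outside it, and no hunk in the mod_digest.c section changes that assignment. If it still reads `table_get (r->headers_in, "Authorization")`, a proxy client answering the Digest `Proxy-Authenticate` challenge with `Proxy-Authorization` is never seen and gets 407 on every request. An `Authorization` header meant for the origin server would instead be evaluated against the proxy's realm. The lookup should mirror the change made to get_basic_auth_pw: `table_get (r->headers_in, r->proxyreq ? "Proxy-Authorization" : "Authorization")`. The enclosing function starts and ends outside the hunk.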
***************
*** 226,232 ****
    if (!response->username || !response->realm || !response->nonce ||
        !response->requested_uri || !response->digest) {
      note_digest_auth_failure (r);
!     return AUTH_REQUIRED;
    }
  
    r->connection->user = response->username;
--- 226,232 ----
    if (!response->username || !response->realm || !response->nonce ||
        !response->requested_uri || !response->digest) {
      note_digest_auth_failure (r);
!     return (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED : AUTH_REQUIRED);
    }
  
    r->connection->user = response->username;
***************
*** 280,293 ****
          ap_snprintf(errstr, sizeof(errstr), "user %s not found",c->user);
  	log_reason (errstr, r->uri, r);
  	note_digest_auth_failure (r);
! 	return AUTH_REQUIRED;
      }
      /* anyone know where the prototype for crypt is? */
      if(strcmp(response->digest, find_digest(r, response, a1))) {
          ap_snprintf(errstr, sizeof(errstr), "user %s: password mismatch",c->user);
  	log_reason (errstr, r->uri, r);
  	note_digest_auth_failure (r);
! 	return AUTH_REQUIRED;
      }
      return OK;
  }
--- 280,295 ----
          ap_snprintf(errstr, sizeof(errstr), "user %s not found",c->user);
  	log_reason (errstr, r->uri, r);
  	note_digest_auth_failure (r);
! 	return (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED :
!                               AUTH_REQUIRED);
      }
      /* anyone know where the prototype for crypt is? */
      if(strcmp(response->digest, find_digest(r, response, a1))) {
          ap_snprintf(errstr, sizeof(errstr), "user %s: password mismatch",c->user);
  	log_reason (errstr, r->uri, r);
  	note_digest_auth_failure (r);
! 	return (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED :
!                               AUTH_REQUIRED);
      }
      return OK;
  }
***************
*** 340,346 ****
        return OK;
  
      note_digest_auth_failure(r);
!     return AUTH_REQUIRED;
  }
  
  module digest_module = {
--- 342,348 ----
        return OK;
  
      note_digest_auth_failure(r);
!     return (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED : AUTH_REQUIRED);
  }
  
  module digest_module = {
Index: modules/proxy/proxy_http.c
===================================================================
RCS file: /export/home/cvs/apache/src/modules/proxy/proxy_http.c,v
retrieving revision 1.20
diff -c -r1.20 proxy_http.c
*** proxy_http.c	1997/07/12 20:33:04	1.20
--- proxy_http.c	1997/07/17 05:30:28
***************
*** 260,266 ****
      for (i=0; i < reqhdrs_arr->nelts; i++)
      {
  	if (reqhdrs[i].key == NULL || reqhdrs[i].val == NULL
! 	  || !strcasecmp(reqhdrs[i].key, "Host"))  /* already sent if there */
  	    continue;
  	bvputs(f, reqhdrs[i].key, ": ", reqhdrs[i].val, "\015\012", NULL);
      }
--- 260,268 ----
      for (i=0; i < reqhdrs_arr->nelts; i++)
      {
  	if (reqhdrs[i].key == NULL || reqhdrs[i].val == NULL
! 	    /* Clear out headers not to send */
! 	  || !strcasecmp(reqhdrs[i].key, "Host") /* Already sent */
! 	  || !strcasecmp(reqhdrs[i].key, "Proxy-Authorization"))
  	    continue;
  	bvputs(f, reqhdrs[i].key, ": ", reqhdrs[i].val, "\015\012", NULL);
      }
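Review bot: The added `Proxy-Authorization` test carries no comment of its own, and `/* Clear out headers not to send */` does not say why this header is dropped. A short reason on that line would keep a later edit from removing the check as apparent dead weight, for example `/* credentials for this proxy; must not reach the remote server */`. The loop sits in a function that begins and ends outside the hunk.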


-- 
Sameer Parekh					Voice:   510-986-8770
President					FAX:     510-986-8777
C2Net
http://www.c2.net/				sameer@c2.net

Re: proxy auth

Posted by Dean Gaudet <dg...@arctic.org>.
On Wed, 16 Jul 1997, sameer wrote:

> ===================================================================
> RCS file: /export/home/cvs/apache/src/modules/proxy/proxy_http.c,v
> retrieving revision 1.20
> diff -c -r1.20 proxy_http.c
> *** proxy_http.c	1997/07/12 20:33:04	1.20
> --- proxy_http.c	1997/07/17 05:30:28
> ***************
> *** 260,266 ****
>       for (i=0; i < reqhdrs_arr->nelts; i++)
>       {
>   	if (reqhdrs[i].key == NULL || reqhdrs[i].val == NULL
> ! 	  || !strcasecmp(reqhdrs[i].key, "Host"))  /* already sent if there */
>   	    continue;
>   	bvputs(f, reqhdrs[i].key, ": ", reqhdrs[i].val, "\015\012", NULL);
>       }
> --- 260,268 ----
>       for (i=0; i < reqhdrs_arr->nelts; i++)
>       {
>   	if (reqhdrs[i].key == NULL || reqhdrs[i].val == NULL
> ! 	    /* Clear out headers not to send */
> ! 	  || !strcasecmp(reqhdrs[i].key, "Host") /* Already sent */
> ! 	  || !strcasecmp(reqhdrs[i].key, "Proxy-Authorization"))
>   	    continue;
>   	bvputs(f, reqhdrs[i].key, ": ", reqhdrs[i].val, "\015\012", NULL);
>       }

S14.34 in RFC2068 says ... "When multiple proxies are used in a
   chain, the Proxy-Authorization header field is consumed by the first
   outbound proxy that was expecting to receive credentials. A proxy MAY
   relay the credentials from the client request to the next proxy if
   that is the mechanism by which the proxies cooperatively authenticate
   a given request."

You strip it categorically here.  Which is the safest thing to do I
suppose.  There should probably be a PassProxyAuthorization option, but
not something worth holding this on.

Other than that it looks fine according to rfc2068.  (1945 does not
specify proxy auth.) 

I don't know what to do about all the ?: things.  I'd like it if we could
just continue to use AUTH_REQUIRED and do the change to
HTTP_PROXY_AUTHENTICATION_REQUIRED when generating the response.  I wonder
if it breaks anything.  I don't think the auth modules should care if
they're authenticating a proxy request or a regular request.

Dean


Re: proxy auth

Posted by Brian Behlendorf <br...@organic.com>.
Are there any other browsers or UA's which claim to implement proxy auth?
If another one passes muster, or an HTTP cop can look at the patch, I
certainly +1 the concept.

	Brian

At 10:35 PM 7/16/97 -0700, sameer wrote:
>	I had no comments on my proxy auth thing so I wrote up the
>patch. Included here. This enables 407 responses if r->proxyreq is
>set, and squishes the Proxy-Authorization header so it doesn't get
>passed on to the reomte server.
>
>	I've tested this with NS 3.01, and it worked.
>
>
>Index: CHANGES
>===================================================================
>RCS file: /export/home/cvs/apache/src/CHANGES,v
>retrieving revision 1.339
>diff -c -r1.339 CHANGES
>*** CHANGES	1997/07/16 23:14:22	1.339
>--- CHANGES	1997/07/17 05:29:21
>***************
>*** 1,5 ****
>--- 1,8 ----
>  Changes with Apache 1.3
>  
>+   *) Support Proxy Authentication, and don't pass the Proxy-Authorize
>+      header to the remote host in the proxy. [Sameer Parekh]
>+ 
>    *) Extended SSI (mod_include) now handles additional relops for
>       string comparisons (<, >, <=, and >=).  [Bruno Wolff III] PR#41
>  
>Index: http_protocol.c
>===================================================================
>RCS file: /export/home/cvs/apache/src/http_protocol.c,v
>retrieving revision 1.139
>diff -c -r1.139 http_protocol.c
>*** http_protocol.c	1997/07/15 22:36:51	1.139
>--- http_protocol.c	1997/07/17 05:29:47
>***************
>*** 896,902 ****
>      if (strcasecmp(auth_type(r), "Basic"))
>        note_auth_failure(r);
>      else
>!       table_set (r->err_headers_out, "WWW-Authenticate",
>  		 pstrcat(r->pool, "Basic realm=\"", auth_name(r), "\"", NULL));
>  }
>  
>--- 896,903 ----
>      if (strcasecmp(auth_type(r), "Basic"))
>        note_auth_failure(r);
>      else
>!       table_set (r->err_headers_out, r->proxyreq ? "Proxy-Authenticate" : 
>! 		                                   "WWW-Authenticate",
>  		 pstrcat(r->pool, "Basic realm=\"", auth_name(r), "\"", NULL));
>  }
>  
>***************
>*** 905,918 ****
>      char nonce[256];
>  
>      ap_snprintf(nonce, sizeof(nonce), "%lu", r->request_time);
>!     table_set (r->err_headers_out, "WWW-Authenticate",
>                 pstrcat(r->pool, "Digest realm=\"", auth_name(r),
>                         "\", nonce=\"", nonce, "\"", NULL));
>  }
>  
>  API_EXPORT(int) get_basic_auth_pw (request_rec *r, char **pw)
>  {
>!     const char *auth_line = table_get (r->headers_in, "Authorization");
>      char *t;
>      
>      if(!(t = auth_type(r)) || strcasecmp(t, "Basic"))
>--- 906,922 ----
>      char nonce[256];
>  
>      ap_snprintf(nonce, sizeof(nonce), "%lu", r->request_time);
>!     table_set (r->err_headers_out, r->proxyreq ? "Proxy-Authenticate" : 
>! 		                                 "WWW-Authenticate",
>                 pstrcat(r->pool, "Digest realm=\"", auth_name(r),
>                         "\", nonce=\"", nonce, "\"", NULL));
>  }
>  
>  API_EXPORT(int) get_basic_auth_pw (request_rec *r, char **pw)
>  {
>!     const char *auth_line = table_get (r->headers_in, r->proxyreq ? 
>! 				                      "Proxy-Authorization" :
>! 	                                              "Authorization");
>      char *t;
>      
>      if(!(t = auth_type(r)) || strcasecmp(t, "Basic"))
>***************
>*** 925,938 ****
>      
>      if(!auth_line) {
>          note_basic_auth_failure (r);
>! 	return AUTH_REQUIRED;
>      }
>  
>      if (strcmp(getword (r->pool, &auth_line, ' '), "Basic")) {
>          /* Client tried to authenticate using wrong auth scheme */
>          log_reason ("client used wrong authentication scheme", r->uri, r);
>          note_basic_auth_failure (r);
>! 	return AUTH_REQUIRED;
>      }
>  
>      t = uudecode (r->pool, auth_line);
>--- 929,944 ----
>      
>      if(!auth_line) {
>          note_basic_auth_failure (r);
>! 	return (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED : 
>! 	                      AUTH_REQUIRED);
>      }
>  
>      if (strcmp(getword (r->pool, &auth_line, ' '), "Basic")) {
>          /* Client tried to authenticate using wrong auth scheme */
>          log_reason ("client used wrong authentication scheme", r->uri, r);
>          note_basic_auth_failure (r);
>! 	return (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED : 
>! 	                      AUTH_REQUIRED);
>      }
>  
>      t = uudecode (r->pool, auth_line);
>***************
>*** 1692,1697 ****
>--- 1698,1704 ----
>                   "Vary",
>                   "Warning",
>                   "WWW-Authenticate",
>+ 		 "Proxy-Authenticate",
>                   NULL);
>  
>          terminate_header(r->connection->client);
>***************
>*** 1797,1802 ****
>--- 1804,1810 ----
>  		   escape_html(r->pool, location), "<BR>\nYou will need to ",
>                     "configure your client to use that proxy.<P>\n", NULL);
>  	    break;
>+ 	case HTTP_PROXY_AUTHENTICATION_REQUIRED:
>  	case AUTH_REQUIRED:
>  	    bputs("This server could not verify that you\n", fd);
>  	    bputs("are authorized to access the document you\n", fd);
>Index: mod_auth.c
>===================================================================
>RCS file: /export/home/cvs/apache/src/mod_auth.c,v
>retrieving revision 1.18
>diff -c -r1.18 mod_auth.c
>*** mod_auth.c	1997/07/15 22:36:51	1.18
>--- mod_auth.c	1997/07/17 05:29:52
>***************
>*** 203,216 ****
>          ap_snprintf(errstr, sizeof(errstr), "user %s not found",c->user);
>  	log_reason (errstr, r->uri, r);
>  	note_basic_auth_failure (r);
>! 	return AUTH_REQUIRED;
>      }
>      /* anyone know where the prototype for crypt is? */
>      if(strcmp(real_pw,(char *)crypt(sent_pw,real_pw))) {
>          ap_snprintf(errstr, sizeof(errstr), "user %s: password
mismatch",c->user);
>  	log_reason (errstr, r->uri, r);
>  	note_basic_auth_failure (r);
>! 	return AUTH_REQUIRED;
>      }
>      return OK;
>  }
>--- 203,218 ----
>          ap_snprintf(errstr, sizeof(errstr), "user %s not found",c->user);
>  	log_reason (errstr, r->uri, r);
>  	note_basic_auth_failure (r);
>! 	return (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED : 
>! 		              AUTH_REQUIRED);
>      }
>      /* anyone know where the prototype for crypt is? */
>      if(strcmp(real_pw,(char *)crypt(sent_pw,real_pw))) {
>          ap_snprintf(errstr, sizeof(errstr), "user %s: password
mismatch",c->user);
>  	log_reason (errstr, r->uri, r);
>  	note_basic_auth_failure (r);
>! 	return (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED :
>! 		              AUTH_REQUIRED);
>      }
>      return OK;
>  }
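Review bot: The password check kept on the new side still feeds the result of crypt() straight into strcmp() through a `(char *)` cast, and the comment above it suggests no prototype is in scope. If crypt() really is undeclared, its return value is treated as an int and can be truncated where pointers are wider than int; a NULL return from crypt() would also be dereferenced by strcmp(). Since these returns are being touched anyway, consider including the header that declares crypt() and storing the result first: `const char *hashed = crypt(sent_pw, real_pw);` followed by `if (hashed == NULL || strcmp(real_pw, hashed)) {`. The enclosing function starts outside the hunk.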
>***************
>*** 277,283 ****
>        return DECLINED;
>  
>      note_basic_auth_failure (r);
>!     return AUTH_REQUIRED;
>  }
>  
>  module MODULE_VAR_EXPORT auth_module = {
>--- 279,285 ----
>        return DECLINED;
>  
>      note_basic_auth_failure (r);
>!     return (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED :
AUTH_REQUIRED);
>  }
>  
>  module MODULE_VAR_EXPORT auth_module = {
>Index: mod_auth_anon.c
>===================================================================
>RCS file: /export/home/cvs/apache/src/mod_auth_anon.c,v
>retrieving revision 1.16
>diff -c -r1.16 mod_auth_anon.c
>*** mod_auth_anon.c	1997/06/17 00:09:13	1.16
>--- mod_auth_anon.c	1997/07/17 05:29:55
>***************
>*** 251,257 ****
>  		"Anonymous: Authoritative, Passwd <%s> not accepted",
>  		send_pw ? send_pw : "\'none\'");
>  	log_error(errstr,r->server);
>! 	return AUTH_REQUIRED;
>  	}
>  	/* Drop out the bottom to return DECLINED */
>      }
>--- 251,258 ----
>  		"Anonymous: Authoritative, Passwd <%s> not accepted",
>  		send_pw ? send_pw : "\'none\'");
>  	log_error(errstr,r->server);
>! 	return (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED :
>!                               AUTH_REQUIRED);
>  	}
>  	/* Drop out the bottom to return DECLINED */
>      }
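Review bot: Nothing in the visible lines of this hunk calls note_basic_auth_failure() before the changed return, so for a proxy request the authoritative-reject path could send a 407 with no Proxy-Authenticate challenge; the other modules in this patch call it just before returning. If the challenge is not already noted earlier in the function, which starts outside the hunk, add `note_basic_auth_failure (r);` before the return. Separately, the log line above writes the submitted password (`send_pw`) into the error log; consider logging only that a password was rejected.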
>Index: mod_auth_db.c
>===================================================================
>RCS file: /export/home/cvs/apache/src/mod_auth_db.c,v
>retrieving revision 1.12
>diff -c -r1.12 mod_auth_db.c
>*** mod_auth_db.c	1997/04/24 10:16:55	1.12
>--- mod_auth_db.c	1997/07/17 05:30:04
>***************
>*** 204,210 ****
>          ap_snprintf(errstr, sizeof(errstr), "DB user %s not found",
c->user);
>  	log_reason (errstr, r->filename, r);
>  	note_basic_auth_failure (r);
>! 	return AUTH_REQUIRED;
>      }    
>      /* Password is up to first : if exists */
>      colon_pw = strchr(real_pw,':');
>--- 204,211 ----
>          ap_snprintf(errstr, sizeof(errstr), "DB user %s not found",
c->user);
>  	log_reason (errstr, r->filename, r);
>  	note_basic_auth_failure (r);
>! 	return (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED :
>! 		              AUTH_REQUIRED);
>      }    
>      /* Password is up to first : if exists */
>      colon_pw = strchr(real_pw,':');
>***************
>*** 215,221 ****
>  		"user %s: password mismatch",c->user);
>  	log_reason (errstr, r->uri, r);
>  	note_basic_auth_failure (r);
>! 	return AUTH_REQUIRED;
>      }
>      return OK;
>  }
>--- 216,223 ----
>  		"user %s: password mismatch",c->user);
>  	log_reason (errstr, r->uri, r);
>  	note_basic_auth_failure (r);
>! 	return (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED :
>!                               AUTH_REQUIRED);
>      }
>      return OK;
>  }
>***************
>*** 259,265 ****
>  			user, sec->auth_dbgrpfile);
>  	       log_reason (errstr, r->filename, r);
>  	       note_basic_auth_failure (r);
>! 	       return AUTH_REQUIRED;
>             }
>             orig_groups = groups;
>             while(t[0]) {
>--- 261,268 ----
>  			user, sec->auth_dbgrpfile);
>  	       log_reason (errstr, r->filename, r);
>  	       note_basic_auth_failure (r);
>! 	       return (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED :
>!                                      AUTH_REQUIRED);
>             }
>             orig_groups = groups;
>             while(t[0]) {
>***************
>*** 275,281 ****
>  		"user %s not in right group",user);
>  	   log_reason (errstr, r->filename, r);
>             note_basic_auth_failure(r);
>! 	   return AUTH_REQUIRED;
>         }
>      }
>      
>--- 278,285 ----
>  		"user %s not in right group",user);
>  	   log_reason (errstr, r->filename, r);
>             note_basic_auth_failure(r);
>! 	   return (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED :
>!                                  AUTH_REQUIRED);
>         }
>      }
>      
>Index: mod_auth_dbm.c
>===================================================================
>RCS file: /export/home/cvs/apache/src/mod_auth_dbm.c,v
>retrieving revision 1.16
>diff -c -r1.16 mod_auth_dbm.c
>*** mod_auth_dbm.c	1997/06/30 01:28:29	1.16
>--- mod_auth_dbm.c	1997/07/17 05:30:07
>***************
>*** 197,203 ****
>          ap_snprintf(errstr, sizeof(errstr), "DBM user %s not found",
c->user);
>  	log_reason (errstr, r->filename, r);
>  	note_basic_auth_failure (r);
>! 	return AUTH_REQUIRED;
>      }    
>      /* Password is up to first : if exists */
>      colon_pw = strchr(real_pw,':');
>--- 197,204 ----
>          ap_snprintf(errstr, sizeof(errstr), "DBM user %s not found",
c->user);
>  	log_reason (errstr, r->filename, r);
>  	note_basic_auth_failure (r);
>! 	return (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED :
>!                               AUTH_REQUIRED);
>      }    
>      /* Password is up to first : if exists */
>      colon_pw = strchr(real_pw,':');
>***************
>*** 208,214 ****
>  		"user %s: password mismatch",c->user);
>  	log_reason (errstr, r->uri, r);
>  	note_basic_auth_failure (r);
>! 	return AUTH_REQUIRED;
>      }
>      return OK;
>  }
>--- 209,216 ----
>  		"user %s: password mismatch",c->user);
>  	log_reason (errstr, r->uri, r);
>  	note_basic_auth_failure (r);
>! 	return (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED :
>!                               AUTH_REQUIRED);
>      }
>      return OK;
>  }
>***************
>*** 252,258 ****
>  			user, sec->auth_dbmgrpfile);
>  	       log_reason (errstr, r->filename, r);
>  	       note_basic_auth_failure (r);
>! 	       return AUTH_REQUIRED;
>             }
>             orig_groups = groups;
>             while(t[0]) {
>--- 254,261 ----
>  			user, sec->auth_dbmgrpfile);
>  	       log_reason (errstr, r->filename, r);
>  	       note_basic_auth_failure (r);
>! 	       return (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED :
>!                                      AUTH_REQUIRED);
>             }
>             orig_groups = groups;
>             while(t[0]) {
>***************
>*** 268,274 ****
>  		"user %s not in right group",user);
>  	   log_reason (errstr, r->filename, r);
>             note_basic_auth_failure(r);
>! 	   return AUTH_REQUIRED;
>         }
>      }
>      
>--- 271,278 ----
>  		"user %s not in right group",user);
>  	   log_reason (errstr, r->filename, r);
>             note_basic_auth_failure(r);
>! 	   return (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED : 
>!                                  AUTH_REQUIRED);
>         }
>      }
>      
>Index: mod_auth_msql.c
>===================================================================
>RCS file: /export/home/cvs/apache/src/mod_auth_msql.c,v
>retrieving revision 1.20
>diff -c -r1.20 mod_auth_msql.c
>*** mod_auth_msql.c	1997/03/07 14:15:38	1.20
>--- mod_auth_msql.c	1997/07/17 05:30:20
>***************
>*** 809,815 ****
>            	   ap_snprintf(msql_errstr, MAX_STRING_LEN,
>  			"mSQL: Password for user %s not found", c->user);
>  		   note_basic_auth_failure (r);
>! 		   res = AUTH_REQUIRED;
>  		   } else {
>  		   /* pass control on to the next authorization module.
>  		    */
>--- 809,816 ----
>            	   ap_snprintf(msql_errstr, MAX_STRING_LEN,
>  			"mSQL: Password for user %s not found", c->user);
>  		   note_basic_auth_failure (r);
>! 		   res = (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED :
>! 			                AUTH_REQUIRED);
>  		   } else {
>  		   /* pass control on to the next authorization module.
>  		    */
>***************
>*** 841,847 ****
>  		"mSQL: user %s: Empty Password(s) Rejected",c->user);
>  	log_reason (msql_errstr, r->uri, r);
>  	note_basic_auth_failure (r);
>! 	return AUTH_REQUIRED;
>  	};
>  
>      if(sec->auth_msql_encrypted) {
>--- 842,849 ----
>  		"mSQL: user %s: Empty Password(s) Rejected",c->user);
>  	log_reason (msql_errstr, r->uri, r);
>  	note_basic_auth_failure (r);
>! 	return (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED :
>!                               AUTH_REQUIRED);
>  	};
>  
>      if(sec->auth_msql_encrypted) {
>***************
>*** 860,866 ****
>  		"mSQL user %s: password mismatch",c->user);
>  	log_reason (msql_errstr, r->uri, r);
>  	note_basic_auth_failure (r);
>! 	return AUTH_REQUIRED;
>      }
>      return OK;
>  }
>--- 862,869 ----
>  		"mSQL user %s: password mismatch",c->user);
>  	log_reason (msql_errstr, r->uri, r);
>  	note_basic_auth_failure (r);
>! 	return (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED :
>!                               AUTH_REQUIRED);
>      }
>      return OK;
>  }
>***************
>*** 894,900 ****
>  	        ap_snprintf(msql_errstr, MAX_STRING_LEN, "user %s denied, no
access rules specified (MSQL-Authoritative) ",user);
>  		log_reason (msql_errstr, r->uri, r);
>  	        note_basic_auth_failure(r);
>! 		return AUTH_REQUIRED;
>  		};
>  	return DECLINED;
>   	};
>--- 897,904 ----
>  	        ap_snprintf(msql_errstr, MAX_STRING_LEN, "user %s denied, no
access rules specified (MSQL-Authoritative) ",user);
>  		log_reason (msql_errstr, r->uri, r);
>  	        note_basic_auth_failure(r);
>! 		return (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED :
>! 			              AUTH_REQUIRED);
>  		};
>  	return DECLINED;
>   	};
>***************
>*** 907,913 ****
>          w = getword(r->pool, &t, ' ');
>  
>          if ((user_result != OK) && (!strcmp(w,"user"))) {
>! 	    user_result=AUTH_REQUIRED;
>              while(t[0]) {
>                  w = getword_conf (r->pool, &t);
>                  if (!strcmp(user,w)) {
>--- 911,918 ----
>          w = getword(r->pool, &t, ' ');
>  
>          if ((user_result != OK) && (!strcmp(w,"user"))) {
>! 	    user_result=(r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED :
>!                                        AUTH_REQUIRED);
>              while(t[0]) {
>                  w = getword_conf (r->pool, &t);
>                  if (!strcmp(user,w)) {
>***************
>*** 919,925 ****
>             	ap_snprintf(msql_errstr, MAX_STRING_LEN, "User %s not found
(MSQL-Auhtorative)",user);
>  		log_reason (msql_errstr, r->uri, r);
>             	note_basic_auth_failure(r);
>! 		return AUTH_REQUIRED;
>  		};
>          }
>  
>--- 924,931 ----
>             	ap_snprintf(msql_errstr, MAX_STRING_LEN, "User %s not found
(MSQL-Auhtorative)",user);
>  		log_reason (msql_errstr, r->uri, r);
>             	note_basic_auth_failure(r);
>! 		return (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED :
>!                                       AUTH_REQUIRED);
>  		};
>          }
>  
>***************
>*** 930,936 ****
>             ) {
>  	   /* look up the membership for each of the groups in the table
>              */
>! 	   group_result=AUTH_REQUIRED;
>             while ( (t[0]) && (group_result != OK) && (!msql_errstr[0]) ) {
>                  if (get_msql_grp(r,getword(r->pool, &t, '
'),user,sec,msql_errstr)) {
>  			group_result= OK;
>--- 936,943 ----
>             ) {
>  	   /* look up the membership for each of the groups in the table
>              */
>! 	   group_result=(r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED :
>!                                        AUTH_REQUIRED);
>             while ( (t[0]) && (group_result != OK) && (!msql_errstr[0]) ) {
>                  if (get_msql_grp(r,getword(r->pool, &t, '
'),user,sec,msql_errstr)) {
>  			group_result= OK;
>***************
>*** 947,953 ****
>             	ap_snprintf(msql_errstr, MAX_STRING_LEN, "user %s not in
right groups (MSQL-Authoritative) ",user);
>  		log_reason (msql_errstr, r->uri, r);
>             	note_basic_auth_failure(r);
>! 		return AUTH_REQUIRED;
>  		};
>             };
>  
>--- 954,961 ----
>             	ap_snprintf(msql_errstr, MAX_STRING_LEN, "user %s not in
right groups (MSQL-Authoritative) ",user);
>  		log_reason (msql_errstr, r->uri, r);
>             	note_basic_auth_failure(r);
>! 		return (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED :
>! 			              AUTH_REQUIRED);
>  		};
>             };
>  
>***************
>*** 960,972 ****
>       * returns are only if msql yielded a correct result. 
>       * This really is not needed.
>       */
>!     if (((group_result == AUTH_REQUIRED) || (user_result ==
AUTH_REQUIRED)) && (sec->auth_msql_authoritative) ) {
>          ap_snprintf(msql_errstr, MAX_STRING_LEN, "mSQL-Authoritative:
Access denied on %s %s rule(s) ", 
>! 		(group_result == AUTH_REQUIRED) ? "USER" : "", 
>! 		(user_result == AUTH_REQUIRED) ? "GROUP" : ""
>! 		);
>  	log_reason (msql_errstr, r->uri, r);
>! 	return AUTH_REQUIRED;
>  	};
>  
>      if ( (user_result == OK) || (group_result == OK))
>--- 968,988 ----
>       * returns are only if msql yielded a correct result. 
>       * This really is not needed.
>       */
>!     if (((group_result == (r->proxyreq ?
HTTP_PROXY_AUTHENTICATION_REQUIRED :
>!                                          AUTH_REQUIRED)) ||
>! 	 (user_result == (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED :
>! 			                AUTH_REQUIRED))) &&
>! 	(sec->auth_msql_authoritative)) {
>          ap_snprintf(msql_errstr, MAX_STRING_LEN, "mSQL-Authoritative:
Access denied on %s %s rule(s) ", 
>! 		(group_result ==
>! 		 (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED :
>! 		                AUTH_REQUIRED)) ? "USER" : "", 
>! 		(user_result ==
>! 		 (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED :
>! 		                AUTH_REQUIRED)) ? "GROUP" : "");
>  	log_reason (msql_errstr, r->uri, r);
>! 	return (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED :
>! 		              AUTH_REQUIRED);
>  	};
>  
>      if ( (user_result == OK) || (group_result == OK))
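Review bot: The log message in this hunk labels the failures the wrong way round: `group_result` selects "USER" and `user_result` selects "GROUP", so an authoritative denial is logged against the wrong rule type. The new code keeps that and also spells the proxy/non-proxy ternary out five times, which makes the condition hard to audit. Computing the failure status once and comparing against it keeps the check readable and lets the labels be fixed in the same pass. The declaration belongs with the function's other locals, which are outside the hunk.

```c
int denied = (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED : AUTH_REQUIRED);
/* … unchanged: comment block above the check … */
if (((group_result == denied) || (user_result == denied)) &&
    (sec->auth_msql_authoritative)) {
    ap_snprintf(msql_errstr, MAX_STRING_LEN,
                "mSQL-Authoritative: Access denied on %s %s rule(s) ",
                (user_result == denied) ? "USER" : "",
                (group_result == denied) ? "GROUP" : "");
    log_reason (msql_errstr, r->uri, r);
    return denied;
};
```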
>Index: mod_digest.c
>===================================================================
>RCS file: /export/home/cvs/apache/src/mod_digest.c,v
>retrieving revision 1.14
>diff -c -r1.14 mod_digest.c
>*** mod_digest.c	1997/03/07 14:15:39	1.14
>--- mod_digest.c	1997/07/17 05:30:25
>***************
>*** 142,155 ****
>  
>    if (!auth_line) {
>      note_digest_auth_failure (r);
>!     return AUTH_REQUIRED;
>    }
>  
>    if (strcmp(getword (r->pool, &auth_line, ' '), "Digest")) {
>      /* Client tried to authenticate using wrong auth scheme */
>      log_reason ("client used wrong authentication scheme", r->uri, r);
>      note_digest_auth_failure (r);
>!     return AUTH_REQUIRED;
>    }
>  
>    l = strlen(auth_line);
>--- 142,155 ----
>  
>    if (!auth_line) {
>      note_digest_auth_failure (r);
>!     return (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED :
AUTH_REQUIRED);
>    }
>  
>    if (strcmp(getword (r->pool, &auth_line, ' '), "Digest")) {
>      /* Client tried to authenticate using wrong auth scheme */
>      log_reason ("client used wrong authentication scheme", r->uri, r);
>      note_digest_auth_failure (r);
>!     return (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED :
AUTH_REQUIRED);
>    }
>  
>    l = strlen(auth_line);
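Review bot: Where `auth_line` is read is not shown here and is not among the changed lines for this file, so digest checking for proxy requests may still look at the `Authorization` header while answering with 407. If so, a client that answers the challenge with `Proxy-Authorization` could never authenticate and would be re-challenged on every request. Worth confirming that the lookup is `table_get(r->headers_in, r->proxyreq ? "Proxy-Authorization" : "Authorization")`. The function starts above the hunk.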
>***************
>*** 226,232 ****
>    if (!response->username || !response->realm || !response->nonce ||
>        !response->requested_uri || !response->digest) {
>      note_digest_auth_failure (r);
>!     return AUTH_REQUIRED;
>    }
>  
>    r->connection->user = response->username;
>--- 226,232 ----
>    if (!response->username || !response->realm || !response->nonce ||
>        !response->requested_uri || !response->digest) {
>      note_digest_auth_failure (r);
>!     return (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED :
AUTH_REQUIRED);
>    }
>  
>    r->connection->user = response->username;
>***************
>*** 280,293 ****
>          ap_snprintf(errstr, sizeof(errstr), "user %s not found",c->user);
>  	log_reason (errstr, r->uri, r);
>  	note_digest_auth_failure (r);
>! 	return AUTH_REQUIRED;
>      }
>      /* anyone know where the prototype for crypt is? */
>      if(strcmp(response->digest, find_digest(r, response, a1))) {
>          ap_snprintf(errstr, sizeof(errstr), "user %s: password
mismatch",c->user);
>  	log_reason (errstr, r->uri, r);
>  	note_digest_auth_failure (r);
>! 	return AUTH_REQUIRED;
>      }
>      return OK;
>  }
>--- 280,295 ----
>          ap_snprintf(errstr, sizeof(errstr), "user %s not found",c->user);
>  	log_reason (errstr, r->uri, r);
>  	note_digest_auth_failure (r);
>! 	return (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED :
>!                               AUTH_REQUIRED);
>      }
>      /* anyone know where the prototype for crypt is? */
>      if(strcmp(response->digest, find_digest(r, response, a1))) {
>          ap_snprintf(errstr, sizeof(errstr), "user %s: password
mismatch",c->user);
>  	log_reason (errstr, r->uri, r);
>  	note_digest_auth_failure (r);
>! 	return (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED :
>!                               AUTH_REQUIRED);
>      }
>      return OK;
>  }
>***************
>*** 340,346 ****
>        return OK;
>  
>      note_digest_auth_failure(r);
>!     return AUTH_REQUIRED;
>  }
>  
>  module digest_module = {
>--- 342,348 ----
>        return OK;
>  
>      note_digest_auth_failure(r);
>!     return (r->proxyreq ? HTTP_PROXY_AUTHENTICATION_REQUIRED :
AUTH_REQUIRED);
>  }
>  
>  module digest_module = {
>Index: modules/proxy/proxy_http.c
>===================================================================
>RCS file: /export/home/cvs/apache/src/modules/proxy/proxy_http.c,v
>retrieving revision 1.20
>diff -c -r1.20 proxy_http.c
>*** proxy_http.c	1997/07/12 20:33:04	1.20
>--- proxy_http.c	1997/07/17 05:30:28
>***************
>*** 260,266 ****
>      for (i=0; i < reqhdrs_arr->nelts; i++)
>      {
>  	if (reqhdrs[i].key == NULL || reqhdrs[i].val == NULL
>! 	  || !strcasecmp(reqhdrs[i].key, "Host"))  /* already sent if there */
>  	    continue;
>  	bvputs(f, reqhdrs[i].key, ": ", reqhdrs[i].val, "\015\012", NULL);
>      }
>--- 260,268 ----
>      for (i=0; i < reqhdrs_arr->nelts; i++)
>      {
>  	if (reqhdrs[i].key == NULL || reqhdrs[i].val == NULL
>! 	    /* Clear out headers not to send */
>! 	  || !strcasecmp(reqhdrs[i].key, "Host") /* Already sent */
>! 	  || !strcasecmp(reqhdrs[i].key, "Proxy-Authorization"))
>  	    continue;
>  	bvputs(f, reqhdrs[i].key, ": ", reqhdrs[i].val, "\015\012", NULL);
>      }
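Review bot: The new filter drops `Proxy-Authorization` from every forwarded request, whether or not this proxy demanded and consumed the credentials, and the code does not say why. Not leaking proxy credentials to the origin server is the right default, but the reason deserves a comment at the test, such as `/* Proxy-Authorization is meant for this proxy only; never forward it to the origin server */`. The generic "Clear out headers not to send" comment in the middle of the condition would read better above the `if`. If requests can be forwarded to a further proxy that expects the client's credentials, this unconditional drop would break that setup, which is worth confirming. The loop's enclosing function starts and ends outside the hunk.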
>
>
>-- 
>Sameer Parekh					Voice:   510-986-8770
>President					FAX:     510-986-8777
>C2Net
>http://www.c2.net/				sameer@c2.net
>
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
"Why not?" - TL           brian@organic.com - hyperreal.org - apache.org

Re: proxy auth

Posted by Dean Gaudet <dg...@arctic.org>.
I'm curious if it would be better for check_user_id() itself to test
r->proxyreq and change AUTH_REQUIRED responses to
HTTP_PROXY_AUTHENTICATION_REQUIRED responses.  That way it works fine with
third party auth modules as well.  Or we can just ignore that for now
'cause we should be revamping auth for 2.0 such that there won't be
anywhere near as much duplicated code. 

Other than that I just want to peruse the rfcs to make sure this does the
right thing.

Dean

On Wed, 16 Jul 1997, sameer wrote:

> 	I had no comments on my proxy auth thing so I wrote up the
> patch. Included here. This enables 407 responses if r->proxyreq is
> set, and squishes the Proxy-Authorization header so it doesn't get
> passed on to the remote server.
> 
> 	I've tested this with NS 3.01, and it worked.