Posted to dev@httpd.apache.org by "Dirk-Willem van Gulik (kim)" <di...@webweaving.org> on 1999/05/03 17:44:40 UTC
Re: [PATCH] Re: Help with reverse proxy and authentication
Graham Leggett wrote:
> I decided to investigate where Apache decided that the request was to be
> handled by the proxy, and change this from a simple noproxy / proxy
> arrangement to three states - NONE, PROXY and REVERSE with the values 0,
> 1 and 2 respectively. Most of the code tests proxyreq for non zero
> status, only the authenticate code cares whether it's REVERSE or PROXY.
>
> The patches are attached.
>
> Can you tell me if my solution is too simplistic? I have tested it, and
> it seems to work, but a second opinion would be great.
I have to test this much more thoroughly, and check the chained case of having
more than one proxy in a row. But the principle is most certainly sound
and certainly the way to go. And I like how general this is; as you could
also use it in the future for things like the FTP proxying.
My compliments. Just submit it I'd say !
Dw.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> 2a3,5
> > *) Fixed proxy/www authentication mixup when authenticating reverse proxied
> > URLs. [Graham Leggett <mi...@sharp.fm>]
> >
>
> ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> *** src/include/httpd-old.h Thu Apr 29 15:31:08 1999
> --- src/include/httpd.h Thu Apr 29 15:04:59 1999
> ***************
> *** 653,659 ****
> char *the_request; /* First line of request, so we can log it */
> int assbackwards; /* HTTP/0.9, "simple" request */
> int proxyreq; /* A proxy request (calculated during
> ! * post_read_request or translate_name) */
> int header_only; /* HEAD request, as opposed to GET */
> char *protocol; /* Protocol, as given to us, or HTTP/0.9 */
> int proto_num; /* Number version of protocol; 1.1 = 1001 */
> --- 653,661 ----
> char *the_request; /* First line of request, so we can log it */
> int assbackwards; /* HTTP/0.9, "simple" request */
> int proxyreq; /* A proxy request (calculated during
> ! * post_read_request or translate_name)
> ! * possible values PROXYREQ_NONE,
> ! * PROXYREQ_PROXY, PROXYREQ_REVERSE */
> int header_only; /* HEAD request, as opposed to GET */
> char *protocol; /* Protocol, as given to us, or HTTP/0.9 */
> int proto_num; /* Number version of protocol; 1.1 = 1001 */
> ***************
> *** 780,786 ****
> --- 782,797 ----
> */
> };
>
> + /* Possible values of request_rec->proxyreq. A request could be normal,
> + * proxied or reverse proxied. Normally proxied and reverse proxied are
> + * grouped together as just "proxied", but sometimes it's necessary to
> + * tell the difference between the two, such as for authentication.
> + */
>
> + #define PROXYREQ_NONE 0
> + #define PROXYREQ_PROXY 1
> + #define PROXYREQ_REVERSE 2
> +
> /* Things which are per connection
> */
>
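Review bot: The block comment above the three defines does not say which value selects the proxy authentication headers, and the rest of the patch depends on exactly that. Only `PROXYREQ_PROXY` picks `Proxy-Authenticate`/`Proxy-Authorization` and the 407 status, while a plain `if (r->proxyreq)` still matches both proxied states. I would add a sentence to the comment such as `Only PROXYREQ_PROXY uses the Proxy-* auth headers and the 407 status; test proxyreq for non-zero to mean proxied in either direction.` Code outside this patch that still assigns a literal `1` keeps forward-proxy authentication behaviour, which may deserve a line in the CHANGES entry.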
>
> ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> *** src/modules/standard/mod_digest-old.c Thu Apr 29 15:29:16 1999
> --- src/modules/standard/mod_digest.c Thu Apr 29 15:19:23 1999
> ***************
> *** 137,143 ****
> static int get_digest_rec(request_rec *r, digest_header_rec * response)
> {
> const char *auth_line = ap_table_get(r->headers_in,
> ! r->proxyreq ? "Proxy-Authorization"
> : "Authorization");
> int l;
> int s, vk = 0, vv = 0;
> --- 137,143 ----
> static int get_digest_rec(request_rec *r, digest_header_rec * response)
> {
> const char *auth_line = ap_table_get(r->headers_in,
> ! (r->proxyreq == PROXYREQ_PROXY) ? "Proxy-Authorization"
> : "Authorization");
> int l;
> int s, vk = 0, vv = 0;
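Review bot: For a reverse-proxied request this lookup now reads `Authorization`, the same header an origin server behind the proxy would look at, so credentials verified at the front end are still in `r->headers_in` afterwards. Whether the proxy handler removes them before passing the request on is not visible in this patch; if it does not, front-end credentials reach the backend. The same applies to the Basic path in `ap_get_basic_auth_pw` (http_protocol.c, old line 1128). I would state the intended behaviour in a comment here, e.g. `/* reverse proxy: Authorization is checked locally; it is not removed from headers_in here */`, and mention it in the CHANGES entry. `get_digest_rec` continues past the end of the hunk.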
>
> ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> *** src/modules/standard/mod_rewrite-old.c Thu Apr 29 15:29:44 1999
> --- src/modules/standard/mod_rewrite.c Thu Apr 29 15:22:29 1999
> ***************
> *** 1125,1131 ****
> }
>
> /* now make sure the request gets handled by the proxy handler */
> ! r->proxyreq = 1;
> r->handler = "proxy-server";
>
> rewritelog(r, 1, "go-ahead with proxy request %s [OK]",
> --- 1125,1131 ----
> }
>
> /* now make sure the request gets handled by the proxy handler */
> ! r->proxyreq = PROXYREQ_REVERSE;
> r->handler = "proxy-server";
>
> rewritelog(r, 1, "go-ahead with proxy request %s [OK]",
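Review bot: The assignment `r->proxyreq = PROXYREQ_REVERSE;` is unconditional, so a request that an earlier phase already marked `PROXYREQ_PROXY` would be relabelled as reverse if it reaches this line. Authentication would then switch from `Proxy-Authorization`/407 to `Authorization`/401 for what is still a forward-proxy request. Whether such a request can get here is not visible in the hunk, but guarding the assignment costs nothing: `if (r->proxyreq == PROXYREQ_NONE) r->proxyreq = PROXYREQ_REVERSE;`. The per-directory hunk at old line 1388 and the ProxyPass hunk in mod_proxy.c at old line 201 make the same unconditional assignment. The enclosing function starts and ends outside the hunk.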
> ***************
> *** 1385,1391 ****
> }
>
> /* now make sure the request gets handled by the proxy handler */
> ! r->proxyreq = 1;
> r->handler = "proxy-server";
>
> rewritelog(r, 1, "[per-dir %s] go-ahead with proxy request "
> --- 1385,1391 ----
> }
>
> /* now make sure the request gets handled by the proxy handler */
> ! r->proxyreq = PROXYREQ_REVERSE;
> r->handler = "proxy-server";
>
> rewritelog(r, 1, "[per-dir %s] go-ahead with proxy request "
>
> ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> *** src/modules/proxy/mod_proxy-old.c Thu Apr 29 15:28:12 1999
> --- src/modules/proxy/mod_proxy.c Thu Apr 29 15:25:04 1999
> ***************
> *** 153,159 ****
> && !strcasecmp(r->parsed_uri.scheme, ap_http_method(r))
> && ap_matches_request_vhost(r, r->parsed_uri.hostname,
> r->parsed_uri.port_str ? r->parsed_uri.port : ap_default_port(r)))) {
> ! r->proxyreq = 1;
> r->uri = r->unparsed_uri;
> r->filename = ap_pstrcat(r->pool, "proxy:", r->uri, NULL);
> r->handler = "proxy-server";
> --- 153,159 ----
> && !strcasecmp(r->parsed_uri.scheme, ap_http_method(r))
> && ap_matches_request_vhost(r, r->parsed_uri.hostname,
> r->parsed_uri.port_str ? r->parsed_uri.port : ap_default_port(r)))) {
> ! r->proxyreq = PROXYREQ_PROXY;
> r->uri = r->unparsed_uri;
> r->filename = ap_pstrcat(r->pool, "proxy:", r->uri, NULL);
> r->handler = "proxy-server";
> ***************
> *** 163,169 ****
> else if (conf->req && r->method_number == M_CONNECT
> && r->parsed_uri.hostname
> && r->parsed_uri.port_str) {
> ! r->proxyreq = 1;
> r->uri = r->unparsed_uri;
> r->filename = ap_pstrcat(r->pool, "proxy:", r->uri, NULL);
> r->handler = "proxy-server";
> --- 163,169 ----
> else if (conf->req && r->method_number == M_CONNECT
> && r->parsed_uri.hostname
> && r->parsed_uri.port_str) {
> ! r->proxyreq = PROXYREQ_PROXY;
> r->uri = r->unparsed_uri;
> r->filename = ap_pstrcat(r->pool, "proxy:", r->uri, NULL);
> r->handler = "proxy-server";
> ***************
> *** 198,204 ****
> r->filename = ap_pstrcat(r->pool, "proxy:", ent[i].real,
> r->uri + len, NULL);
> r->handler = "proxy-server";
> ! r->proxyreq = 1;
> return OK;
> }
> }
> --- 198,204 ----
> r->filename = ap_pstrcat(r->pool, "proxy:", ent[i].real,
> r->uri + len, NULL);
> r->handler = "proxy-server";
> ! r->proxyreq = PROXYREQ_REVERSE;
> return OK;
> }
> }
> ***************
> *** 304,310 ****
> int maxfwd = strtol(maxfwd_str, NULL, 10);
> if (maxfwd < 1) {
> int access_status;
> ! r->proxyreq = 0;
> if ((access_status = ap_send_http_trace(r)))
> ap_die(access_status, r);
> else
> --- 304,310 ----
> int maxfwd = strtol(maxfwd_str, NULL, 10);
> if (maxfwd < 1) {
> int access_status;
> ! r->proxyreq = PROXYREQ_NONE;
> if ((access_status = ap_send_http_trace(r)))
> ap_die(access_status, r);
> else
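Review bot: The context line `int maxfwd = strtol(maxfwd_str, NULL, 10);` accepts any string, because with no end pointer an empty or non-numeric Max-Forwards value parses as 0 and takes the `maxfwd < 1` branch. The proxy then answers the request itself with `proxyreq` reset to `PROXYREQ_NONE`. The `long` result is also narrowed to `int` without a range check. I would parse into a `long` with an end pointer, `char *end; long maxfwd = strtol(maxfwd_str, &end, 10);`, and treat `end == maxfwd_str || *end != '\0'` as a malformed header rather than as zero. The enclosing function begins and ends outside the hunk, so how a malformed value should be reported is for the author to decide.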
>
> ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> *** src/main/http_protocol-old.c Thu Apr 29 15:27:46 1999
> --- src/main/http_protocol.c Thu Apr 29 15:19:49 1999
> ***************
> *** 1109,1115 ****
> ap_note_auth_failure(r);
> else
> ap_table_setn(r->err_headers_out,
> ! r->proxyreq ? "Proxy-Authenticate" : "WWW-Authenticate",
> ap_pstrcat(r->pool, "Basic realm=\"", ap_auth_name(r), "\"",
> NULL));
> }
> --- 1109,1115 ----
> ap_note_auth_failure(r);
> else
> ap_table_setn(r->err_headers_out,
> ! (r->proxyreq == PROXYREQ_PROXY) ? "Proxy-Authenticate" : "WWW-Authenticate",
> ap_pstrcat(r->pool, "Basic realm=\"", ap_auth_name(r), "\"",
> NULL));
> }
> ***************
> *** 1117,1123 ****
> API_EXPORT(void) ap_note_digest_auth_failure(request_rec *r)
> {
> ap_table_setn(r->err_headers_out,
> ! r->proxyreq ? "Proxy-Authenticate" : "WWW-Authenticate",
> ap_psprintf(r->pool, "Digest realm=\"%s\", nonce=\"%lu\"",
> ap_auth_name(r), r->request_time));
> }
> --- 1117,1123 ----
> API_EXPORT(void) ap_note_digest_auth_failure(request_rec *r)
> {
> ap_table_setn(r->err_headers_out,
> ! (r->proxyreq == PROXYREQ_PROXY) ? "Proxy-Authenticate" : "WWW-Authenticate",
> ap_psprintf(r->pool, "Digest realm=\"%s\", nonce=\"%lu\"",
> ap_auth_name(r), r->request_time));
> }
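Review bot: The Digest challenge built here uses `r->request_time` as the nonce, so the value is predictable and the server cannot tell a fresh nonce from a replayed one. This commit only changes the header name and leaves that as it was. Fixing it is beyond this patch, but the limitation deserves a comment next to the format string, e.g. `/* XXX nonce is the bare request time: predictable, no replay protection */`. Separately, the type of `request_time` is not visible here; if it is `time_t`, the `%lu` conversion needs `(unsigned long) r->request_time` to be portable.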
> ***************
> *** 1125,1131 ****
> API_EXPORT(int) ap_get_basic_auth_pw(request_rec *r, const char **pw)
> {
> const char *auth_line = ap_table_get(r->headers_in,
> ! r->proxyreq ? "Proxy-Authorization"
> : "Authorization");
> const char *t;
>
> --- 1125,1131 ----
> API_EXPORT(int) ap_get_basic_auth_pw(request_rec *r, const char **pw)
> {
> const char *auth_line = ap_table_get(r->headers_in,
> ! (r->proxyreq == PROXYREQ_PROXY) ? "Proxy-Authorization"
> : "Authorization");
> const char *t;
>
>
> ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> *** src/modules/proxy/proxy_ftp-old.c Thu Apr 29 15:28:26 1999
> --- src/modules/proxy/proxy_ftp.c Thu Apr 29 15:25:40 1999
> ***************
> *** 419,425 ****
> */
> static int ftp_unauthorized (request_rec *r, int log_it)
> {
> ! r->proxyreq = 0;
> /* Log failed requests if they supplied a password
> * (log username/password guessing attempts)
> */
> --- 419,425 ----
> */
> static int ftp_unauthorized (request_rec *r, int log_it)
> {
> ! r->proxyreq = PROXYREQ_NONE;
> /* Log failed requests if they supplied a password
> * (log username/password guessing attempts)
> */
>
> ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> *** src/main/http_request-old.c Thu Apr 29 15:27:59 1999
> --- src/main/http_request.c Thu Apr 29 15:18:03 1999
> ***************
> *** 981,987 ****
> * about proxy authentication. They treat it like normal auth, and then
> * we tweak the status.
> */
> ! if (r->status == AUTH_REQUIRED && r->proxyreq) {
> r->status = HTTP_PROXY_AUTHENTICATION_REQUIRED;
> }
>
> --- 981,987 ----
> * about proxy authentication. They treat it like normal auth, and then
> * we tweak the status.
> */
> ! if (r->status == AUTH_REQUIRED && r->proxyreq == PROXYREQ_PROXY) {
> r->status = HTTP_PROXY_AUTHENTICATION_REQUIRED;
> }
>