You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by Jon Snow <js...@gatesec.net> on 2005/07/29 00:55:30 UTC
proxy_ftp base href breaks authorization
Hi,
I run a forward proxy using mod_ftp_proxy through a forward proxy heirarchy.
The proxy in question is the last in the chain and communicates with the
Internet. Mod_proxy_ftp will successfully return a directory listing after
authentication to an FTP site using a user:password combination in the URL.
The listing html code includes a BASE HREF tag in the HEAD section returned
in the response to the client. This BASE HREF contains the form ftp://
user@example.com. This overrides the browser base retrieving URL and as there
is no password included there is a further requirement for an alternate
method of authentication otherwise the client will need to authenticate for
every link that is selected. On most browsers I have tested (mozilla,
firefox, konqueror) this will be done with the Authorization: header and will
work through the proxy but unfortunately not on my client's IE 6.0 build.
There is no Authorization header supplied on the initial or subsequent
requests and so every time a link in the FTP listing is selected the
authentication process is repeated.
I am assuming at this stage this problem is particular to my client's IE build
but I am questioning the use of the BASE HREF. I would have thought if a BASE
HREF is returned it would be of the form ftp://user:password@example.com but
as the browser already knows this as it's base URL there would be no
requirement for the BASE HREF in the returned html anyway. The current BASE
HREF without the password is breaking the links when the Authorization header
is not being used, but whether the header is used or not the BASE HREF URL
provides no additional information to the browser.
I have removed the BASE part in the proxy module code and this gets around the
problem as the browser sends the user:password in the URL. This then
simulates squid behaviour.
Does anyone have any idea why/whether the BASE HREF is required in the
proxy_ftp html code returned to the client?
Thanks,
Jon