httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Hendrik Harms <>
Subject Proxy-Authorization needed for ProxyRemote
Date Tue, 01 Nov 2005 15:39:00 GMT

/* XXX: @@@ FIXME: "Proxy-Authorization" should *only* be
 * suppressed if THIS server requested the authentication,
 * not when a frontend proxy requested it!
 * The solution to this problem is probably to strip out
 * the Proxy-Authorisation header in the authorisation
 * code itself, not here. This saves us having to signal
 * somehow whether this request was authenticated or not.
 || !strcasecmp(headers_in[counter].key,"Proxy-Authorization")
 || !strcasecmp(headers_in[counter].key,"Proxy-Authenticate")) {

I think this code denies any connection to a Forward-Proxy with
Proxy-Authorization even if I try to fake the Proxy-Authorization
Header with mod_headers (RequestHeader).

I know that the Proxy-Authorization Header is a Hop-to-Hop Header
that should be filtered. But the apache is neither able to send a
407 Response nor able to verify the Proxy-Authorization Header.
So I think it would be the best to pass through the Proxy-Authorization

If this is not possible, it would be nice to have something like
  ProxyRemote *


Hendrik Harms

View raw message