From: Nicolas Daniels
Date: Wed, 27 Mar 2013 13:23:16 +0100
To: users@httpd.apache.org
CC: Nick Kew
Subject: Re: [users@httpd] Mod_proxy: Authentication-Info header lost in response
Message-ID: <5152E4B4.50707@swing.be>
References: <5152DA7F.2090601@bluepimento.eu>

Ok, I was probably not clear enough ;-)

First I'm using mod_proxy_http and DIGEST authentication. Authentication-Info header is part of digest authentication:
http://rfc-ref.org/RFC-TEXTS/2069/chapter2.html

Let's say I have 2 accessed URLs:

http://mydomain.com/index.html
http://mydomain.com/tomcat/index.html

Both are using digest authentication on apache.

Proxy is configured as follows:
ProxyPass /tomcat http://mytomcat.com/bla
ProxyPassReverse /tomcat http://mytomcat.com/bla
So http://mydomain.com/index.html is replied directly by apache and http://mydomain.com/tomcat/index.html is proxied to tomcat.

1st case: Authentication-Info replied

> GET /index.html HTTP/1.1
> User-Agent: curl/7.29.0
> Host: mydomain.com
> Accept: */*

< HTTP/1.1 401 Unauthorized
< Date: Wed, 27 Mar 2013 11:24:18 GMT
< Server: Apache/2.4.4 (Unix)
< WWW-Authenticate: Digest realm="bla", nonce="nxteR+bYBAA=9c9e9d4176b1ff722c18122c2a3a9af3d52b6e8a", algorithm=MD5, qop="auth"
< Content-Length: 381
< Content-Type: text/html; charset=iso-8859-1

> GET /index.html HTTP/1.1
> Authorization: Digest username="username", realm="bla", nonce="nxteR+bYBAA=9c9e9d4176b1ff722c18122c2a3a9af3d52b6e8a", uri="/index.html", cnonce="ICAgICAgICAgICAgICAgICAgICAgICAgICAxNDEyNjc=", nc=00000001, qop=auth, response="bbfa7dqsdqs2c014d85sqdzaab1", algorithm="MD5"
> User-Agent: curl/7.29.0
> Host: mydomain.com
> Accept: */*

< HTTP/1.1 200 OK
< Date: Wed, 27 Mar 2013 11:24:18 GMT
< Server: Apache/2.4.4 (Unix)
< Authentication-Info: rspauth="efbdcdsqdsqhiaaazqds4eee3c1", cnonce="ICAgICAgICAgICAgICAgICAgICAgICAgICAxNDEyNjc=", nc=00000001, qop=auth
< Last-Modified: Tue, 19 Feb 2013 08:24:06 GMT
< ETag: "22-4d60f909e7580"
< Accept-Ranges: bytes
< Content-Length: 34
< Content-Type: text/plain
....


2nd case: Authentication-Info not replied

> GET /tomcat/index.html HTTP/1.1
> User-Agent: curl/7.29.0
> Host: mydomain.com
> Accept: */*

< HTTP/1.1 401 Unauthorized
< Date: Wed, 27 Mar 2013 12:15:25 GMT
< Server: Apache/2.4.4 (Unix)
< WWW-Authenticate: Digest realm="bla", nonce="5X4sqdsqdsqd456sq4dsq4d65sq78zf599bbd478c", algorithm=MD5, qop="auth"
< Content-Length: 381
< Content-Type: text/html; charset=iso-8859-1

> GET /tomcat/index.html HTTP/1.1
> Authorization: Digest username="username", realm="bla", nonce="5X4sqdsqdsqd456sq4dsq4d65sq78zf599bbd478c", uri="/tomcat/index.html", cnonce="ICAgICAgICAgICAgICAgICAgICAgICAgICA0NDk5NzM=", nc=00000001, qop=auth, response="cf10890c9dsqdsqef3bd248dsqdsqec34", algorithm="MD5"
> User-Agent: curl/7.29.0
> Host: mydomain.com
> Accept: */*

< HTTP/1.1 200 OK
< Date: Wed, 27 Mar 2013 12:15:27 GMT
< Server: Apache-Coyote/1.1
< Content-Type: application/json
< Content-Length: 142
.....


So my question is, is there any way to have Apache reply with this Authentication-Info in both cases? I guess the reverse proxy should add it somehow...

Thanks !

On 27/03/2013 13:00, Nick Kew wrote:
> On 27 Mar 2013, at 11:39, Nicolas Daniels wrote:
>
>> Everything work fine except that when the proxy is used, the Authentication-Info header is not included in the response. If Apache is replying directly without using the proxy, it is included.
> There's no such header in HTTP.  Why not tell us exactly what you mean?


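
The following is an added example, not part of the original message and not Apache or Tomcat code: it shows what a digest client does with the Authentication-Info header from the two cases above, checking rspauth as defined in RFC 2617 for algorithm=MD5 and qop=auth. The password, nonce and cnonce are constructed values, and the function names are hypothetical.

```python
import hashlib
import hmac
import re

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_params(value):
    """Parse key=value / key="value" pairs from a Digest header value."""
    pairs = re.findall(r'(\w+)\s*=\s*("[^"]*"|[^,\s]+)', value)
    return {k.lower(): v.strip('"') for k, v in pairs}

def digest(user, realm, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 digest for algorithm=MD5, qop=auth.
    method="GET" gives the request 'response'; method="" gives 'rspauth'."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def check_authentication_info(headers, sent, password):
    """Classify a 2xx response as 'verified', 'mismatch' or 'missing'."""
    headers = {k.lower(): v for k, v in headers.items()}
    if "authentication-info" not in headers:
        return "missing"  # what the proxied /tomcat response looks like
    info = parse_params(headers["authentication-info"])
    expected = digest(sent["username"], sent["realm"], password, "",
                      sent["uri"], sent["nonce"], sent["nc"], sent["cnonce"])
    same = (hmac.compare_digest(info.get("rspauth", ""), expected)
            and info.get("cnonce") == sent["cnonce"]
            and info.get("nc") == sent["nc"])
    return "verified" if same else "mismatch"

def demo():
    password = "constructed-password"  # constructed; not from the thread
    sent = parse_params('Digest username="username", realm="bla", '
                        'nonce="constructed-nonce", uri="/index.html", '
                        'cnonce="constructed-cnonce", nc=00000001, qop=auth')
    rspauth = digest("username", "bla", password, "", "/index.html",
                     "constructed-nonce", "00000001", "constructed-cnonce")
    tail = ', cnonce="constructed-cnonce", nc=00000001, qop=auth'
    direct = {"Server": "Apache/2.4.4 (Unix)",
              "Authentication-Info": f'rspauth="{rspauth}"' + tail}
    proxied = {"Server": "Apache-Coyote/1.1", "Content-Type": "application/json"}
    altered = {"Authentication-Info": 'rspauth="' + "0" * 32 + '"' + tail}
    return [check_authentication_info(h, sent, password)
            for h in (direct, proxied, altered)]

if __name__ == "__main__":
    print(demo())
```

A client that receives "missing" on the proxied path has no proof that the responder knows the shared secret, which is the practical effect of the header being dropped.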