www-apache-bugdb mailing list archives

From br...@hyperreal.org
Subject Re: mod_proxy/1567: ProxyRemote proxy requests fail authentication by firewall
Date Wed, 20 May 1998 09:23:30 GMT
[In order for any reply to be added to the PR database, ]
[you need to include <apbugs@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]


Synopsis: ProxyRemote proxy requests fail authentication by firewall

State-Changed-From-To: open-feedback
State-Changed-By: brian
State-Changed-When: Wed May 20 02:23:30 PDT 1998
State-Changed-Why:
Hi.  Sorry about the delay; there hasn't been anyone working
on the proxy module in a while.

In doing research on this I found the patch which implemented
this: 

http://www.apache.org/websrc/cvsweb.cgi/apache-1.3/src/modules/proxy/proxy_http.c.diff?r1=1.20&r2=1.21

The thread of discussion on this can be found in the archives
for the month of July 1997, at

http://dev.apache.org/mail/nh.9705.gz

Unzip it and read it in pine or something, and look for
a thread called "proxy auth".  You'll see that
it was done even though folks knew that it could cause a 
problem like this.  Basically, the HTTP spec says that a proxy
should "absorb" the header and not forward it along if the
credentials being presented are for that proxy. Unfortunately
we absorb it unconditionally.

So to properly fix this we need to block that header only if
we are the proxy server requiring those credentials.  Also
consider the possibility of *two* Proxy-Authorization headers,
one for "us" and one for one of the next proxies down the 
chain.

At this point we're strapped for resources in the proxy
department, so if you think you could implement a fix
we'd be ecstatic.  Failing that, I think it's better to
always block than always relay when those are your only
options.

Thanks for the note.




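The conditional handling the message asks for, as an added sketch (not Apache's code and not part of the original message): absorb only the Proxy-Authorization header addressed to this proxy and relay any other one down the chain. `struct hdr`, `filter_proxy_auth`, `is_ours` and the sample credentials are assumptions for illustration; the message does not say how a proxy recognizes its own credentials, so an exact string match stands in for that check.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical header pair; Apache 1.3 itself keeps headers in a table. */
struct hdr { const char *name; const char *value; };

/* Assumed stand-in for this proxy's own credential check: returns 1 when
 * the header value matches the credentials this proxy accepts. */
static int is_ours(const char *value, const char *our_cred) {
    return our_cred != NULL && strcmp(value, our_cred) == 0;
}

/* Copy the headers to forward into out[]; returns the count.
 * our_cred == NULL means this proxy does not require authentication,
 * so every Proxy-Authorization header belongs to a proxy further along.
 * Otherwise exactly one matching header is consumed here and any other
 * Proxy-Authorization header is relayed. *authed reports whether a header
 * for this proxy was found; a proxy that requires credentials would
 * answer 407 instead of forwarding when it is 0. */
int filter_proxy_auth(const struct hdr *in, int n, struct hdr *out,
                      const char *our_cred, int *authed) {
    int i, kept = 0;
    *authed = 0;
    for (i = 0; i < n; i++) {
        if (strcasecmp(in[i].name, "Proxy-Authorization") == 0 &&
            !*authed && is_ours(in[i].value, our_cred)) {
            *authed = 1;      /* ours: absorb, never send upstream */
            continue;
        }
        out[kept++] = in[i];  /* not ours: relay unchanged */
    }
    return kept;
}

int main(void) {
    /* Constructed sample request headers (credentials are made up). */
    struct hdr req[] = {
        {"Host", "www.example.com"},
        {"Proxy-Authorization", "Basic bG9jYWw6cHc="},
        {"proxy-authorization", "Basic ZmlyZXdhbGw6cHc="},
    };
    struct hdr out[3];
    int authed, i, n = filter_proxy_auth(req, 3, out, "Basic bG9jYWw6cHc=", &authed);
    for (i = 0; i < n; i++)
        printf("%s: %s\n", out[i].name, out[i].value);
    return authed ? 0 : 1;
}
```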