BUG/MINOR: proto_htx: only mark connections private if NTLM is detected

The commit fd9b68c48 ("BUG/MINOR: only mark connections private if NTLM is
detected") was forgotten when HTX analyzers were added.

diff --git a/src/proto_htx.c b/src/proto_htx.c
index 20689727c5097cd2107bb6f9a673276692ca9687..852034732c18999690a2397d3038efc38f37b49c 100644 (file)
--- a/src/proto_htx.c
+++ b/src/proto_htx.c
@@ -1423,6 +1423,7 @@ int htx_wait_for_response(struct stream *s, struct channel *rep, int an_bit)
        struct http_txn *txn = s->txn;
        struct http_msg *msg = &txn->rsp;
        struct htx *htx;
+       struct connection *srv_conn;
        union h1_sl sl;
        int n;
 
@@ -1713,6 +1714,30 @@ int htx_wait_for_response(struct stream *s, struct channel *rep, int an_bit)
                txn->flags = (txn->flags & ~TX_CON_WANT_MSK) | TX_CON_WANT_TUN;
        }
 
+       /* check for NTML authentication headers in 401 (WWW-Authenticate) and
+        * 407 (Proxy-Authenticate) responses and set the connection to private
+        */
+       srv_conn = cs_conn(objt_cs(s->si[1].end));
+       if (srv_conn) {
+               struct ist hdr;
+               struct http_hdr_ctx ctx;
+
+               if (txn->status == 401)
+                       hdr = ist("WWW-Authenticate");
+               else if (txn->status == 407)
+                       hdr = ist("Proxy-Authenticate");
+               else
+                       goto end;
+
+               ctx.blk = NULL;
+               while (http_find_header(htx, hdr, &ctx, 0)) {
+                       if ((ctx.value.len >= 9 && word_match(ctx.value.ptr, ctx.value.len, "Negotiate", 9)) ||
+                           (ctx.value.len >= 4 && word_match(ctx.value.ptr, ctx.value.len, "NTLM", 4)))
+                               srv_conn->flags |= CO_FL_PRIVATE;
+               }
+       }
+
+  end:
        /* we want to have the response time before we start processing it */
        s->logs.t_data = tv_ms_elapsed(&s->logs.tv_accept, &now);