From: Christopher Faulet Date: Fri, 23 Nov 2018 15:23:45 +0000 (+0100) Subject: BUG/MINOR: proto_htx: only mark connections private if NTLM is detected X-Git-Tag: v1.9-dev9~125 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6160832bf7b4a4df47406e63daf441529fa62631;p=thirdparty%2Fhaproxy.git BUG/MINOR: proto_htx: only mark connections private if NTLM is detected The commit fd9b68c48 ("BUG/MINOR: only mark connections private if NTLM is detected") was forgotten when HTX analyzers were added. --- diff --git a/src/proto_htx.c b/src/proto_htx.c index 20689727c5..852034732c 100644 --- a/src/proto_htx.c +++ b/src/proto_htx.c @@ -1423,6 +1423,7 @@ int htx_wait_for_response(struct stream *s, struct channel *rep, int an_bit) struct http_txn *txn = s->txn; struct http_msg *msg = &txn->rsp; struct htx *htx; + struct connection *srv_conn; union h1_sl sl; int n; @@ -1713,6 +1714,30 @@ int htx_wait_for_response(struct stream *s, struct channel *rep, int an_bit) txn->flags = (txn->flags & ~TX_CON_WANT_MSK) | TX_CON_WANT_TUN; } + /* check for NTML authentication headers in 401 (WWW-Authenticate) and + * 407 (Proxy-Authenticate) responses and set the connection to private + */ + srv_conn = cs_conn(objt_cs(s->si[1].end)); + if (srv_conn) { + struct ist hdr; + struct http_hdr_ctx ctx; + + if (txn->status == 401) + hdr = ist("WWW-Authenticate"); + else if (txn->status == 407) + hdr = ist("Proxy-Authenticate"); + else + goto end; + + ctx.blk = NULL; + while (http_find_header(htx, hdr, &ctx, 0)) { + if ((ctx.value.len >= 9 && word_match(ctx.value.ptr, ctx.value.len, "Negotiate", 9)) || + (ctx.value.len >= 4 && word_match(ctx.value.ptr, ctx.value.len, "NTLM", 4))) + srv_conn->flags |= CO_FL_PRIVATE; + } + } + + end: /* we want to have the response time before we start processing it */ s->logs.t_data = tv_ms_elapsed(&s->logs.tv_accept, &now);