From: Amos Jeffries Date: Fri, 13 Jun 2008 14:30:53 +0000 (+1200) Subject: Author: Christos Tsantilas X-Git-Tag: SQUID_3_1_0_1~49^2~204 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=dcf3665bb6601129d69c837f258b87fcc3f24c80;p=thirdparty%2Fsquid.git Author: Christos Tsantilas Bug 2206: no Proxy-Authenticate header in 407 responses Proper handling of Hop-By-Hop headers according to RFC2616 (drop them!) special handling given to Auth headers on pass-thru cases. --- diff --git a/src/HttpHeader.cc b/src/HttpHeader.cc index a0bab13f85..96bada8edd 100644 --- a/src/HttpHeader.cc +++ b/src/HttpHeader.cc @@ -236,10 +236,11 @@ static http_hdr_type RequestHeadersArr[] = HDR_USER_AGENT, HDR_X_FORWARDED_FOR, HDR_SURROGATE_CAPABILITY }; +static HttpHeaderMask HopByHopHeadersMask; static http_hdr_type HopByHopHeadersArr[] = { - HDR_CONNECTION, HDR_KEEP_ALIVE, HDR_PROXY_AUTHENTICATE, HDR_PROXY_AUTHORIZATION, - HDR_TE, HDR_TRAILERS, HDR_TRANSFER_ENCODING, HDR_UPGRADE + HDR_CONNECTION, HDR_KEEP_ALIVE, /*HDR_PROXY_AUTHENTICATE,*/ HDR_PROXY_AUTHORIZATION, + HDR_TE, HDR_TRAILERS, HDR_TRANSFER_ENCODING, HDR_UPGRADE, HDR_PROXY_CONNECTION }; /* header accounting */ @@ -304,6 +305,8 @@ httpHeaderInitModule(void) httpHeaderCalcMask(&RequestHeadersMask, EntityHeadersArr, countof(EntityHeadersArr)); + httpHeaderCalcMask(&HopByHopHeadersMask, HopByHopHeadersArr, countof(HopByHopHeadersArr)); + /* init header stats */ assert(HttpHeaderStatCount == hoReply + 1); @@ -1773,11 +1776,16 @@ HttpHeader::removeHopByHopEntries() { removeConnectionHeaderEntries(); - int count = countof(HopByHopHeadersArr); - - for (int i=0; iid; + if(CBIT_TEST(HopByHopHeadersMask, id)){ + delAt(pos, headers_deleted); + CBIT_CLR(mask, id); + } + } } void diff --git a/src/ICAP/ICAPModXact.cc b/src/ICAP/ICAPModXact.cc index 8da4103401..96cccea875 100644 --- a/src/ICAP/ICAPModXact.cc +++ b/src/ICAP/ICAPModXact.cc 
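Review bot: Commenting `HDR_PROXY_AUTHENTICATE` out of `HopByHopHeadersArr` means `removeHopByHopEntries()` no longer strips an upstream proxy challenge, so every caller now has to delete that header itself. The two callers touched in this commit do so (`ICAPModXact::encapsulateHead` unconditionally, `clientReplyContext::buildReplyHeader` unless the peer is `login=PASS`), but any caller outside this diff would start forwarding the header and should be checked. I would replace the commented-out token with a line stating the intent, for example `/* HDR_PROXY_AUTHENTICATE deliberately absent: callers delete it unless it must pass through (peer login=PASS) */`. The rewritten loop in `removeHopByHopEntries()` also appears to depend on `HopByHopHeadersMask` having been filled by `httpHeaderInitModule()`; with a still-zeroed static mask it would remove nothing, which is worth a comment next to the declaration.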
@@ -1178,6 +1178,7 @@ void ICAPModXact::encapsulateHead(MemBuf &icapBuf, const char *section, MemBuf & // end cloning // remove all hop-by-hop headers from the clone + headClone->header.delById(HDR_PROXY_AUTHENTICATE); headClone->header.removeHopByHopEntries(); // pack polished HTTP header diff --git a/src/auth/ntlm/auth_ntlm.cc b/src/auth/ntlm/auth_ntlm.cc index bef4388dce..c9956f2ddd 100644 --- a/src/auth/ntlm/auth_ntlm.cc +++ b/src/auth/ntlm/auth_ntlm.cc @@ -279,7 +279,6 @@ AuthNTLMConfig::fixHeader(AuthUserRequest *auth_user_request, HttpReply *rep, ht if (!keep_alive) { /* drop the connection */ - rep->header.delByName("keep-alive"); request->flags.proxy_keepalive = 0; } } else { @@ -292,7 +291,6 @@ AuthNTLMConfig::fixHeader(AuthUserRequest *auth_user_request, HttpReply *rep, ht case AUTHENTICATE_STATE_FAILED: /* here it makes sense to drop the connection, as auth is * tied to it, even if MAYBE the client could handle it - Kinkie */ - rep->header.delByName("keep-alive"); request->flags.proxy_keepalive = 0; /* fall through */ diff --git a/src/client_side_reply.cc b/src/client_side_reply.cc index 5a1cb7d61e..c97354cf34 100644 --- a/src/client_side_reply.cc +++ b/src/client_side_reply.cc 
@@ -1176,19 +1176,14 @@ clientReplyContext::buildReplyHeader() hdr->delById(HDR_ETAG); #endif - // TODO: Should ESIInclude.cc that calls removeConnectionHeaderEntries - // also delete HDR_PROXY_CONNECTION and HDR_KEEP_ALIVE like we do below? - - // XXX: Should HDR_PROXY_CONNECTION by studied instead of HDR_CONNECTION? - // httpHeaderHasConnDir does that but we do not. Is this is a bug? - hdr->delById(HDR_PROXY_CONNECTION); - /* here: Keep-Alive is a field-name, not a connection directive! */ - hdr->delById(HDR_KEEP_ALIVE); - /* remove Set-Cookie if a hit */ - if (is_hit) hdr->delById(HDR_SET_COOKIE); + // if there is not configured a peer proxy with login=PASS option enabled + // remove the Proxy-Authenticate header + if ( !(request->peer_login && strcmp(request->peer_login,"PASS") ==0)) + reply->header.delById(HDR_PROXY_AUTHENTICATE); + reply->header.removeHopByHopEntries(); // if (request->range) @@ -1247,8 +1242,9 @@ clientReplyContext::buildReplyHeader() } /* Filter unproxyable authentication types */ + if (http->logType != LOG_TCP_DENIED && - (hdr->has(HDR_WWW_AUTHENTICATE) || hdr->has(HDR_PROXY_AUTHENTICATE))) { + (hdr->has(HDR_WWW_AUTHENTICATE) || hdr->has(HDR_PROXY_AUTHENTICATE))) { HttpHeaderPos pos = HttpHeaderInitPos; HttpHeaderEntry *e; 
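Review bot: The new test in `buildReplyHeader()` keeps `Proxy-Authenticate` whenever `request->peer_login` is `"PASS"`, and nothing in the hunk ties that decision to where the reply actually came from. If a reply from another source (a cache hit, or a server contacted directly) can reach this point with `peer_login` still set, its challenge would be relayed to the client as if it came from the peer; that is inferred, since the code that sets `peer_login` is outside the diff, so it deserves a check or at least a comment naming the assumption. The unbraced `if` directly above the unconditional `reply->header.removeHopByHopEntries();` is easy to misread, and the function uses `hdr->` for the neighbouring deletions, so I would write it as `if (!(request->peer_login && strcmp(request->peer_login, "PASS") == 0)) { hdr->delById(HDR_PROXY_AUTHENTICATE); }` provided `hdr` does point at `reply->header`. The function body starts and ends outside this hunk.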
@@ -1270,7 +1266,19 @@ clientReplyContext::buildReplyHeader() } /* Handle authentication headers */ - if (request->auth_user_request) + if(http->logType == LOG_TCP_DENIED && + ( reply->sline.status == HTTP_PROXY_AUTHENTICATION_REQUIRED || + reply->sline.status == HTTP_UNAUTHORIZED) + ){ + /* Add authentication header */ + /*! \todo alter errorstate to be accel on|off aware. The 0 on the next line + * depends on authenticate behaviour: all schemes to date send no extra + * data on 407/401 responses, and do not check the accel state on 401/407 + * responses + */ + authenticateFixHeader(reply, request->auth_user_request, request, 0, 1); + } + else if (request->auth_user_request) authenticateFixHeader(reply, request->auth_user_request, request, http->flags.accel, 0); diff --git a/src/errorpage.cc b/src/errorpage.cc index e5fd72a5ca..149b417d49 100644 --- a/src/errorpage.cc +++ b/src/errorpage.cc @@ -376,13 +376,6 @@ errorAppendEntry(StoreEntry * entry, ErrorState * err) entry->lock(); entry->buffer(); rep = errorBuildReply(err); - /* Add authentication header */ - /*! \todo alter errorstate to be accel on|off aware. The 0 on the next line - * depends on authenticate behaviour: all schemes to date send no extra - * data on 407/401 responses, and do not check the accel state on 401/407 - * responses - */ - authenticateFixHeader(rep, err->auth_user_request, err->request, 0, 1); entry->replaceHttpReply(rep); EBIT_CLR(entry->flags, ENTRY_FWD_HDR_WAIT); entry->flush();
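Review bot: The challenge for 407/401 denials is now built from `request->auth_user_request`, whereas the call removed from `errorAppendEntry()` in errorpage.cc used `err->auth_user_request`. If the error state can carry an auth request that was never attached to the request (a failed or in-progress handshake, for instance), the scheme-specific challenge data would be lost here; the diff does not show whether the two pointers are always the same, so this needs confirming. The new branch also calls `authenticateFixHeader` without the `request->auth_user_request` null test that guards the `else if` branch, which is fine only if that function accepts a null pointer. The moved `\todo` still talks about making "errorstate" accel-aware although the code no longer lives there and `http->flags.accel` is in scope, so I would reword it to `/* \todo pass http->flags.accel once schemes check accel state on 401/407 */`.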