Propagate Proxy-Authorization header correctly
authorNick Kew <niq@apache.org>
Sun, 9 Sep 2007 15:38:08 +0000 (15:38 +0000)
committerNick Kew <niq@apache.org>
Sun, 9 Sep 2007 15:38:08 +0000 (15:38 +0000)
PR 25947
RFC2616 tells us:
  (1) If we haven't authenticated, we must pass the header on.
  (2) If we have authenticated, we MAY pass it on.
I've made the latter case configurable by ENV(Proxy-Chain-Auth).

Also, Proxy-Authenticate is a response header, and doesn't belong
in a check of request headers.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@574021 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
modules/proxy/mod_proxy_http.c

diff --git a/CHANGES b/CHANGES
index 8f41c840e14a221285230d1498c86a646a7d21d0..e401fb2539e264a782c1f04a374a30583b08bc9c 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,9 @@
 Changes with Apache 2.3.0
 [ When backported to 2.2.x, remove entry from this file ]
 
+  *) mod_proxy_http: Propagate Proxy-Authorization header correctly.
+     PR 25947 [Nick Kew]
+
   *) mod_proxy: escape error-notes correctly
      PR 40952 [Thijs Kinkhorst <thijs debian.org>]
 
index 1654cd76b14f03411f8f02801c9e3d5b1bc8c743..5df59f1ce0f9a6e2bf75e83410c28fc1bb56b879 100644 (file)
@@ -748,19 +748,22 @@ apr_status_t ap_proxy_http_request(apr_pool_t *p, request_rec *r,
              || !strcasecmp(headers_in[counter].key, "Trailer")
              || !strcasecmp(headers_in[counter].key, "Upgrade")
 
-            /* XXX: @@@ FIXME: "Proxy-Authorization" should *only* be
-             * suppressed if THIS server requested the authentication,
-             * not when a frontend proxy requested it!
-             *
-             * The solution to this problem is probably to strip out
-             * the Proxy-Authorisation header in the authorisation
-             * code itself, not here. This saves us having to signal
-             * somehow whether this request was authenticated or not.
-             */
-             || !strcasecmp(headers_in[counter].key,"Proxy-Authorization")
-             || !strcasecmp(headers_in[counter].key,"Proxy-Authenticate")) {
+             ) {
             continue;
         }
+       /* Do we want to strip Proxy-Authorization ?
+        * If we haven't used it, then NO
+        * If we have used it then MAYBE: RFC2616 says we MAY propagate it.
+        * So let's make it configurable by env.
+        */
+        if (!strcasecmp(headers_in[counter].key,"Proxy-Authorization")) {
+            if (r->user != NULL) { /* we've authenticated */
+                if (!apr_table_get(r->subprocess_env, "Proxy-Chain-Auth")) {
+                    continue;
+                }
+           }
+       }
+
 
         /* Skip Transfer-Encoding and Content-Length for now.
          */
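Review bot: The `apr_table_get(r->subprocess_env, "Proxy-Chain-Auth")` test in the new Proxy-Authorization branch checks only that the variable exists, so a setting such as `SetEnv Proxy-Chain-Auth off` would still forward the client's proxy credentials to the next hop. Because this is a credential header, either compare the value, e.g. `const char *chain = apr_table_get(r->subprocess_env, "Proxy-Chain-Auth");` followed by `if (chain == NULL || strcasecmp(chain, "on") != 0) continue;`, or state in the comment that presence alone enables propagation. Separately, `r->user != NULL` is true for any authentication that populated `r->user`, not only a proxy challenge issued by this server, and when it is NULL the header is always passed upstream. The block comment should spell out that assumption so operators know when credentials reach the backend. The body of ap_proxy_http_request starts and ends outside this hunk, so how `r->user` gets set is not visible here.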