Received: (qmail 19370 invoked by uid 501); 20 Mar 2001 13:50:21 -0000 Message-Id: <20010320135020.19366.qmail@apache.org> Date: 20 Mar 2001 13:50:20 -0000 From: "Torbjörn" Carlsson Reply-To: torbjorn.carlsson@mobilitypartner.com To: submit@bugz.apache.org Subject: BasicAuth protected ProxyPass directive can't handle BasicAuth on "real" server. X-Send-Pr-Version: 3.110 >Number: 7439 >Category: mod_proxy >Synopsis: BasicAuth protected ProxyPass directive can't handle BasicAuth on "real" server. >Confidential: no >Severity: serious >Priority: medium >Responsible: apache >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Tue Mar 20 06:00:05 PST 2001 >Closed-Date: >Last-Modified: >Originator: torbjorn.carlsson@mobilitypartner.com >Release: 1.3.19 >Organization: apache >Environment: RedHat 6.2 on i686 >Description: If the real server is using basic auth, as well as the proxy. the Servers BasicAuth header is trashed when going through the ProxyPass proxy. It also looks like the ProxyPass directive passes on it's Basic-Auth header, the one that is used between the client and the proxy, to the real server. That probably destroys the Basic-Auth header that the Server sends out. When using the setup described under the "repeat problem" tag I'm alternately getting the AuthName from the proxy and from the Server. Both of them rejects the BasicAuth header that is sent and requests a new one. = Infinite loop. >How-To-Repeat: Setup: Proxy server: ------------------------------------------------------------------ ProxyPass /basic-auth http://server/basic-auth ProxyPassReverse /basic-auth http://server/basic-auth AuthName "The Proxy test" AuthType Basic AuthUserFile /etc/httpd/conf/proxy.passwd require valid-user --------------------------------------------------------------- Real server: AuthName "The Real server" AuthType Basic AuthUserFile /etc/httpd/conf/server.passwd require valid-user There is no way to get through. >Fix: >Release-Note: >Audit-Trail: >Unformatted: [In order for any reply to be added to the PR database, you need] [to include in the Cc line and make sure the] [subject line starts with the report component and number, with ] [or without any 'Re:' prefixes (such as "general/1098:" or ] ["Re: general/1098:"). If the subject doesn't match this ] [pattern, your message will be misfiled and ignored. The ] ["apbugs" address is not added to the Cc line of messages from ] [the database automatically because of the potential for mail ] [loops. If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request from a ] [developer. Reply only with text; DO NOT SEND ATTACHMENTS! ]