[In order for any reply to be added to the PR database, ] [you need to include <[EMAIL PROTECTED]> in the Cc line ] [and leave the subject line UNCHANGED. This is not done] [automatically because of the potential for mail loops. ]
Synopsis: ProxyRemote proxy requests fail authentication by firewall State-Changed-From-To: open-feedback State-Changed-By: brian State-Changed-When: Wed May 20 02:23:30 PDT 1998 State-Changed-Why: Hi. Sorry about the delay; there hasn't been anyone working on the proxy module in awhile. In doing research on this I found the patch which implemented this: http://www.apache.org/websrc/cvsweb.cgi/apache-1.3/src/modules/proxy/proxy_http.c.diff?r1=1.20&r2=1.21 The thread of discussion on this can be found in the archives for the month of July 1997, at http://dev.apache.org/mail/nh.9705.gz unzip it and read it in pine or something, and look for a thread called "proxy auth". You'll see that it was done even though folks knew that it could cause a problem like this. Basically, the HTTP spec says that a proxy should "absorb" the header and not forward it along if the credentials being presented are for that proxy. Unfortunately we absorb it unconditionally. So to properly fix this we need to block that header only if we are the proxy server requiring those credentials. Also consider the possibility of *two* Proxy-Authorization headers, one for "us" and one for one of the next proxies down the chain. At this point we're strapped for resources in the proxy department, so if you think you could implement a fix we'd be ecstatic. Failing that, I think it's better to always block than anyways relay when those are your only options. Thanks for the note.
