On 26/05/2020 at 08:56, Willy Tarreau wrote:
Hi Joao,
On Thu, May 21, 2020 at 09:41:19PM -0300, Joao Morais wrote:
Hello list, the 401 is one of the HTTP status codes haproxy generates itself:
https://github.com/haproxy/haproxy/blob/v2.1.0/doc/configuration.txt#L363
This cannot however be overwritten using the errorfile keyword as stated in the
doc:
https://github.com/haproxy/haproxy/blob/v2.1.0/doc/configuration.txt#L3558
and also testing myself:
[WARNING] 142/002731 (1) : parsing [/tmp/haproxy/h.cfg:9] : status code 401 not handled by 'errorfile', error customization will be ignored.
I'm aware that a Lua script can generate a custom page and an arbitrary http
status code which could work around this:
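core.register_service("send-401", "http", function(applet)
    -- Build the reply with the AppletHTTP methods
    local body = [[<html><body>My custom 401 page</body></html>]]
    applet:set_status(401)
    applet:add_header("content-length", string.len(body))
    applet:add_header("content-type", "text/html")
    applet:start_response()
    applet:send(body)
end)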
... but is there a way to, instead, customize the output of `http-request auth`?
I had a look in the code and no, it's not possible right now, the
message is constructed in function http_reply_40x_unauthorized(). It's
sad because what this function does is only a subset of what is possible
to do with the new configurable error files. But it takes one extra
argument that needs to be emitted and that makes it impossible to
express as a regular error file.
In an ideal world this function should call what is used normally to
build an error message, then just concatenate the addition of the
"basic realm=" and auth_realm into either www-authenticate or
proxy-authenticate and that should work. I'm CCing Christopher in case
he sees a trivial way to do this.
Digging into this also made me realize that all but two of the HTTP_xxx
messages defined in http.c are not used anymore and could be removed.
I'm even suspecting the remaining ones (302 and 303) might be accidental
leftovers.
In HAProxy 2.2, I guess 401/407 responses may be generated using an http-request
return rule, making http-request auth rule more or less deprecated. The only
mess is to handle 2 different responses depending on the request path when the
http-use-proxy-header option is used. In addition, http_reply_40x_unauthorized()
is also called for the stats page authentication. This part cannot be replaced
by an http-request return rule. So maybe a good solution is to use error files
(customizable since 2.2). And just add the realm at the right place, as Willy
said. I will investigate.
For HTTP_30X templates, you're right, they should be removed. And HTTP_10X too.
--
Christopher Faulet
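
The `http-request return` approach mentioned in the reply above, as an added configuration example (not from the thread or the HAProxy project). It assumes HAProxy 2.2 or later and no `http-use-proxy-header`; the names `example_users`, `fe_example` and `be_example`, the realm `Restricted`, the file path and the credential are all hypothetical.

```haproxy
# Added example; names, paths, realm and credential are constructed.
userlist example_users
    # Sample only: prefer "password" with a crypt(3) hash over insecure-password.
    user alice insecure-password changeme

frontend fe_example
    mode http
    bind :8080
    # Replaces "http-request auth realm Restricted": same challenge header,
    # but the body comes from a file (raw HTML payload, not a full HTTP response).
    http-request return status 401 content-type "text/html" file /etc/haproxy/errors/custom-401.html hdr WWW-Authenticate 'Basic realm="Restricted"' unless { http_auth(example_users) }
    default_backend be_example

backend be_example
    mode http
    server app1 127.0.0.1:8081
```

As the reply notes, stats page authentication cannot be replaced by an `http-request return` rule, so this rule does not change the 401 sent for the stats page.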