Hi Christopher, On Wed, May 27, 2020 at 07:03:58PM +0200, Christopher Faulet wrote: > Here are patches to handle customizable 401/407 messages. In fact, only the > second patch is really meaningful. There is no change for the http-request > auth rule from the configuration point of view. Internally, we rely on the > proxy's error messages. It means 401 and 407 status codes are allowed on > "errorfile" and "http-error" lines.
I love patches like this which remove more code than they add :-) I'd have a minor request, which is to remove the empty www-authenticate and proxy-authenticate headers from the default response templates. Since the header is not edited in place but removed, it will make no difference, and at least if someone sends them as-is with http-request deny, we won't be sending an empty realm nor enforcing basic auth, but the browser will be free to do whatever it wants. In addition it would allow the user to manually append the header in a deny or return rule. Looks pretty good otherwise. Thanks! Willy
