This is a fix that went into v1.3 quite a while back, but not into v2.0.

It sorts out the problem when a password protected reverse proxy URL
sends a Proxy-Authenticate to a browser instead of a WWW-Authenticate.

This patch covers the changes to the httpd-2.0 tree.

Submitted by:	Graham Leggett
Reviewed by:	Chuck Murcko


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@88527 13f79535-47bb-0310-9956-ffa450edef68

CHANGES

@@ -37,6 +37,10 @@ Changes with Apache 2.0.15-dev
      entire content.  It is far safer to just remove the C-L as long
      as we are scanning it.  [Ryan Bloom]
 
+  *) Make sure Apache sends WWW-Authenticate during a reverse proxy
+     request and not Proxy-Authenticate.
+     [Graham Leggett <minfrin@sharp.fm>]
+
 Changes with Apache 2.0.14
 
   *) Fix content-length computation.  We ONLY compute a content-length if

include/httpd.h

@@ -615,7 +615,9 @@ struct request_rec {
     char *the_request;
     /** HTTP/0.9, "simple" request */
     int assbackwards;
-    /** A proxy request (calculated during post_read_request/translate_name) */
+    /** A proxy request (calculated during post_read_request/translate_name)
+     *  possible values PROXYREQ_NONE, PROXYREQ_PROXY, PROXYREQ_REVERSE
+     */
     int proxyreq;
     /** HEAD request, as opposed to GET */
     int header_only;
@@ -807,6 +809,16 @@ struct request_rec {
  */
 };
 
+/** Possible values of request_rec->proxyreq. A request could be normal,
+ *  proxied or reverse proxied. Normally proxied and reverse proxied are
+ *  grouped together as just "proxied", but sometimes it's necessary to
+ *  tell the difference between the two, such as for authentication.
+ */
+
+#define PROXYREQ_NONE 0
+#define PROXYREQ_PROXY 1
+#define PROXYREQ_REVERSE 2
+
 
 /** Structure to store things which are per connection */
 struct conn_rec {

modules/aaa/mod_auth_digest.c

@@ -854,7 +854,7 @@ static int get_digest_rec(request_rec *r, digest_header_rec *resp)
     char *key, *value;
 
     auth_line = apr_table_get(r->headers_in,
-			     r->proxyreq ? "Proxy-Authorization"
+			     (PROXYREQ_PROXY == r->proxyreq) ? "Proxy-Authorization"
 					 : "Authorization");
     if (!auth_line) {
 	resp->auth_hdr_sts = NO_HEADER;
@@ -1322,7 +1322,7 @@ static void note_digest_auth_failure(request_rec *r,
     }
 
     apr_table_mergen(r->err_headers_out,
-		    r->proxyreq ? "Proxy-Authenticate" : "WWW-Authenticate",
+		    (PROXYREQ_PROXY == r->proxyreq) ? "Proxy-Authenticate" : "WWW-Authenticate",
 		    apr_psprintf(r->pool, "Digest realm=\"%s\", nonce=\"%s\", "
 					 "algorithm=%s%s%s%s%s",
 				ap_auth_name(r), nonce, conf->algorithm,
@@ -2050,7 +2050,7 @@ static int add_auth_info(request_rec *r)
 
     if (ai && ai[0])
 	apr_table_mergen(r->headers_out,
-			r->proxyreq ? "Proxy-Authentication-Info"
+			(PROXYREQ_PROXY == r->proxyreq) ? "Proxy-Authentication-Info"
 				    : "Authentication-Info",
 			ai);
     return OK;

modules/http/http_request.c

@@ -135,7 +135,7 @@ AP_DECLARE(void) ap_die(int type, request_rec *r)
      * about proxy authentication.  They treat it like normal auth, and then
      * we tweak the status.
      */
-    if (r->status == HTTP_UNAUTHORIZED && r->proxyreq) {
+    if (HTTP_UNAUTHORIZED == r->status && PROXYREQ_PROXY == r->proxyreq) {
         r->status = HTTP_PROXY_AUTHENTICATION_REQUIRED;
     }
 

modules/http/mod_mime.c

@@ -720,10 +720,7 @@ static int find_ct(request_rec *r)
 
         /* Check for a special handler, but not for proxy request */
         if ((type = apr_table_get(conf->handlers, ext))
-#if 0	
+	    && (PROXYREQ_NONE == r->proxyreq) 
-	/* XXX fix me when the proxy code is updated */
-	    && r->proxyreq == NOT_PROXY) 
-#endif
         ) {
             r->handler = type;
             found = 1;

modules/mappers/mod_rewrite.c

@@ -1127,7 +1127,7 @@ static int hook_uri2file(request_rec *r)
             }
 
             /* now make sure the request gets handled by the proxy handler */
-            r->proxyreq = 1;
+            r->proxyreq = PROXYREQ_REVERSE;
             r->handler  = "proxy-server";
 
             rewritelog(r, 1, "go-ahead with proxy request %s [OK]",
@@ -1378,7 +1378,7 @@ static int hook_fixup(request_rec *r)
             }
 
             /* now make sure the request gets handled by the proxy handler */
-            r->proxyreq = 1;
+            r->proxyreq = PROXYREQ_REVERSE;
             r->handler  = "proxy-server";
 
             rewritelog(r, 1, "[per-dir %s] go-ahead with proxy request "

server/protocol.c

@@ -1081,7 +1081,7 @@ AP_DECLARE(void) ap_note_basic_auth_failure(request_rec *r)
         ap_note_auth_failure(r);
     else
         apr_table_setn(r->err_headers_out,
-                  r->proxyreq ? "Proxy-Authenticate" : "WWW-Authenticate",
+                  (PROXYREQ_PROXY == r->proxyreq) ? "Proxy-Authenticate" : "WWW-Authenticate",
                   apr_pstrcat(r->pool, "Basic realm=\"", ap_auth_name(r), "\"",
                           NULL));
 }
@@ -1089,7 +1089,7 @@ AP_DECLARE(void) ap_note_basic_auth_failure(request_rec *r)
 AP_DECLARE(void) ap_note_digest_auth_failure(request_rec *r)
 {
     apr_table_setn(r->err_headers_out,
-	    r->proxyreq ? "Proxy-Authenticate" : "WWW-Authenticate",
+	    (PROXYREQ_PROXY == r->proxyreq) ? "Proxy-Authenticate" : "WWW-Authenticate",
 	    apr_psprintf(r->pool, "Digest realm=\"%s\", nonce=\"%llx\"",
 		ap_auth_name(r), r->request_time));
 }
@@ -1097,7 +1097,7 @@ AP_DECLARE(void) ap_note_digest_auth_failure(request_rec *r)
 AP_DECLARE(int) ap_get_basic_auth_pw(request_rec *r, const char **pw)
 {
     const char *auth_line = apr_table_get(r->headers_in,
-                                      r->proxyreq ? "Proxy-Authorization"
+                                      (PROXYREQ_PROXY == r->proxyreq) ? "Proxy-Authorization"
                                                   : "Authorization");
     const char *t;