With 'ProxyErrorOverride On', mod_proxy incorrectly fails to pass the WWW- Authenticate header through to the client on 401 responses from the origin server. It seems the problem is that ap_send_error_response() clears r->headers_out, while ap_proxy_http_process_response() does not copy the WWW-Authenticate header into r->err_headers_out. A patch which fixes this follows. (Note re the second passage of the patch: If we don't discard the request body that accompanied the 401 response, it is still there on the socket when auth succeeds... and is therefore prepended, in it's raw chunked glory, when the actual content page from the origin server is served to the client. Thus we must discard the request body prior to exiting from ap_proxy_http_process_response() on 401 responses with ProxyErrorOverride On. Note that this patch appears to correct the problem, but has NOT yet received extensive testing. *** modules/proxy/proxy_http.c.orig Thu Sep 19 14:47:51 2002 --- modules/proxy/proxy_http.c Thu Sep 19 17:38:36 2002 *************** *** 863,868 **** --- 863,879 ---- } } + if ((r->status == 401) && (conf->error_override != 0)) { + const char *buf; + const char *wa = "WWW-Authenticate"; + if (buf = apr_table_get(r->headers_out, wa)) { + apr_table_set(r->err_headers_out, wa, buf); + } else { + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, + "proxy: origin server sent 401 without w-a header"); + } + } + r->sent_bodyct = 1; /* Is it an HTTP/0.9 response? If so, send the extra data */ if (backasswards) { *************** *** 969,974 **** --- 980,986 ---- */ int status = r->status; r->status = HTTP_OK; + ap_discard_request_body(rp); return status; } } else
Patch already applied to v2.0 and v2.1.