
Re: solved: digest auth issue

On Fri, 13 Jan 2006, Mark Foster wrote:

> Just wanted to report back that we solved our
> digest-auth-through-http-accelerator problem. The culprit was a mismatch
> of the URI referenced in the Authorization: header. Everything starting
> at the third slash in the URL must match up between proxy and backend.


Depends a bit on the web server and its configuration.

From RFC2617:

   digest-uri
     The URI from Request-URI of the Request-Line; duplicated here
     because proxies are allowed to change the Request-Line in transit.

and

   The authenticating server must assure that the resource designated by
   the "uri" directive is the same as the resource specified in the
   Request-Line; if they are not, the server SHOULD return a 400 Bad
   Request error. (Since this may be a symptom of an attack, server
   implementers may want to consider logging such errors.) The purpose
   of duplicating information from the request URL in this field is to
   deal with the possibility that an intermediate proxy may alter the
   client's Request-Line. This altered (but presumably semantically
   equivalent) request would not result in the same digest as that
   calculated by the client.

Which in other words means that your server should reject Digest authentication on redirected requests UNLESS it is told by its local configuration that this redirection is OK.

Regards
Henrik
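The check Henrik quotes from RFC 2617, worked through as an added example (not code from the thread or from squid): the client's `uri` directive is bound into the digest via A2, so when an accelerator rewrites the Request-Line but forwards the Authorization: header unchanged, the backend sees a `uri` that no longer matches and must answer 400 unless its local configuration says that particular rewrite is OK. Credentials, nonce and paths are constructed for the example.

```python
import hashlib
import re

# Constructed credentials and nonce for the example (not from the thread).
REALM, USER, PASSWORD = "example.org", "alice", "s3cret"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(method, uri, password=PASSWORD):
    """RFC 2617 response without qop: KD(H(A1), nonce ":" H(A2))."""
    ha1 = md5hex(f"{USER}:{REALM}:{password}")
    ha2 = md5hex(f"{method}:{uri}")           # A2 binds the digest to the URI
    return md5hex(f"{ha1}:{NONCE}:{ha2}")


def client_authorization(method, uri):
    """What the browser sends: the uri directive duplicates its Request-URI."""
    return (f'Digest username="{USER}", realm="{REALM}", nonce="{NONCE}", '
            f'uri="{uri}", response="{digest_response(method, uri)}"')


def parse_digest(header):
    """Split key="value" / key=value pairs (values without embedded commas)."""
    return dict(re.findall(r'(\w+)="?([^",]*)"?', header))


def backend_check(method, request_uri, header, allowed_rewrites=None):
    """Backend validation; returns the HTTP status the server should send.

    allowed_rewrites is the local configuration that tells the server an
    accelerator rewrite {backend_path: client_path} is OK.
    """
    p = parse_digest(header)
    claimed = p.get("uri")
    if claimed != request_uri:
        # RFC 2617: uri must designate the resource in the Request-Line.
        if (allowed_rewrites or {}).get(request_uri) != claimed:
            return 400  # possible attack symptom; log it
    if p.get("response") != digest_response(method, claimed):
        return 401
    return 200
```

With the path left alone the check passes; with the accelerator rewriting `/dir/index.html` to `/backend/dir/index.html` it fails with 400 until that mapping is added to `allowed_rewrites`.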
