Proxy-Authorization & Authorization headers


#1

Hi,
I got some issue, when i send the request using cURL its sends the auth via Proxy-Authorization header.
I checked the code and found that HaProxy expect Authorization header:

00000000:front-ctr-GB-10.accept(000a)=17f0 from [77.139.198.123:35447]
00000000:front-ctr-GB-10.clireq[17f0:ffffffff]: GET http://httpbin.org/headers HTTP/1.1
00000000:front-ctr-GB-10.clihdr[17f0:ffffffff]: Host: httpbin.org
00000000:front-ctr-GB-10.clihdr[17f0:ffffffff]: User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0
00000000:front-ctr-GB-10.clihdr[17f0:ffffffff]: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
00000000:front-ctr-GB-10.clihdr[17f0:ffffffff]: Accept-Language: en-US,en;q=0.5
00000000:front-ctr-GB-10.clihdr[17f0:ffffffff]: Accept-Encoding: gzip, deflate
00000000:front-ctr-GB-10.clihdr[17f0:ffffffff]: Authorization: Basic c3M6c3M=
00000000:front-ctr-GB-10.clihdr[17f0:ffffffff]: Connection: keep-alive
00000000:front-ctr-GB-10.clihdr[17f0:ffffffff]: Upgrade-Insecure-Requests: 1
00000000:front-ctr-GB-10.clihdr[17f0:ffffffff]: Cache-Control: max-age=0
smp_fetch_http_auth
smp_fetch_http_auth - contiune
Auth for stream 0x26902b0: 0
get_http_auth: txn->flags: 671088640, TX_USE_PX_CONN:1073741824
get_http_auth: h: Authorization, len: 13
get_http_auth txn->auth.user: ss, txn->auth.pass: sssmp_fetch_http_auth - contiune 

I think its better to check both headers in get_http_auth(struct stream *s)
here:
if (txn->flags & TX_USE_PX_CONN) {
h = “Proxy-Authorization”;
len = strlen(h);
} else {
h = “Authorization”;
len = strlen(h);
}


#2

No.
Haproxy supports HTTP Authentication, it does not support Proxy-Authorization.

Implementing Proxy-Authorization is more complicated than just looking at an additional header. Proxy-Authorization requires haproxy to strip the header (as it is a hop-by-hop instead of end-to-end), as well as a “407 Proxy Authentication Required” response instead of a “401 Unauthorized”.

Besides, I don’t see why haproxy would need proxy-authorization. It isn’t a forward-proxy, its a reverse-proxy and enabling Proxy-Authorization on a reverse proxy would break the service for all customers needing a forward-proxy together with Proxy-Authorizations to reach the internet. Really it doesn’t make much sense on a reverse proxy.