Alter HTTP response header in proxy (Apache 2.0)


afloom

8:31 am on Sep 27, 2005 (gmt 0)

10+ Year Member



I'm using Apache 2.0 as a reverse proxy for an external web application. My problem is that the external web application allows Microsoft NTLM and Basic Authentication for authentication, but my company's policy is to avoid NTLM. So I need to alter the response header so that the NTLM part is removed. How can I do that with Apache 2.0? I guess I'm looking for something like smart filtering, but that's only available in Apache 2.1.

Details:
When the user should authenticate, the HTTP response contains three WWW-Authenticate headers:


WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="abcd.efg"

What I want to do is to remove the first two, so that the client only sees Basic Authentication. How can I do that?

A simple solution that I came up with was to use the headers module and ALWAYS set the WWW-Authenticate response header to Basic Authentication (removes all the original WWW-Authenticate headers). However, that solution is not perfect as the authentication header shouldn't be there when the user is already authenticated. Always setting the header makes the authentication dialog pop up every now and then.

Is there a better way? Worst case scenario would be to write my own module, but maybe there's an easier way?

Thanks!

jdMorgan

2:25 pm on Sep 27, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



afloom,

Welcome to WebmasterWorld!

Have you tried using the


Header onsuccess unset WWW-Authenticate

directive in addition to your Header set directive? This would unset the authentication headers if the server response was 200 instead of 401, meaning that the user was already authenticated. So, you'd end up with something like this:

Header unset WWW-Authenticate
Header set WWW-Authenticate Basic realm="abcd.efg"
Header onsuccess unset WWW-Authenticate

You could also wrap it in a <Files> or <Directory> container if further limitation of scope is required.

I haven't used this myself, and the above is based completely on the Apache 2.0 mod_headers documentation. In other words it's a guess, but it's what I would try if I was working on this project. :)

Jim
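The policy the thread is trying to express in mod_headers, written out as an added Python example (not part of the thread, and not Apache's own code): challenges are only allowed on a 401 response, and of the three challenges afloom listed only the Basic one may survive. It also handles the form RFC 7235 permits, where several challenges share one WWW-Authenticate line, because a naive "set" or "unset" of the whole header cannot pick one challenge out of such a line. The sample responses are constructed from the headers quoted above; names such as filter_response_headers and ALLOWED_SCHEMES are this example's own.

```python
from typing import List, Tuple

Header = Tuple[str, str]

# Authentication schemes the reverse proxy is allowed to advertise.
# Everything else (Negotiate, NTLM, ...) is dropped from challenges.
ALLOWED_SCHEMES = {"basic"}


def _split_outside_quotes(value: str) -> List[str]:
    """Split a header value on commas that are not inside a quoted string,
    so a realm like "a,b" is not torn apart."""
    parts, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def parse_challenges(value: str) -> List[str]:
    """Turn one WWW-Authenticate value into a list of individual challenges.

    RFC 7235 allows 'Negotiate, NTLM, Basic realm="abcd.efg"' on a single
    line. A comma-separated piece whose first word contains '=' is a
    parameter belonging to the previous challenge, not a new scheme."""
    challenges: List[str] = []
    for piece in _split_outside_quotes(value):
        first_word = piece.split(None, 1)[0]
        if "=" in first_word and challenges:
            challenges[-1] += ", " + piece
        else:
            challenges.append(piece)
    return challenges


def scheme_of(challenge: str) -> str:
    """The auth scheme is the first token of a challenge, case-insensitive."""
    return challenge.split(None, 1)[0].lower()


def filter_response_headers(status: int, headers: List[Header]) -> List[Header]:
    """Apply the policy to a backend response before it reaches the client.

    - Non-401 responses carry no WWW-Authenticate at all (this is the case
      the 'always set' approach in the question gets wrong).
    - On a 401, each challenge is kept only if its scheme is allowed; a
      line holding several challenges is split and re-emitted one per line."""
    out: List[Header] = []
    for name, value in headers:
        if name.lower() != "www-authenticate":
            out.append((name, value))
            continue
        if status != 401:
            continue
        for challenge in parse_challenges(value):
            if scheme_of(challenge) in ALLOWED_SCHEMES:
                out.append(("WWW-Authenticate", challenge))
    return out


def request_scheme_allowed(request_headers: List[Header]) -> bool:
    """Defensive companion check: stripping NTLM from the challenge only
    stops the proxy from offering it. A client could still send an NTLM
    Authorization header unprompted, so the proxy should refuse to forward
    requests whose Authorization scheme is not in the allowed set."""
    for name, value in request_headers:
        if name.lower() == "authorization" and scheme_of(value) not in ALLOWED_SCHEMES:
            return False
    return True


# Constructed sample: the 401 from the question, with its three challenges.
SAMPLE_401: List[Header] = [
    ("Content-Type", "text/html"),
    ("WWW-Authenticate", "Negotiate"),
    ("WWW-Authenticate", "NTLM"),
    ("WWW-Authenticate", 'Basic realm="abcd.efg"'),
]

# Constructed sample: a 200 that a blanket 'Header set' would wrongly decorate.
SAMPLE_200: List[Header] = [
    ("Content-Type", "text/html"),
    ("WWW-Authenticate", 'Basic realm="abcd.efg"'),
]

if __name__ == "__main__":
    for status, hdrs in ((401, SAMPLE_401), (200, SAMPLE_200)):
        print(status, filter_response_headers(status, hdrs))
    print(request_scheme_allowed([("Authorization", "NTLM TlRMTVNTUAAB")]))
```

The functions model the intended outcome rather than mod_headers internals: the `status != 401` branch is exactly what the `Header set` approach from the first post lacks, and `request_scheme_allowed` is the matching inbound check, since removing a scheme from the challenge does not by itself stop the backend from accepting it.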

afloom

6:41 am on Sep 29, 2005 (gmt 0)

10+ Year Member



Thanks for your reply.

I tried it with the "onsuccess" flag, but the funny thing is that the header is then (it seems) removed for every response, even the ones with 401 status. I also tried "always", but then it is never removed (not even for 2xx statuses).
The strange thing is that in the change log for Apache 2.0.51 it states:

*) Backport from 2.1 / Regression from 1.3: mod_headers now knows
again the functionality of the ErrorHeader directive. But instead
using this misnomer additional flags to the Header directive were
introduced ("always" and "onsuccess", defaulting to the latter).
PR 28657. [André Malo]

"onsuccess" seems to be the default behavior. That's probably why I seem to get the same behavior as when not stating any condition (the header is removed/unset). However, I cannot get the behavior to match the documentation:

The optional condition can be either onsuccess or always. It determines, which internal header table should be operated on. onsuccess stands for 2xx status codes and always for all status codes (including 2xx). Especially if you want to unset headers set by certain modules, you should try out, which table is affected.

Are there different sets of statuses? I read the documentation as "onsuccess" stands for 2xx HTTP response status codes. Am I misunderstanding something? Is this a bug (I'm using v2.0.52)? Maybe more of incorrect documentation...