MINOR: http-ana: Use proxy's error replies to emit 401/407 responses

There is no reason to not use proxy's error replies to emit 401/407
responses. The function http_reply_40x_unauthorized(), responsible for emitting
those responses, is not really complex. It only adds a
WWW-Authenticate/Proxy-Authenticate header to a generic message.

So now, error replies can be defined for 401 and 407 status codes, using
errorfile or http-error directives. When an http-request auth rule is evaluated,
the corresponding error reply is used. For 401 responses, all occurrences of the
WWW-Authenticate header are removed and replaced by a new one with a basic
authentication challenge for the configured realm. For 407 responses, the same
is done on the Proxy-Authenticate header. If the error reply must not be
altered, an "http-request return" rule must be used instead.

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 674acd2..8a67f4d 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -2522,8 +2522,8 @@
Arguments :
<code> is the HTTP status code. Currently, HAProxy is capable of
- generating codes 200, 400, 403, 404, 405, 408, 410, 425, 429,
- 500, 502, 503, and 504.
+ generating codes 200, 400, 401, 403, 404, 405, 407, 408, 410,
+ 425, 429, 500, 502, 503, and 504.
<file> designates a file containing the full HTTP response. It is
recommended to follow the common practice of appending ".http" to
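Review bot: the list of supported codes in this <code> description is edited by hand here and in five more copies further down the same file, all with the same content. Consider stating the list once and referring to it from the other directives, so that the next status code added cannot leave one copy stale.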
@@ -3859,8 +3859,8 @@
yes | yes | yes | yes
Arguments :
<code> is the HTTP status code. Currently, HAProxy is capable of
- generating codes 200, 400, 403, 404, 405, 408, 410, 425, 429, 500,
- 502, 503, and 504.
+ generating codes 200, 400, 401, 403, 404, 405, 407, 408, 410,
+ 425, 429, 500, 502, 503, and 504.
<file> designates a file containing the full HTTP response. It is
recommended to follow the common practice of appending ".http" to
@@ -3908,8 +3908,8 @@
<name> is the name of an existing http-errors section.
<code> is a HTTP status code. Several status code may be listed.
- Currently, HAProxy is capable of generating codes 200, 400, 403,
- 404, 405, 408, 410, 425, 429, 500, 502, 503, and 504.
+ Currently, HAProxy is capable of generating codes 200, 400, 401,
+ 403, 404, 405, 407, 408, 410, 425, 429, 500, 502, 503, and 504.
Errors defined in the http-errors section with the name <name> are imported
in the current proxy. If no status code is specified, all error files of the
@@ -3934,8 +3934,8 @@
yes | yes | yes | yes
Arguments :
<code> is the HTTP status code. Currently, HAProxy is capable of
- generating codes 200, 400, 403, 404, 405, 408, 410, 425, 429, 500,
- 502, 503, and 504.
+ generating codes 200, 400, 401, 403, 404, 405, 407, 408, 410,
+ 425, 429, 500, 502, 503, and 504.
<url> it is the exact contents of the "Location" header. It may contain
either a relative URI to an error page hosted on the same site,
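Review bot: for this directive <url> is described as the exact contents of the "Location" header, so the configured reply is a redirect, yet the <code> list now accepts 401 and 407. The text should say what the client receives when such a redirect is configured for 401 or 407 and an "http-request auth" rule fires, in particular whether the WWW-Authenticate/Proxy-Authenticate challenge is still added or is lost. The same question applies to the next hunk.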
@@ -3966,8 +3966,8 @@
yes | yes | yes | yes
Arguments :
<code> is the HTTP status code. Currently, HAProxy is capable of
- generating codes 200, 400, 403, 404, 405, 408, 410, 425, 429, 500,
- 502, 503, and 504.
+ generating codes 200, 400, 401, 403, 404, 405, 407, 408, 410,
+ 425, 429, 500, 502, 503, and 504.
<url> it is the exact contents of the "Location" header. It may contain
either a relative URI to an error page hosted on the same site,
@@ -4942,8 +4942,8 @@
Arguments :
staus <code> is the HTTP status code. It must be specified.
Currently, HAProxy is capable of generating codes
- 200, 400, 403, 404, 405, 408, 410, 425, 429, 500,
- 502, 503, and 504.
+ 200, 400, 401, 403, 404, 405, 407, 408, 410, 425, 429,
+ 500, 502, 503, and 504.
content-type <type> is the response content type, for instance
"text/plain". This parameter is ignored and should be
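Review bot: the context line directly above the changed list reads "staus <code>"; since this argument's description is being touched anyway, correct the keyword to "status" in the same patch so the documented name matches what users must type.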
@@ -5095,6 +5095,14 @@
"realm" parameter is supported, it sets the authentication realm that is
returned with the response (typically the application's name).
+ The corresponding proxy's error message is used. It may be customized using
+ an "errorfile" or an "http-error" directive. For 401 responses, all
+ occurrences of the WWW-Authenticate header are removed and replaced by a new
+ one with a basic authentication challenge for realm "<realm>". For 407
+ responses, the same is done on the Proxy-Authenticate header. If the error
+ message must not be altered, consider to use "http-request return" rule
+ instead.
+
Example:
acl auth_ok http_auth_group(L1) G1
http-request auth unless auth_ok
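Review bot: in the last sentence of the added paragraph, 'consider to use "http-request return" rule instead' should read 'consider using an "http-request return" rule instead'. It would also help to say explicitly that any challenge the custom error message itself carries is discarded, because "removed and replaced" is easy to read past and an operator who puts their own WWW-Authenticate or Proxy-Authenticate header in an errorfile will not see it in the response.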