commit 612f2eafe907a4a6c07486274c90dc867e4e9e95
author Christopher Faulet <cfaulet@haproxy.com> Wed May 27 09:57:28 2020 +0200
committer Christopher Faulet <cfaulet@haproxy.com> Thu May 28 15:07:20 2020 +0200
tree 6bf54ee971997c43f6de9b1e6c986103b25cb9f9
parent ae43b6c446ed99735e8ab2217ff35ca170649ed6

MINOR: http-ana: Use proxy's error replies to emit 401/407 responses

There is no reason to not use proxy's error replies to emit 401/407
responses. The function http_reply_40x_unauthorized(), responsible to emit those
responses, is not really complex. It only adds a
WWW-Authenticate/Proxy-Authenticate header to a generic message.

So now, error replies can be defined for 401 and 407 status codes, using
errorfile or http-error directives. When an http-request auth rule is evaluated,
the corresponding error reply is used. For 401 responses, all occurrences of the
WWW-Authenticate header are removed and replaced by a new one with a basic
authentication challenge for the configured realm. For 407 responses, the same
is done on the Proxy-Authenticate header. If the error reply must not be
altered, "http-request return" rule must be used instead.

doc/configuration.txt

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 674acd2..8a67f4d 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -2522,8 +2522,8 @@
 
   Arguments :
     <code>    is the HTTP status code. Currently, HAProxy is capable of
-              generating codes 200, 400, 403, 404, 405, 408, 410, 425, 429,
-              500, 502, 503, and 504.
+              generating codes 200, 400, 401, 403, 404, 405, 407, 408, 410,
+              425, 429, 500, 502, 503, and 504.
 
     <file>    designates a file containing the full HTTP response. It is
               recommended to follow the common practice of appending ".http" to
@@ -3859,8 +3859,8 @@
                                  yes   |    yes   |   yes  |   yes
   Arguments :
     <code>    is the HTTP status code. Currently, HAProxy is capable of
-              generating codes 200, 400, 403, 404, 405, 408, 410, 425, 429, 500,
-              502, 503, and 504.
+              generating codes 200, 400, 401, 403, 404, 405, 407, 408, 410,
+              425, 429, 500, 502, 503, and 504.
 
     <file>    designates a file containing the full HTTP response. It is
               recommended to follow the common practice of appending ".http" to
@@ -3908,8 +3908,8 @@
     <name>  is the name of an existing http-errors section.
 
     <code>  is a HTTP status code. Several status code may be listed.
-            Currently, HAProxy is capable of generating codes 200, 400, 403,
-            404, 405, 408, 410, 425, 429, 500, 502, 503, and 504.
+            Currently, HAProxy is capable of generating codes 200, 400, 401,
+            403, 404, 405, 407, 408, 410, 425, 429, 500, 502, 503, and 504.
 
   Errors defined in the http-errors section with the name <name> are imported
   in the current proxy. If no status code is specified, all error files of the
@@ -3934,8 +3934,8 @@
                                  yes   |    yes   |   yes  |   yes
   Arguments :
     <code>    is the HTTP status code. Currently, HAProxy is capable of
-              generating codes 200, 400, 403, 404, 405, 408, 410, 425, 429, 500,
-              502, 503, and 504.
+              generating codes 200, 400, 401, 403, 404, 405, 407, 408, 410,
+              425, 429, 500, 502, 503, and 504.
 
     <url>     it is the exact contents of the "Location" header. It may contain
               either a relative URI to an error page hosted on the same site,
@@ -3966,8 +3966,8 @@
                                  yes   |    yes   |   yes  |   yes
   Arguments :
     <code>    is the HTTP status code. Currently, HAProxy is capable of
-              generating codes 200, 400, 403, 404, 405, 408, 410, 425, 429, 500,
-              502, 503, and 504.
+              generating codes 200, 400, 401, 403, 404, 405, 407, 408, 410,
+              425, 429, 500, 502, 503, and 504.
 
     <url>     it is the exact contents of the "Location" header. It may contain
               either a relative URI to an error page hosted on the same site,
@@ -4942,8 +4942,8 @@
   Arguments :
     staus <code>         is the HTTP status code. It must be specified.
                          Currently, HAProxy is capable of generating codes
-                         200, 400, 403, 404, 405, 408, 410, 425, 429, 500,
-                         502, 503, and 504.
+                         200, 400, 401, 403, 404, 405, 407, 408, 410, 425, 429,
+                         500, 502, 503, and 504.
 
     content-type <type>  is the response content type, for instance
                          "text/plain". This parameter is ignored and should be
@@ -5095,6 +5095,14 @@
   "realm" parameter is supported, it sets the authentication realm that is
   returned with the response (typically the application's name).
 
+  The corresponding proxy's error message is used. It may be customized using
+  an "errorfile" or an "http-error" directive. For 401 responses, all
+  occurrences of the WWW-Authenticate header are removed and replaced by a new
+  one with a basic authentication challenge for realm "<realm>". For 407
+  responses, the same is done on the Proxy-Authenticate header. If the error
+  message must not be altered, consider to use "http-request return" rule
+  instead.
+
   Example:
         acl auth_ok http_auth_group(L1) G1
         http-request auth unless auth_ok