I have a 1.) client, a 2.) nginx-powered proxy server and 3.) some servers whose addresses are unreachable for the client; the proxy handles the communication from the client to these servers.

Worked fine so far. But now some of these servers require authentication by HTTP digest instead of HTTP basic auth and the client is no longer able to authenticate on these servers correctly.

Thanks to wget and Wireshark I was able to corner the problem a little.

The HTTP header of a working authentication looks like this:

GET /targetpath/myfile.jpg HTTP/1.1
User-Agent: Wget/1.15 (linux-gnu)
Accept: */*
Host: 192.168.5.215
Connection: Keep-Alive
Authorization: Digest username="myuser", realm="MyRealm", nonce="x+AfVa0pBQA=ad6ef47eb7e95f9fe8e148a9ccd22dcdb3b8a7f6", uri="/targetpath/myfile.jpg", response="6f7cf06ddededd7295ce3a16b4196528", qop=auth, nc=00000001, cnonce="26310a3e", algorithm="MD5"

The header of the non-working authentication, done by the proxy, looks a little different:

GET /targetpath/myfile.jpg HTTP/1.0
Connection: Keep-Alive
Host: 192.168.5.215
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:42.0) Gecko/20100101 Firefox/42.0
Referer: http://localhost/
Authorization: Digest username="MyUser", realm="MyRealm", nonce="Sh3xpq0pBQA=ccc43b898eccd1933fa63383d8a6447385119db9", uri="/proxypath/192.168.5.215/targetpath/myfile.jpg", algorithm=MD5, response="068f00e3460e4b585b4a90fa76be8b27", qop=auth, nc=00000003, cnonce="cbe75557a6107092"

Please note the difference in the uri within the Authorization header. This is, of course, the request path of the proxy server. (Since the client handles the authentication, the proxy only passes data and rewrites the URL.) I suspect that's where the issue is from. (Please note that I'm unable to debug directly on the target servers to verify this.)

So, the question is: Is there a way to rewrite the Authorization dynamically before it is passed to the target server? Is there a way to let the proxy server handle the authentication instead of just passing it from the client? Or is there another / better approach?

XQDev
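Added example, not part of the original post: in Digest authentication (RFC 2617, algorithm MD5, qop=auth) the `response` value is a hash that includes the `uri` field, so this sketch checks three cases against a simplified origin server that receives the rewritten request path. The password and the `origin_accepts` check are assumptions made for illustration; the other values are the ones from the failing request above.

```python
import hashlib
import hmac

PASSWORD = "example-password"  # constructed; the real password is not on the page
PROXY_URI = "/proxypath/192.168.5.215/targetpath/myfile.jpg"  # path the client requests
TARGET_URI = "/targetpath/myfile.jpg"  # path the proxy sends upstream


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(p, password, method="GET"):
    """RFC 2617 response for algorithm=MD5 with qop=auth."""
    ha1 = md5_hex(f"{p['username']}:{p['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{p['uri']}")  # the uri field is hashed here
    return md5_hex(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:{p['qop']}:{ha2}")


def client_header(uri):
    """Authorization parameters as a client would build them for `uri`."""
    p = {"username": "MyUser", "realm": "MyRealm", "uri": uri, "qop": "auth",
         "nonce": "Sh3xpq0pBQA=ccc43b898eccd1933fa63383d8a6447385119db9",
         "nc": "00000003", "cnonce": "cbe75557a6107092"}
    p["response"] = digest_response(p, PASSWORD)
    return p


def origin_accepts(request_uri, p):
    """Hypothetical origin check: uri must match the request line, hash must verify."""
    if p["uri"] != request_uri:
        return False
    return hmac.compare_digest(digest_response(p, PASSWORD), p["response"])


def scenarios():
    passthrough = client_header(PROXY_URI)          # header forwarded unchanged
    rewritten = dict(passthrough, uri=TARGET_URI)   # uri field edited, hash untouched
    recomputed = client_header(TARGET_URI)          # hash computed over the target path
    return {
        "passthrough": origin_accepts(TARGET_URI, passthrough),
        "uri_field_rewritten": origin_accepts(TARGET_URI, rewritten),
        "hash_over_target_uri": origin_accepts(TARGET_URI, recomputed),
    }


if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Only the third case verifies: editing the `uri` field alone leaves a `response` that no longer matches, and recomputing it requires the password (or its HA1 hash), which a pass-through proxy does not hold.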