Opened 7 years ago

Closed 6 years ago

#506 closed enhancement (wontfix)

Allow http error code 101 426 returned from auth_request

Reported by: Sherwood Wang Owned by:
Priority: minor Milestone:
Component: nginx-module Version: 1.5.x
Keywords: Cc:
uname -a: Linux sherwoodwang 3.2.0-4-amd64 #1 SMP Debian 3.2.51-1 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.5.10
built by gcc 4.7.2 (Debian 4.7.2-5)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-mail --with-mail_ssl_module --with-file-aio --with-http_spdy_module --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,--as-needed' --with-ipv6

Description

Send username and password with http is not secure. So if the application invoked with auth_request has determined the access to a page should be restricted, it must have a method to tell browser to upgrade to https before asking password.

For 101, 426 error code, client should receive "upgrade" header, "connection" header from the response from auth_request.

Change History (1)

comment:1 by Maxim Dounin, 6 years ago

Resolution: wontfix
Status: newclosed

There are no plans to support RFC2817-style upgrades to TLS. It is believed to be not supported by most (if not all) browsers, and it's known to be insecure as it can't prevent man-in-the-middle attacks. See, e.g., Mozilla bug #276813 for a discussion of the topic.

If you want security, consider returning a redirect to a https URI if authentication is required. When using auth request module, this can be done by using error_page 401.

Note: See TracTickets for help on using tickets.