Access control

Vincent Ladeuil v.ladeuil+lp at free.fr
Wed Feb 28 20:54:21 GMT 2007 

>>>>> "Jeff" == Jeffrey Cunningham <jcunningham at medea.sea.boeing.com> writes:

<snip/>

    Jeff> No worries, its a temporary username/password for debugging -
    Jeff> none of this is exposed to the outside world anyway.

Ok.

    Jeff> User-Agent: bzr/0.14.0 (pycurl)
    Jeff> Host: medea.sea.boeing.com
    Jeff> Accept: */*
    Jeff> Proxy-Connection: Keep-Alive
    Jeff> Cache-control: max-age=0
    Jeff> Pragma: no-cache
    Jeff> Connection: Keep-Alive
    >> 
    Jeff> < HTTP/1.1 400 Bad Request
    Jeff> < Cache-Control: no-cache
    Jeff> < Pragma: no-cache
    Jeff> < Content-Type: text/html
    Jeff> * HTTP/1.1 proxy connection set close!
    Jeff> < Proxy-Connection: close
    Jeff> < Connection: close
    Jeff> < Content-Length: 6822
    Jeff> * Closing connection #0
    Jeff> bzr: ERROR: Invalid http response for
    Jeff> 
    Jeff> http://jeff:password@medea.sea.boeing.com/~jcunningham/docs/.bzr/branch-format:
    Jeff> Unable to handle http code 400: expected 200 or 404 for full
    Jeff> response.
    Jeff> j


    >> 
    >> The proxy refuses the request ! Not the final host. That explain
    >> why the apache logs are empty.
    >> 
    >> What proxy are you using ? I thought we solve your proxy problems
    >> already >-/ Or was it with another proxy ?
    >> 
    >> The proxy mentioned in the other thread was
    >> http://nw-proxy.boeing.com:31060 and here it's
    >> www-blv-proxy.boeing.com port 31060, some port but different
    >> name...

    Jeff> I was obsfucating the proxy in the earlier post, then realized
    Jeff> there was no good reason to (instinct, I guess). The latter proxy
    Jeff> is the correct one and it hasn't changed.

    Jeff> And bzr works fine if I turn off all forms of authentication.

Did I understand correctly ?

You are able to configure your apache server but you need to go
through the proxy to access it ?

Are you able to configure the proxy too ?

Can you try to disable the proxy for that server :

no_proxy=medea.sea.boeing.com

And by the way, what are your proxy settings for mozilla ?

<snip/>

    Jeff> jcunningham at medea ~/junk $ bzr branch
    Jeff> http+urllib://jeff:password@medea.sea.boeing.com/~jcunningham/docs
    Jeff> Will unbind ftp_open for 'http://www-blv-proxy.boeing.com:31060'
    Jeff> Will unbind http_open for 'http://www-blv-proxy.boeing.com:31060'
    Jeff> Will bind http_request for 'http://www-blv-proxy.boeing.com:31060'
    Jeff> set_proxy http_request for 'http://www-blv-proxy.boeing.com:31060'
    Jeff> set_proxy: proxy set to 'http'://'www-blv-proxy.boeing.com:31060'
    Jeff> connect: (www-blv-proxy.boeing.com, 31060)
    Jeff> send: 'GET
    Jeff> http://medea.sea.boeing.com/~jcunningham/docs/.bzr/branch-format
    Jeff> HTTP/1.1\r\nAccept-Encoding: identity\r\nConnection:
    Jeff> Keep-Alive\r\nAccept: */*\r\nUser-agent: bzr/0.14.0
    Jeff> (urllib)\r\nHost: medea.sea.boeing.com\r\nPragma:
    Jeff> no-cache\r\nCache-control: max-age=0\r\n\r\n'
    Jeff> Request sent: [<bzrlib.transport.http._urllib2_wrappers.Request
    Jeff> instance at 0xb7c64fec>]
    Jeff> reply: 'HTTP/1.1 401 Authorization Required\r\n'
    Jeff> header: Connection: Keep-Alive
    Jeff> header: Date: Wed, 28 Feb 2007 19:53:46 GMT
    Jeff> header: Server: Apache
    Jeff> header: WWW-Authenticate: Basic realm="sarat"
    Jeff> header: Content-Length: 471
    Jeff> header: Content-Type: text/html; charset=iso-8859-1
    Jeff> header: Cache-Control: proxy-revalidate
    Jeff> header: Proxy-support: Session-based-authentication
    Jeff> For status: [401], will ready body, length:  [471]
    Jeff> Consumed body: [<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    Jeff> <html><head>
    Jeff> <title>401 Authorization Required</title>
    Jeff> </head><body>
    Jeff> <h1>Authorization Required</h1>
    Jeff> <p>This server could not verify that you
    Jeff> are authorized to access the document
    Jeff> requested.  Either you supplied the wrong
    Jeff> credentials (e.g., bad password), or your
    Jeff> browser doesn't understand how to supply
    Jeff> the credentials required.</p>
    Jeff> <hr>
    Jeff> <address>Apache Server at medea.sea.boeing.com Port 80</address>
    Jeff> </body></html>
    Jeff> ]

So here we go through the proxy and we reached
medea.sea.boeing.com, are you sure you see nothing in the apache
logs for that ?

I can't determine if the 400 error code for pycurl came from the
proxy or the apache server.

Thanks for your patience, tele-debugging such a config
is... interesting ;-)

By the way if you could upgrade your bzr it will be easier to
send you patches or if you tell me what exact version you're
using I can base patches on it.

I still don't know where the problem is, but pycurl and urllib
behaving differently for basic authorization is really strange.

Well, let's try to divide the problem: can you do the same test
locally on your apache server using http://localhost so that we
can rule out the proxy ? If it works with:
- basic auth for urllib,
- basic or digest for pycurl

Then we could have a look at the proxy.

       Vincent

P.S.: It's a bit late here but I may find some more time tomorrow
at worst.

More information about the bazaar mailing list