Willy Tarreau a écrit :
> The problem is on the browser side in fact, because it authenticates on one
> hostname (the IP address of haproxy), then is redirected to a different server,
> so it refuses to send credentials to an unknown place (that would be a security
> issue).
Hum, yes, it is reasonable.
> RFC2617 states that your server may specify a domain name when asking for
> www authentication. For this, you have to set "domain=xxxx" in the 401
> response, with the "WWW-Authenticate" header.
>
> If you use the same domain suffix for your servers and for the LB, it should
> fix your problem because the browser will then forward the user's
> authentication to all servers.
Thanks for the idea. I've tried to modify icecast2 to make it return the proper WWW-Authenticate (WWW-Authenticate: Basic realm="Icecast2 Server" domain="mydomain.com"), as you suggest.
The servers and LB have the same domain suffix (live{1,2,3}.mydomain.com).
I'll try to modify the code for the 302 response of haproxy and make it forward the authentification in the "Location"
thanks
Florian Received on 2008/06/23 10:03
This archive was generated by hypermail 2.2.0 : 2008/06/23 10:15 CEST