nginx 400 error when username included in the uri
Michael Ching
michaelc at wush.net
Thu Aug 21 03:22:30 MSD 2008
mike wrote:
> isn't http://user:password@host now deprecated?
>
> only IE supports that now pre-SP2 / patched right?
>
> (not that i agree with it, but afaik it is not in RFC spec)
>
> originally i had thought there was a generic URI RFC spec
>
> scheme://user:password@host:/dirs
>
> where scheme can be telnet, ssh, http, https, scp, fastcgi, whatever
> the programs require...
>
While I am not sure of the specifics on whether the syntax is declared
deprecated or not, it is pretty widely used by a browser or client which
accepts the scheme://user:pass@host syntax then converts this to the
appropriate login mechanism for the service actually being accessed
(USER/PASS commands in FTP, Authorization:/Credentials: headers in HTTP,
etc).

For example, you cannot simply pass a request to an http server such as:

    GET http://user:pass@host/

However, most browsers will accept the URI and when doing the actual
request to the server send:

    GET http://host/
    Authorization: Basic ...
    Credentials: user:pass

The issue is that some broken clients are sending both:

    GET http://user:pass@host/
    Authorization: Basic ...
    Credentials: user:pass

Apache ignores the extra info in the GET portion of the request and uses
the proper authorization information passed later, but nginx returns an
error 400 as soon as it detects the characters which should be illegal
in a host name.
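
The conversion described in the message above, as an added example that is not part of the original post or of nginx: split_userinfo() does what a well-behaved client does with a user:pass@ URI, and request_target_has_userinfo() flags the broken-client request line that nginx answers with 400. Both function names and the sample request lines are constructed for illustration.

```python
import base64
from urllib.parse import urlsplit, urlunsplit, unquote


def split_userinfo(url):
    """Return (clean_url, headers) as a well-behaved HTTP client would send them.

    The user:pass@ part is removed from the URL and moved into an
    Authorization: Basic header instead of being sent on the request line.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if ":" in host:                      # IPv6 literal needs its brackets back
        host = f"[{host}]"
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    clean = urlunsplit((parts.scheme, host, parts.path or "/", parts.query, ""))
    headers = {"Host": host}
    if parts.username is not None:
        user = unquote(parts.username)
        password = unquote(parts.password or "")
        token = base64.b64encode(f"{user}:{password}".encode()).decode("ascii")
        headers["Authorization"] = f"Basic {token}"
    return clean, headers


def request_target_has_userinfo(request_line):
    """True when an absolute-form request target still carries userinfo."""
    fields = request_line.split()
    if len(fields) < 2:
        return False
    target = fields[1]
    if target.startswith("/") or target == "*":
        return False                     # origin-form: an '@' here is just path/query data
    return "@" in urlsplit(target).netloc


if __name__ == "__main__":
    # Constructed sample input mirroring the request lines in the message.
    print(split_userinfo("http://user:pass@host/"))
    for line in ("GET http://user:pass@host/ HTTP/1.1",
                 "GET http://host/ HTTP/1.1"):
        print(line, "->", request_target_has_userinfo(line))
```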