Support 407 code in "satisfy any" and "auth_delay"

Notably, "auth_delay" now delays the response for both 401 and 407.
Also, in the "satisfy any" mode, the next access/auth attempt is made
for 401, 403 and 407.

diff --git a/src/http/ngx_http_core_module.c b/src/http/ngx_http_core_module.c
index 4c51f7edf3ebf040cd166c609197c411be4dd113..4e1c67282c5150c9f6f1d8a55421def10349e42c 100644 (file)
--- a/src/http/ngx_http_core_module.c
+++ b/src/http/ngx_http_core_module.c
@@ -1155,8 +1155,13 @@ ngx_http_core_access_phase(ngx_http_request_t *r, ngx_http_phase_handler_t *ph)
             return NGX_AGAIN;
         }
 
-        if (rc == NGX_HTTP_FORBIDDEN || rc == NGX_HTTP_UNAUTHORIZED) {
-            if (r->access_code != NGX_HTTP_UNAUTHORIZED) {
+        if (rc == NGX_HTTP_FORBIDDEN
+            || rc == NGX_HTTP_UNAUTHORIZED
+            || rc == NGX_HTTP_PROXY_AUTH_REQUIRED)
+        {
+            if (r->access_code != NGX_HTTP_UNAUTHORIZED
+                && r->access_code != NGX_HTTP_PROXY_AUTH_REQUIRED)
+            {
                 r->access_code = rc;
             }
 
@@ -1167,7 +1172,8 @@ ngx_http_core_access_phase(ngx_http_request_t *r, ngx_http_phase_handler_t *ph)
 
     /* rc == NGX_ERROR || rc == NGX_HTTP_...  */
 
-    if (rc == NGX_HTTP_UNAUTHORIZED) {
+    if (rc == NGX_HTTP_UNAUTHORIZED || rc == NGX_HTTP_PROXY_AUTH_REQUIRED) {
+        r->access_code = rc;
         return ngx_http_core_auth_delay(r);
     }
 
@@ -1188,17 +1194,19 @@ ngx_http_core_post_access_phase(ngx_http_request_t *r,
     access_code = r->access_code;
 
     if (access_code) {
-        r->access_code = 0;
-
         if (access_code == NGX_HTTP_FORBIDDEN) {
             ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
                           "access forbidden by rule");
         }
 
-        if (access_code == NGX_HTTP_UNAUTHORIZED) {
+        if (access_code == NGX_HTTP_UNAUTHORIZED
+            || access_code == NGX_HTTP_PROXY_AUTH_REQUIRED)
+        {
             return ngx_http_core_auth_delay(r);
         }
 
+        r->access_code = 0;
+
         ngx_http_finalize_request(r, access_code);
         return NGX_OK;
     }
@@ -1211,12 +1219,16 @@ ngx_http_core_post_access_phase(ngx_http_request_t *r,
 static ngx_int_t
 ngx_http_core_auth_delay(ngx_http_request_t *r)
 {
+    ngx_int_t                  access_code;
     ngx_http_core_loc_conf_t  *clcf;
 
     clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
 
     if (clcf->auth_delay == 0) {
-        ngx_http_finalize_request(r, NGX_HTTP_UNAUTHORIZED);
+        access_code = r->access_code;
+        r->access_code = 0;
+
+        ngx_http_finalize_request(r, access_code);
         return NGX_OK;
     }
 
@@ -1252,6 +1264,7 @@ ngx_http_core_auth_delay(ngx_http_request_t *r)
 static void
 ngx_http_core_auth_delay_handler(ngx_http_request_t *r)
 {
+    ngx_int_t     access_code;
     ngx_event_t  *wev;
 
     ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
@@ -1268,7 +1281,10 @@ ngx_http_core_auth_delay_handler(ngx_http_request_t *r)
         return;
     }
 
-    ngx_http_finalize_request(r, NGX_HTTP_UNAUTHORIZED);
+    access_code = r->access_code;
+    r->access_code = 0;
+
+    ngx_http_finalize_request(r, access_code);
 }