NPS HTTP代理使用非标准的 401 响应进行认证,导致部分客户端(如浏览器插件)认证失败 #55
Description
问题描述:
当启用 NPS 的 HTTP 代理功能并设置用户名/密码认证时,通过配置了正确用户名和密码的浏览器代理插件(如 SwitchyOmega)访问网页失败,iOS系统无线HTTP代理同样访问失败。
失败场景:
使用浏览器插件通过 NPS 代理上网,网络抓包显示:
浏览器插件发送 CONNECT 请求到 NPS,不包含 Proxy-Authorization 头。
NPS 服务器响应 HTTP/1.1 401 Unauthorized,并包含 WWW-Authenticate: Basic realm="easyProxy" 头。
浏览器插件收到此响应后,没有重新发送带有 Proxy-Authorization 头的请求,导致连接失败。
成功场景 1 (curl + NPS):
使用 curl 命令,并指定相同的用户名/密码 (curl -x http://user:pass@nps_ip:port ...),可以成功通过 NPS 代理访问网页。网络抓包显示 curl 会直接发送包含 Proxy-Authorization 头的请求。
可使用的HTTP代理和NPS HTTP代理响应:
Hypertext Transfer Protocol
HTTP/1.1 407 Proxy Authentication Required
[Expert Info (Chat/Sequence): HTTP/1.1 407 Proxy Authentication Required]
[HTTP/1.1 407 Proxy Authentication Required]
[Severity level: Chat]
[Group: Sequence]
Response Version: HTTP/1.1
Status Code: 407
[Status Code Description: Proxy Authentication Required]
Response Phrase: Proxy Authentication Required
Proxy-Authenticate: Basic realm="SimpleProxyAuth"
Content-Length: 0
[Content length: 0]
Connection: close
[HTTP response 1/1]
[Time since request: 0.000443000 seconds]
[Request in frame: 4]
[Request URI: pss.bdstatic.com:443]
Hypertext Transfer Protocol
HTTP/1.1 401 Unauthorized
[Expert Info (Chat/Sequence): HTTP/1.1 401 Unauthorized]
[HTTP/1.1 401 Unauthorized]
[Severity level: Chat]
[Group: Sequence]
Response Version: HTTP/1.1
Status Code: 401
[Status Code Description: Unauthorized]
Response Phrase: Unauthorized
Content-Type: text/plain; charset=utf-8
WWW-Authenticate: Basic realm="easyProxy"
[HTTP response 1/1]
[Time since request: 0.000511000 seconds]
[Request in frame: 7]
[Request URI: pss.bdstatic.com:443]
File Data: 16 bytes