Just some notes... I'm really tired and I worked on this for several hours today. While I think it might be possible to use digest auth on a back end server and use a different host-path (the request path in the address bar in the browser) and the final path on the server, I couldn't figure it out - esp. with trac.
This directive on the proxy server:
RequestHeader edit Authorization uri="/dev([a-z\/]+)" uri="$1"
fixes this error on the authentication server:
Digest: uri mismatch - does not match request-uri
The error is caused by the fact that the browser uri is /dev/trac/login, whereas the server request-uri is /trac/login. The only thing that would fix this particular situation correctly is to rewrite the backend server-side request-uri during the digest processing stage. I have no idea how to do that.
In the end, I had to carry the /dev/ through to the authenticating back-end server like this:
RewriteCond %{REQUEST_URI} ^/dev/
RewriteCond %{REQUEST_URI} !^/dev/trac/login
RewriteRule ^/dev/(.*) http://dev-50/$1 [P]
RewriteCond %{REQUEST_URI} ^/dev/trac/login
RewriteRule ^/dev/trac/login(.*) http://dev-50/dev/trac/login$1 [P]
I feel like it should cause an infinite loop, but its not at the moment. Maybe if I do a hard restart of the back-end server. Update: it does cause an infinite loop:
Proxy Error The proxy server received an invalid response from an upstream server. The proxy server could not handle the request GET /dev/trac/login. Reason: Max-Forwards has reached zero - proxy loop?
Luckily there is a way out:
RewriteCond %{HTTP:X-Forwarded-Host} !.+
RewriteCond %{REQUEST_URI} ^/dev/trac/login
RewriteRule ^/dev/trac/login(.*) http://dev-50/dev/trac/login$1 [L,P]
This says something like "if there is an X-Forwarded-Host, then don't proxy again". I think that could be problematic if requests from the public ip space contain this header. Therefore I'll evaluate some other headers, like X-Forwarded-For and check a list of designated addresses and hostnames.