HTTP 401 Unauthorized only sent back after full POST request is read.
For IE 11 at least, sending back the 401 after the request headers will cause it to stop trying to upload the (potentially very large) post body when HTTP authorization is required.
It'd be great if lighttpd could send back the 401 without the browser sending the full file, only to send it again with the Authorization header on the second try.
defer reading request body until handle subrequest (fixes #2541)
read request body right before calling subrequest handler,
allowing request to be handled prior to reading request body,
e.g. to send 401 Unauthorized response when authentication is required
(In the future, this might move into each dynamic handler which supports
request body (mod_cgi, mod_fastcgi, mod_proxy, mod_scgi, mod_webdav) so
that each dynamic handler can choose whether or not to buffer request
body or to stream request body to backend as request body is received.)
keep-alive is disabled if request body has not been completely read
prior to sending response
"HTTP 401 Unauthorized only sent back after full POST request is read"
Also available in: Atom