Bug #1943
closed
Connection not closed after authentication failure when proxying
Description
Most HTTP clients rely on the HTTP server closing the connection after a failed authentication attempt. However, when using lighttpd to proxy requests in combination with HTTP authentication, a failed authentication attempt does not result in the connection being closed - it will simply wait server.max-write-idle seconds before being closed as the result of a socket timeout.
In a browser, this results in the page appearing to "hang" after an authentication failure (or on first access) for server.max-write-idle seconds, and then the login box is presented. If one presents valid login details, everything works with no further delays. Various programmatic HTTP client libraries have this issue too.
The problem occurs regardless of whether the requested URI is actually proxied; for example, protecting the local mod_status page has the same problem. However, this can at least be "worked around" by setting proxy.server = () for those URIs. Naturally, this workaround is not applicable for non-local URIs.
Just to be clear: without proxying, lighttpd closes the connection and everything is fine - it is only in the presence of proxying that this behaviour appears. One client that doesn't rely on this behaviour is GNU wget, just in case you test with that.
I am using 1.4.19 from Debian lenny, specifically 1.4.19-5.
Updated by gstrauss over 8 years ago
- Status changed from New to Fixed
Should be fixed in next version of lighttpd (1.4.40)
Patch available at https://github.com/lighttpd/lighttpd1.4/pull/39 has been committed to trunk.