The issue is observed when a guest user tries to access a page that requires authentication (such as a private course, for example) and the request contains HTTP_RANGE header. Regardless if the user is using a proxy or not, a '407 Proxy Authentication Required' error is returned to the browser instead of informing the visitor they need to login or redirecting them to the login page.
- Make sure you are not logged-in Moodle system.
- Modify your request to include any HTTP_RANGE header
- Visit a course that is not public and requires authentication
- Observe the 407 Proxy Authentication Required error being returned
This is happening because we have the following code added to lib/moodlelib.php, inside require_login() function body:
and later in the file, because $preventredirect is true, the code throws an exception instead of performing a redirect:
which is eventually catched by the error handler in lib/outputrenderers.php which returns the 407 error page, because it detects there is an HTTP_RANGE header in the request.
Even though the comment in lib/moodlelib.php suggests that there is already byteserving in progress, this is not really the case and the client should be able to handle redirects on that point (unless the response is returned with a 206 Partial Content code, in which case it cannot do a proper redirect). Tested with both Firefox and Chrome latest versions and both clients were able to pickup and execute the redirect with an HTTP_RANGE header in place.
A possible, easy solution to the problem would be to either remove the HTTP_RANGE 'if' in the lib/moodlelib.php file or modify it and check if it is an initial request (i.e. the value of HTTP_RANGE header starts with 0).