state management/nginx machinery - there's a fair amount of painful parsing code devoted to unpacking the key/value fields in the Authorize header. i have to believe i'm just unaware of an nginx built-in of some sort that will do this part for me. however the docs only led me to a string-level representation of the header. - there should be a directive letting you specify that only particular users in a realm may log in. how to handle wildcards though; maybe "*" or "any"? "_" or "none"? rfc 2617 - currently lacks backward compatibility with clients that don't provide `qop' fields in the Authorize header. according to the rfc the server should work without it, but is it worth supporting the less secure version of an already not-bulletproof authentication scheme? - should the 401 response also offer a basic auth option if that module is also enabled for a given location block? is there a way for one module to read another's config to detect the overlap? or is this a module-loading-order issue (c.f., the way the fancy_index module inserts itself before the built-in autoindex module in its HTTP_MODULES config var)? - the opaque field is not used when generating challenges, nor is it validated when included in an authentication request. is this a significant omission? the spec makes it seem as though it only exists as a convenience to stash state in, but i could believe some software out there depends upon it... - apparently (older?) versions of internet explorer don't obey the spec when dealing with paths that contain a query string. the client should include the query in the url used to compute the digest, but IE truncates it at the question mark. see ‘current browser issues’ comment here for details: http://www.xiven.com/sourcecode/digestauthentication.php general (in)security - OOM conditions in the shm segment are not handled at all well at the moment leading to an easy DOS attack (presuming the shm size is set low enough to be exhaustible within the timeout + expire interval). Valid nonces are added to the shm and expired seconds or minutes later. Once the shm is full no new nonces can be remembered and all auth attempts will fail until enough space has been claimed through expiration. Resizing the shm at runtime is somewhat daunting so for the moment the ‘solution’ is to make sure the shm size is at the upper end of the number of requests nginx could plausibly serve within the expiration interval.