apr-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andrew Stribblehill <a.d.stribbleh...@durham.ac.uk>
Subject Authentication headers
Date Thu, 06 Jul 2006 13:36:23 GMT
I run an authenticating reverse proxy for a web-app that we outsource
to another company. So the process goes:

C=client; P=proxy; S=origin server

1 C->P: GET / (no auth)
2 P->C: 401 Auth required
3 C->P: GET / (gives auth)
4  P->S: GET /
5  S->P: stuff
6 P->C: stuff

Works very nicely (thanks!) However, as a matter of principle, we
don't trust S with our usernames and passwords. The problem is that
they get sent in the headers in stage 4 above.

There's some comment in mod_proxy.c:764 that mentions filtering out
proxy authorization headers; I'm proposing to do as it suggests:
patch auth_basic.c and auth_digest.c to remove matching auth and
proxy-auth headers from the request object.

However, I'm concerned that this approach may upset authentication
within subrequests; can anyone confirm or deny this?

Before I dive in and code this, are there any other possible problems
or better approaches?

Thanks.

-- 
BISCAY
NORTHWEST 4 OR 5, OCCASIONALLY 6 AT FIRST, BACKING WEST 3 OR 4.
THUNDERY SHOWERS THEN RAIN. MODERATE OR GOOD

Mime
View raw message