From Graham Leggett <minf...@sharp.fm>
Subject Re: Authentication headers
Date Thu, 06 Jul 2006 18:38:35 GMT
Andrew Stribblehill wrote:

> I run an authenticating reverse proxy for a web-app that we outsource
> to another company. So the process goes:
> 
> C=client; P=proxy; S=origin server
> 
> 1 C->P: GET / (no auth)
> 2 P->C: 401 Auth required
> 3 C->P: GET / (gives auth)
> 4  P->S: GET /
> 5  S->P: stuff
> 6 P->C: stuff
> 
> Works very nicely (thanks!). However, as a matter of principle, we
> don't trust S with our usernames and passwords. The problem is that
> they get sent in the headers in stage 4 above.
> 
> There's some comment in mod_proxy.c:764 that mentions filtering out
> proxy authorization headers; I'm proposing to do as it suggests:
> patch auth_basic.c and auth_digest.c to remove matching auth and
> proxy-auth headers from the request object.
> 
> However, I'm concerned that this approach may upset authentication
> within subrequests; can anyone confirm or deny this?

I would suggest making this a configurable option, with the default 
being the current behaviour.

This is something that could definitely use a definitive solution.

Regards,
Graham
--
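The header-stripping approach discussed above, written as an added httpd configuration example rather than code from the thread or from httpd's own documentation: it uses mod_headers to drop the credentials after the proxy has authenticated the client and before mod_proxy builds the request to the origin. Hostnames, file paths and the realm name are placeholders; it does not settle the subrequest question raised in the quoted mail.

```apache
# Added example: P authenticates C, then strips the credentials
# before mod_proxy forwards the request to the outsourced origin S.
# Paths, hostnames and the realm name are placeholders.
LoadModule headers_module modules/mod_headers.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

<Location />
    # Stages 1-3: P challenges C and checks the Basic credentials here.
    AuthType Basic
    AuthName "Outsourced application"
    AuthUserFile /etc/httpd/passwd/outsourced.htpasswd
    Require valid-user

    # Stage 4: forward to S. RequestHeader runs in the fixup phase by
    # default, i.e. after the auth module has consumed the header and
    # before mod_proxy assembles the outgoing request, so S never
    # receives the username and password. If your httpd supports the
    # 'early' keyword, do not use it here: that would remove the
    # header before the authentication check has seen it.
    RequestHeader unset Authorization
    RequestHeader unset Proxy-Authorization

    ProxyPass http://app.vendor.example/
    ProxyPassReverse http://app.vendor.example/
</Location>
```

Check the effect from the origin side (a request dump or access log on S) to confirm that no Authorization header arrives while the client is still challenged with a 401 at P.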
