httpd-dev mailing list archives

From Ruediger Pluem <rpl...@apache.org>
Subject Re: Authentication headers
Date Thu, 06 Jul 2006 20:46:40 GMT


On 07/06/2006 08:38 PM, Graham Leggett wrote:
> Andrew Stribblehill wrote:
> 
>> I run an authenticating reverse proxy for a web-app that we outsource
>> to another company. So the process goes:
>>
>> C=client; P=proxy; S=origin server
>>
>> 1 C->P: GET / (no auth)
>> 2 P->C: 401 Auth required
>> 3 C->P: GET / (gives auth)
>> 4  P->S: GET /
>> 5  S->P: stuff
>> 6 P->C: stuff
>>
>> Works very nicely (thanks!) However, as a matter of principle, we
>> don't trust S with our usernames and passwords. The problem is that
>> they get sent in the headers in stage 4 above.
>>
>> There's some comment in mod_proxy.c:764 that mentions filtering out
>> proxy authorization headers; I'm proposing to do as it suggests:
>> patch auth_basic.c and auth_digest.c to remove matching auth and
>> proxy-auth headers from the request object.
>>
>> However, I'm concerned that this approach may upset authentication
>> within subrequests; can anyone confirm or deny this?
> 
> 
> I would suggest making this a configurable option, with the default
> being the current behaviour.
> 
> This is something that could definitely use a definitive solution.

I think we already have something similar :-)

mod_headers

RequestHeader unset Authorization

should solve this in your case. It just does not provide any automation for
auth requests that come from the backend and thus should receive the Authorization
header.

Regards

Rüdiger
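Added illustration (not part of the thread, and not from the httpd project itself): the configuration shape Rüdiger's suggestion implies for Andrew's C->P->S flow. The proxy authenticates the client with mod_auth_basic (steps 1-3), then mod_headers drops the Authorization header before mod_proxy forwards the request (step 4). The hostnames, the path /backend-auth/ and the htpasswd location are assumptions. The exempt Location at the end is the manual handling Rüdiger says is not automated: a path where the backend does its own challenge and therefore must receive the client's credentials. Access-control syntax is httpd 2.2 (the era of the thread); on 2.4 the Satisfy/Order/Allow lines become Require all granted.

```apache
# Added example, not from the thread. backend.example.net, app.example.org,
# /backend-auth/ and the htpasswd path are assumptions.
LoadModule headers_module    modules/mod_headers.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

# Mark requests that the backend must authenticate itself.
SetEnvIf Request_URI ^/backend-auth/ keep_auth

<VirtualHost *:443>
    ServerName app.example.org
    ProxyRequests Off          # reverse proxy only; never a forward proxy
    ProxyPreserveHost On

    <Location />
        # Steps 1-3: P challenges and authenticates C itself.
        AuthType Basic
        AuthName "Outsourced app"
        AuthUserFile /etc/apache2/app.htpasswd
        Require valid-user

        # Step 4: without this, mod_proxy forwards the client's Authorization
        # header verbatim and S sees the username and password.
        # Plain (late) RequestHeader runs in the fixups phase, i.e. after
        # mod_auth_basic has already read the header, so auth still works.
        # Do NOT add "early" here: that runs before authentication and
        # mod_auth_basic would never see the credentials.
        RequestHeader unset Authorization       env=!keep_auth
        RequestHeader unset Proxy-Authorization env=!keep_auth

        ProxyPass        http://backend.example.net/
        ProxyPassReverse http://backend.example.net/
    </Location>

    # Rüdiger's caveat, handled by hand: under /backend-auth/ the backend sends
    # the 401, so P must not authenticate and must pass Authorization through.
    # The env=!keep_auth condition above leaves the header alone here.
    <Location /backend-auth/>
        Satisfy Any
        Order allow,deny
        Allow from all
    </Location>
</VirtualHost>
```

To check the result rather than trust it, point ProxyPass at a test backend whose access log includes %{Authorization}i; after a successful client login against the proxy the backend's log field should read "-" for ordinary paths and carry the Basic credential only under the exempted path.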


