httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tom Evans <tevans...@googlemail.com>
Subject Re: SSLUserName -> mod_auth_user
Date Wed, 23 Apr 2014 11:15:53 GMT
On Mon, Apr 21, 2014 at 12:38 PM, Graham Leggett <minfrin@sharp.fm> wrote:
> Hi all,
>
> Right now, we have the SSLUserName directive, which takes an arbitrary SSL variable and
turns it into a username for the benefit of the request. This has the downside that only SSL
variables (and some CGI variables) are usable as usernames, and it combines with FakeBasicAuth
to create undesirable side effects.
>
> What would be cleaner is if we deprecate SSLUserName and create a mod_auth_user.c module
that declares AuthType User, and then offers a AuthUser directive that sets the user based
on an arbitrary expression from ap_expr.h. This will make client certificates easier to work
with, and provide options for authentication that aren't based purely on logins, such as tokens
in URLs, etc.
>
> Thoughts?

As a user, I was using SSLUserName to determine identity. This worked
great when SSL termination happened on the same server as the
application, but when I terminated SSL on a reverse proxy and proxied
the request to a backend server, there was seemingly no way to fill
r->user on the backend, eg from a named header passed from the reverse
proxy.

I fixed this with a noddy module that did that - pulled the value of a
header and puts it into r->user.

It would be good if there is a default module that could support that also.

Cheers

Tom

Mime
View raw message