httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jeff Trawick <traw...@gmail.com>
Subject [RFC] CGIPassHeader Authorization|Proxy-Authorization|...
Date Sat, 16 Aug 2014 20:16:07 GMT
This core directive would be used to modify the processing of
ap_add_common_vars() to pass through Authorization or Proxy-Authorization
as HTTP_foo.  (Nothing else is currently blocked, so any other header name
wouldn't make sense.)

This directive would be configurable at the directory level, but not in
htaccess.

Various mods (mod_fastcgi, mod_fcgid, mod_wsgi, etc.) have ways to pass
this information through; bug 56855 has a patch to add it to mod_proxy_fcgi
too.  With that patch in place, at least mod_proxy_scgi in our tree still
couldn't front an app that wants to handle Basic auth.  It would be good to
consolidate over time the code/documentation around suppressing
*Authorization.

Some concerns: Processing it in ap_add_common_vars() is not finely scoped
to natural users of the data; e.g., mod_include and mod_ext_filter would
see it.  At the same time, not allowing it in htaccess may negate its
usefulness in some environments.

Thoughts?

-- 
Born in Roswell... married an alien...
http://emptyhammock.com/

Mime
View raw message