httpd-dev mailing list archives

From Jeff Trawick <traw...@gmail.com>
Subject Re: [RFC] CGIPassHeader Authorization|Proxy-Authorization|...
Date Tue, 19 Aug 2014 12:06:58 GMT
On Mon, Aug 18, 2014 at 7:22 PM, Graham Leggett <minfrin@sharp.fm> wrote:

> On 16 Aug 2014, at 10:16 PM, Jeff Trawick <trawick@gmail.com> wrote:
>
> > This core directive would be used to modify the processing of
> > ap_add_common_vars() to pass through Authorization or Proxy-Authorization
> > as HTTP_foo.  (Nothing else is currently blocked, so any other header name
> > wouldn't make sense.)
> >
> > This directive would be configurable at the directory level, but not in
> > htaccess.
> >
> > Various mods (mod_fastcgi, mod_fcgid, mod_wsgi, etc.) have ways to pass
> > this information through; bug 56855 has a patch to add it to mod_proxy_fcgi
> > too.  With that patch in place, at least mod_proxy_scgi in our tree still
> > couldn't front an app that wants to handle Basic auth.  It would be good to
> > consolidate over time the code/documentation around suppressing
> > *Authorization.
> >
> > Some concerns: Processing it in ap_add_common_vars() is not finely
> > scoped to natural users of the data; e.g., mod_include and mod_ext_filter
> > would see it.  At the same time, not allowing it in htaccess may negate its
> > usefulness in some environments.
> >
> > Thoughts?
>
> Would AuthBasicFake not help here?
>
> I use it to pass basic auth credentials back when certs are being used, so
> that a backend process has access to the username and a token password.
> This allows all sorts of control over the basic auth header, you can
> suppress the password while maintaining the username, etc.
>

[Maybe I'm missing the point but] AuthBasicFake is a good solution when
authnz can be carefully managed between httpd and the application.  Passing
through Authorization as-is is important for supporting applications that
are more independent of httpd processing/configuration and are largely
blind to the reverse proxy or "container" in which they run, either because
special configuration is impractical (domain hosting service) or it breaks
the ability of the application to be painlessly dropped into different
environments.



> Regards,
> Graham
> —
>
>


-- 
Born in Roswell... married an alien...
http://emptyhammock.com/
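The application side of what the thread describes, as an added example that is not from this thread or from httpd itself: a WSGI/CGI-style handler that reads Basic credentials from HTTP_AUTHORIZATION once the front end passes the header through, and can only re-challenge with a 401 when the header was stripped. The account name, salt and hash are constructed values.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed sample account (hypothetical): a salted PBKDF2 hash is stored,
# never the plaintext password.
_SALT = b"constructed-salt"
_ROUNDS = 100_000
_USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"s3cret", _SALT, _ROUNDS)}
_DUMMY = bytes(32)  # compared against for unknown users so timing is uniform


def parse_basic_authorization(header):
    """Return (user, password) from a 'Basic <base64>' value, or None when the
    value is missing or malformed. Splits on the first ':' only, because the
    password part may itself contain colons (RFC 7617)."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def check_credentials(user, password):
    """Constant-time comparison of the derived hash against the stored one."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, _ROUNDS)
    return hmac.compare_digest(candidate, _USERS.get(user, _DUMMY))


def authenticate_cgi_environ(environ):
    """Authenticate from the CGI/WSGI environment dict. The front-end httpd
    sets HTTP_AUTHORIZATION only if it is configured to pass the header
    through; if it stripped the header, the application sees no credentials
    at all and can only re-challenge, which is the situation the thread is
    about. Returns (status, extra_headers, authenticated_user_or_None)."""
    creds = parse_basic_authorization(environ.get("HTTP_AUTHORIZATION"))
    if creds is None or not check_credentials(*creds):
        return "401 Unauthorized", [("WWW-Authenticate", 'Basic realm="app"')], None
    return "200 OK", [], creds[0]
```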
