httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bud P. Bruegger" <...@comune.grosseto.it>
Subject [users@httpd] authenticating reverse proxy
Date Fri, 08 Apr 2005 15:14:20 GMT
I am seeking advice on how to configure an Apache 2 reverse proxy that 
handles authentication for a numer of http servers behind it.  So far, I 
managed to set up a reverse proxy that handles authentication (currently 
http basic for testing, later X.509 and combinations).

What I have problems with is how to propagate authentication information 
(REMOTE_USER, AUTH_TYPE, and possibly some SSL specific data) to the httpd 
that is "protected" by the reverse proxy.  Ideally, I would like a setup in 
which the http/application server behind the proxy behaves as if it had 
performed HTTP Basic Authentication itself.  This way, any kind of dynamic 
application (cgi, php, tomcat, zope, twisted, etc.) would be able to use 
its standard authentication APIs.  Ideally, I would like to find an 
approach that works with various kinds of http daemons or at least one that 
requires only simple interventions on the httpds (i.e., better 
configuration than a custom module that has to be written for any type of 
httpd).

I have made initial experiments using RequestHeader (from mod-headers) to 
propagate the info.  But I currently don't manage to access the REMOTE_USER 
environment variable on the proxy (RequestHeader add PropagatedRemoteUser 
"%{REMOTE_USER}e" fails to propagate any value).  Also, I don't know 
whether it is possible to use mod-headers  on the "protected" httpd 
(assuming it is Apache) to copy this propagated value to REMOTE_USER.  But 
probably there are better approaches in the first place.

many thanks in advance for any input and guidance

kind regards

-bud




-------------------------------------------------------------------------------------------------
Ing. Bud P. Bruegger, Ph.D.                 +39-0564-488577 
(voice),  -21139 (fax)
Servizio Elaborazione Dati                    e-mail:  bud@comune.grosseto.it
Comune di 
Grosseto                            http://www.comune.grosseto.it/cie/
Via Ginori, 
43                                      http://OpenPortalGuard.sf.net
58100 Grosseto (Tuscany, Italy)           jabber:  bud@amessage.info

Free Software in Public Administration:  not just a good idea, but a necessity

Perfection is attained, not when there is nothing more to be added, but 
when there is nothing more to be taken away -- Antoine de Saint-Exupery 


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message