httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Hayo Schmidt <>
Subject [users@httpd] Authorization header without password for basic authentication on a reverse proxy
Date Thu, 09 Feb 2006 11:15:57 GMT
I have set up a reverse proxy (mod_proxy) on Apache 2.0.53 on SuSE Linux 
9.3. The reverse proxy successfully handles basic authentication and 
then forwards to the protected web server. The authentication is handled 
by mod_auth_ldap against a M$ Active Directory Server.

The user and password are transferred by standard apache functionality 
in a http request header parameter called 'authorization'. The value of 
the parameter looks something like this:  'Basic WErwSrweW4Dsaf3_'. The 
first means basic authentication, the latter is '<userid>:<password>' in 
a Base64-encoded format. I trust the authentication on Apache and would 
like to remove this unencrypted password, so that only the userid is 
transferred to the web server. It is a security issue not to disclose 
the password to anyone behind the reverse proxy.

Is there any configuration where this can be set?

In case it cannot be configured: Which module of apache handles setting 
the authorization header? I did not find anything in the 2.0 sources 
(mod_proxy.c; mod_proxy_util.c; mod_proxy_http.c;mod_auth_ldap.c....). 
Are there useful changes with Apache 2.2?

Hayo Schmidt

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message