Posted to users@httpd.apache.org by Joshua Slive <jo...@slive.ca> on 2003/10/22 22:29:54 UTC

[users@httpd] Re: {SPAM 03.1} [users@httpd] mod_proxy: problem with basic auth to backend server

On Tue, 21 Oct 2003 Frederik.Dahlke@ruv.de wrote:
> ProxyPass /test http://user:pass@restriced.server.com
> ProxyPassReverse /test http://user:pass@restriced.server.com

Putting user/pass in the URL is a browser hack.  The apache proxy won't
support it.

But this really shouldn't be necessary.  You can use IP-based restrictions
to allow any request from the proxy's IP address.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


[users@httpd] mod_proxy: problem with basic auth to backend server

Posted by Joshua Slive <jo...@slive.ca>.
On Fri, 24 Oct 2003, Robert Andersson wrote:
> Yet, I am reluctant to call it a browser hack, as it seems valid in an
> absolute URI, while it is the client's responsibility to parse and translate
> it for the scheme at hand.

Perhaps browser "hack" is a little strong.  But it is something that must
be resolved at the browser.  Since mod_proxy is acting as a client, it
could theoretically do that resolution.  But I can't imagine any real
situations where it would be useful.

Joshua.



Re: [users@httpd] Re: {SPAM 03.1} [users@httpd] mod_proxy: problem with basic auth to backend server

Posted by Robert Andersson <ro...@profundis.nu>.
Joshua Slive wrote:
> > I used to think so myself, but it is indeed "defined" in RFC 2396:
>
> RFC2396 defines the general format for the URI.  How it is applied to HTTP
> is defined in RFC 2616.

I stand corrected. I see now that it was a somewhat hasty conclusion,
triggered by someone (on this list, I think), claiming successful use of the
http://user:pass@host/ format in a Location header, and a quick (and
incomplete) glance at RFC 2616 where it said it "adopts the definitions of
[...] 'absoluteURI' [...] from [RFC 2396]".

If I had bothered reading the following section, 3.2.2 http URL, I
would have found:

   http_URL = "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]]

Which, obviously, does not include any userinfo part.

Yet, I am reluctant to call it a browser hack, as it seems valid in an
absolute URI, while it is the client's responsibility to parse and translate
it for the scheme at hand.

Regards,
Robert Andersson
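
Added example (not part of the original thread and not Apache httpd code): a Python check that scans an httpd configuration for ProxyPass-style backend URLs carrying a userinfo part, which the RFC 2616 http_URL rule quoted above does not include and which leaves a plaintext password in the config. The function name and the sample configuration are constructed for illustration.

```python
from urllib.parse import urlsplit

# Directives whose arguments may name a backend URL.
PROXY_DIRECTIVES = {"proxypass", "proxypassreverse", "proxypassmatch"}

# Constructed sample: the two /test directives are the ones quoted in the
# thread; the /app entry is a made-up clean line for contrast.
SAMPLE_CONFIG = "\n".join([
    "# reverse proxy section",
    "ProxyPass /test http://user:pass@restriced.server.com",
    "ProxyPassReverse /test http://user:pass@restriced.server.com",
    "ProxyPass /app http://backend.example.com/",
])


def find_userinfo_backends(config_text):
    """Return (line_no, directive, redacted_url) for every proxy backend
    URL whose authority has the RFC 2396 form  userinfo "@" hostport."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        tokens = raw.split()
        if not tokens or tokens[0].lower() not in PROXY_DIRECTIVES:
            continue  # blank line, comment, or unrelated directive
        for arg in tokens[1:]:
            try:
                parts = urlsplit(arg.strip("\"'"))
            except ValueError:
                continue  # not a parseable URL (e.g. malformed IPv6 literal)
            if parts.scheme.lower() not in ("http", "https"):
                continue  # local path, "!" exclusion, or another scheme
            if "@" in parts.netloc:
                # Keep host[:port] only, so the report never echoes the secret.
                hostport = parts.netloc.rpartition("@")[2]
                redacted = parts._replace(netloc="***@" + hostport).geturl()
                findings.append((line_no, tokens[0], redacted))
    return findings


if __name__ == "__main__":
    for line_no, directive, url in find_userinfo_backends(SAMPLE_CONFIG):
        print(f"line {line_no}: {directive} backend URL has userinfo: {url}")
```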




Re: [users@httpd] Re: {SPAM 03.1} [users@httpd] mod_proxy: problem with basic auth to backend server

Posted by Joshua Slive <jo...@slive.ca>.
On Thu, 23 Oct 2003, Robert Andersson wrote:

> Joshua Slive wrote:
> > Putting user/pass in the URL is a browser hack.  The apache proxy won't
> > support it.
>
> I used to think so myself, but it is indeed "defined" in RFC 2396:

RFC2396 defines the general format for the URI.  How it is applied to HTTP
is defined in RFC 2616.

Joshua.



Re: [users@httpd] Re: {SPAM 03.1} [users@httpd] mod_proxy: problem with basic auth to backend server

Posted by Robert Andersson <ro...@profundis.nu>.
Joshua Slive wrote:
> Putting user/pass in the URL is a browser hack.  The apache proxy won't
> support it.

I used to think so myself, but it is indeed "defined" in RFC 2396:

absoluteURI   = scheme ":" ( hier_part | opaque_part )
hier_part     = ( net_path | abs_path ) [ "?" query ]
net_path      = "//" authority [ abs_path ]
authority     = server | reg_name
server        = [ [ userinfo "@" ] hostport ]
userinfo      = *( unreserved | escaped |
                   ";" | ":" | "&" | "=" | "+" | "$" | "," )

Granted, the format and semantics of userinfo aren't defined here.

This part is also included in the apr_uri_t structure, as the user and
password members, which in turn is used in the request_rec structure.
However, I am very sceptical about (ab)using this the way the OP wanted, as it
would introduce inconsistency.

Regards,
Robert Andersson

