Posted to dev@httpd.apache.org by Andrew Stribblehill <a....@durham.ac.uk> on 2006/07/06 17:15:44 UTC

Authentication headers

I run an authenticating reverse proxy for a web-app that we outsource
to another company. So the process goes:

C=client; P=proxy; S=origin server

1 C->P: GET / (no auth)
2 P->C: 401 Auth required
3 C->P: GET / (gives auth)
4  P->S: GET /
5  S->P: stuff
6 P->C: stuff

Works very nicely (thanks!) However, as a matter of principle, we
don't trust S with our usernames and passwords. The problem is that
they get sent in the headers in stage 4 above.

There's some comment in mod_proxy.c:764 that mentions filtering out
proxy authorization headers; I'm proposing to do as it suggests:
patch auth_basic.c and auth_digest.c to remove matching auth and
proxy-auth headers from the request object.

However, I'm concerned that this approach may upset authentication
within subrequests; can anyone confirm or deny this?

Before I dive in and code this, are there any other possible problems
or better approaches?

Thanks.

-- 
BISCAY
NORTHWEST 4 OR 5, OCCASIONALLY 6 AT FIRST, BACKING WEST 3 OR 4.
THUNDERY SHOWERS THEN RAIN. MODERATE OR GOOD

Re: Authentication headers

Posted by Ruediger Pluem <rp...@apache.org>.

On 07/06/2006 08:38 PM, Graham Leggett wrote:
> Andrew Stribblehill wrote:
> 
>> I run an authenticating reverse proxy for a web-app that we outsource
>> to another company. So the process goes:
>>
>> C=client; P=proxy; S=origin server
>>
>> 1 C->P: GET / (no auth)
>> 2 P->C: 401 Auth required
>> 3 C->P: GET / (gives auth)
>> 4  P->S: GET /
>> 5  S->P: stuff
>> 6 P->C: stuff
>>
>> Works very nicely (thanks!) However, as a matter of principle, we
>> don't trust S with our usernames and passwords. The problem is that
>> they get sent in the headers in stage 4 above.
>>
>> There's some comment in mod_proxy.c:764 that mentions filtering out
>> proxy authorization headers; I'm proposing to do as it suggests:
>> patch auth_basic.c and auth_digest.c to remove matching auth and
>> proxy-auth headers from the request object.
>>
>> However, I'm concerned that this approach may upset authentication
>> within subrequests; can anyone confirm or deny this?
> 
> 
> I would suggest making this a configurable option, with the default
> being the current behaviour.
> 
> This is something that could definitely use a definitive solution.

I think we already have something similar :-)

mod_headers

RequestHeader unset Authorization

should solve this in your case. It just does not provide automation for
auth requests that come from the backend and thus should receive the Authorization
header.

Regards

Rüdiger
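
The mod_headers approach above, written out as a complete reverse-proxy configuration. This is an added example for this page, not a configuration posted by anyone in the thread; the hostnames, the password file path and the realm name are assumed values, and it needs mod_proxy, mod_proxy_http, mod_headers and mod_auth_basic loaded.

```apache
# Added example: P authenticates the client itself (steps 1-3 in the
# thread) and strips the client's credentials before the request is
# forwarded to S (step 4). Hostnames and paths here are assumed.
<VirtualHost *:443>
    ServerName app.example.org              # assumed name for P

    # Reverse proxy only; never act as a forward proxy.
    ProxyRequests Off
    ProxyPass        / http://backend.example.net/    # assumed name for S
    ProxyPassReverse / http://backend.example.net/

    <Location />
        # Authentication is done at the proxy, against a local file.
        AuthType Basic
        AuthName "Proxy login"
        AuthBasicProvider file
        AuthUserFile /etc/httpd/proxy.passwd        # assumed path
        Require valid-user

        # Remove the client's credentials from the request that goes to S.
        # Without the "early" keyword, RequestHeader runs in the fixup
        # phase, which is after mod_auth_basic has already checked the
        # header, so the proxy's own authentication keeps working.
        # Do NOT add "early" here: it would strip the header before
        # authentication runs and every request would get a 401.
        RequestHeader unset Authorization
        RequestHeader unset Proxy-Authorization
    </Location>
</VirtualHost>
```

Checking it is a matter of watching S's access log (or a packet capture between P and S) for the absence of an Authorization header while the client still gets a 401 on the first request and content on the second. The limitation Rüdiger mentions remains: if S needs a credential of its own, it has to be supplied by the proxy explicitly, for instance with `RequestHeader set Authorization "Basic <placeholder for a backend service credential>"` placed after the `unset` lines, so that S sees a fixed service account rather than the user's password.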



Re: Authentication headers

Posted by Graham Leggett <mi...@sharp.fm>.
Andrew Stribblehill wrote:

> I run an authenticating reverse proxy for a web-app that we outsource
> to another company. So the process goes:
> 
> C=client; P=proxy; S=origin server
> 
> 1 C->P: GET / (no auth)
> 2 P->C: 401 Auth required
> 3 C->P: GET / (gives auth)
> 4  P->S: GET /
> 5  S->P: stuff
> 6 P->C: stuff
> 
> Works very nicely (thanks!) However, as a matter of principle, we
> don't trust S with our usernames and passwords. The problem is that
> they get sent in the headers in stage 4 above.
> 
> There's some comment in mod_proxy.c:764 that mentions filtering out
> proxy authorization headers; I'm proposing to do as it suggests:
> patch auth_basic.c and auth_digest.c to remove matching auth and
> proxy-auth headers from the request object.
> 
> However, I'm concerned that this approach may upset authentication
> within subrequests; can anyone confirm or deny this?

I would suggest making this a configurable option, with the default 
being the current behaviour.

This is something that could definitely use a definitive solution.

Regards,
Graham
--