Posted to dev@httpd.apache.org by "Ralf S. Engelschall" <rs...@engelschall.com> on 1998/06/10 16:32:11 UTC

Faking auth with proxypass? (FWD)

Please send to S.J.Hogeveen@phys.uu.nl when you have more ideas.

--------------------------------
On Wed, Jun 10, 1998, Sake Hogeveen <S.J.Hogeveen@phys.uu.nl> wrote:

> I would like to make an electronic journal, served to the Web by
> a publisher, "part" of our library web server, by using the Apache
> ProxyPass option.
> 
> The publisher's server is password protected (you have to pay your
> subscription). The faculty has paid for its subscription, and I
> want to serve the journal to our scientists (on the faculty intranet)
> without bothering them with access authorization.
> 
> I would like to add the Authorization information to the header of
> a request as it passes through our Apache proxy/server, before it is
> being passed on to the publisher's web site. I have a feeling that with
> all the options of Apache this should be possible. However, I haven't
> been able to figure out how yet.
> 
> Could you help me solve this problem?

I've no ready solution at hand but perhaps mod_headers can be used inside a
<Location> section to fake the auth headers. I'll forward your mail to the
other Apache developers. Perhaps someone already knows the solution.

                                       Ralf S. Engelschall
                                       rse@engelschall.com
                                       www.engelschall.com
--------------------------------

Re: Faking auth with proxypass? (FWD)

Posted by Ben Laurie <be...@algroup.co.uk>.
Ralf S. Engelschall wrote:
> 
> Please send to S.J.Hogeveen@phys.uu.nl when you have more ideas.
> 
> --------------------------------
> On Wed, Jun 10, 1998, Sake Hogeveen <S.J.Hogeveen@phys.uu.nl> wrote:
> 
> > I would like to make an electronic journal, served to the Web by
> > a publisher, "part" of our library web server, by using the Apache
> > ProxyPass option.
> >
> > The publisher's server is password protected (you have to pay your
> > subscription). The faculty has paid for its subscription, and I
> > want to serve the journal to our scientists (on the faculty intranet)
> > without bothering them with access authorization.
> >
> > I would like to add the Authorization information to the header of
> > a request as it passes through our Apache proxy/server, before it is
> > being passed on to the publisher's web site. I have a feeling that with
> > all the options of Apache this should be possible. However, I haven't
> > been able to figure out how yet.
> >
> > Could you help me solve this problem?
> 
> I've no ready solution at hand but perhaps mod_headers can be used inside a
> <Location> section to fake the auth headers. I'll forward your mail to the
> other Apache developers. Perhaps someone already knows the solution.

What's wrong with:

Satisfy any
allow from <address of proxy>

in the config of the real server, not the proxy, of course??

Cheers,

Ben.

-- 
Ben Laurie            |Phone: +44 (181) 735 0686| Apache Group member
Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org/
and Technical Director|Email: ben@algroup.co.uk |
A.L. Digital Ltd,     |Apache-SSL author     http://www.apache-ssl.org/
London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache/

WE'RE RECRUITING! http://www.aldigital.co.uk/recruit/

Re: Faking auth with proxypass? (FWD)

Posted by Alvaro Martinez Echevarria <al...@lander.es>.
Hi there.

On Wed, 10 Jun 1998, Dirk-Willem van Gulik wrote:
> Of course the 'real' solution is to inform the publisher; and have
> her use 'satisfy any' with an 'allow from ip-range/proxy' combined with
> the 'username/passwd' checking. That also fits better with the payment
> model exercised by the publisher.
> Dw.

Well, that's not a realistic solution in most situations. You
can't go and ask another company to change their server
configuration. Also there are companies out there offering
information access services through non-standard authentication
methods, say a FORM/CGI and a session cookie. I know well this
scenario: several months ago I implemented a solution for this
problem using Apache 1.2.X, for a large corporation that wanted
to grant to some of their employees access to several huge web
databases (actually, some of their users, but not all).

First, I had to program a proxy auth module for 1.2.X, and to do
it cleanly I had to add a new phase to request handling. I did it
that way to allow Apache to perform simultaneous proxy and server
authentication, something impossible under the actual scheme, but
that could be necessary given that apache can act as both a proxy
and an origin server. In fact I wanted the modified server to
_always_ authenticate as a proxy, even for accesses to the local
server, because that way I could use that authentication info (as
a new CGI environment variable, "REMOTE_PROXY_USER") in several CGIs
that were used to control the behaviour of the system.

I also had to program some extra stuff to support the different
authentication methods that could be found: several CGIs (one of
them, for example, could do POSTs to the remote servers to
accomplish the needed authentication), and an authentication
translation module (which replaced the mandatory internal proxy
authentication headers for the correct external auth info).

In your particular case, I don't know if the solution Ralf
proposed would work ("Header" into "<Location>" section), but it
would be very easy to program a tiny module doing exactly what
you want. It could look like this in the config:

<Location http://www.whatever.com/>
SetBasicAuth "myuser" "mypassword"
</Location>

Hope this helps.
Regards.
[PS: for the developers list: maybe this could be a nice feature
to add in the future, although probably in a more complex and
useful way; any thoughts about it? And by the way, for 2.0 I'd
love to see a separate phase for proxy auth. I guess that's a
matter for a different discussion]

.------------------------------------------------------------------.
|   Alvaro Martínez Echevarría   |      LANDER SISTEMAS            |
|        alvaro@lander.es        |      Pº Castellana, 121         |
`--------------------------------|      28046 Madrid, SPAIN        |
                                 |      Tel: +34-91-5562883        |
                                 |      Fax: +34-91-5563001        |
                                 `---------------------------------'

> 
> On Wed, 10 Jun 1998, Ralf S. Engelschall wrote:
> 
> > 
> > Please send to S.J.Hogeveen@phys.uu.nl when you have more ideas.
> > 
> > --------------------------------
> > On Wed, Jun 10, 1998, Sake Hogeveen <S.J.Hogeveen@phys.uu.nl> wrote:
> > 
> > > I would like to make an electronic journal, served to the Web by
> > > a publisher, "part" of our library web server, by using the Apache
> > > ProxyPass option.
> > > 
> > > The publisher's server is password protected (you have to pay your
> > > subscription). The faculty has paid for its subscription, and I
> > > want to serve the journal to our scientists (on the faculty intranet)
> > > without bothering them with access authorization.
> > > 
> > > I would like to add the Authorization information to the header of
> > > a request as it passes through our Apache proxy/server, before it is
> > > being passed on to the publisher's web site. I have a feeling that with
> > > all the options of Apache this should be possible. However, I haven't
> > > been able to figure out how yet.
> > > 
> > > Could you help me solve this problem?
> > 
> > I've no ready solution at hand but perhaps mod_headers can be used inside a
> > <Location> section to fake the auth headers. I'll forward your mail to the
> > other Apache developers. Perhaps someone already knows the solution.
> > 
> >                                        Ralf S. Engelschall
> >                                        rse@engelschall.com
> >                                        www.engelschall.com
> > --------------------------------
> > 
> 
> 
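
Added example (not part of the original thread, and not code from any of its authors): the header-injection idea discussed above, written with directives from later Apache releases (RequestHeader from 2.0, Require ip from 2.4) that did not exist when this thread was written. The local hostname, the /journal/ path and the 192.0.2.0/24 range are assumed placeholders; the upstream host and the credentials are the placeholder values from Alvaro's message.

```apache
# Added illustration; requires mod_proxy, mod_proxy_http, mod_headers
# and mod_authz_host. All names and addresses are placeholders.
<VirtualHost *:80>
    ServerName library.example.edu

    # Reverse proxy only: never act as an open forward proxy.
    ProxyRequests Off
    ProxyPass        "/journal/" "http://www.whatever.com/"
    ProxyPassReverse "/journal/" "http://www.whatever.com/"

    <Location "/journal/">
        # The proxy holds a shared credential, so admit only the
        # intranet range (placeholder) to the proxied path.
        Require ip 192.0.2.0/24

        # "set" replaces any Authorization header sent by the client
        # with the subscription credential before the request is
        # forwarded. Value is base64("myuser:mypassword").
        RequestHeader set Authorization "Basic bXl1c2VyOm15cGFzc3dvcmQ="
    </Location>
</VirtualHost>
```

Every client the proxy admits uses the same upstream credential, so the Require ip line is the only access control on it. Over a plain http:// upstream the header is only base64-encoded, not encrypted.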



Re: Faking auth with proxypass? (FWD)

Posted by Dirk-Willem van Gulik <di...@jrc.it>.
Of course the 'real' solution is to inform the publisher; and have
her use 'satisfy any' with an 'allow from ip-range/proxy' combined with
the 'username/passwd' checking. That also fits better with the payment
model exercised by the publisher.

Dw.

On Wed, 10 Jun 1998, Ralf S. Engelschall wrote:

> 
> Please send to S.J.Hogeveen@phys.uu.nl when you have more ideas.
> 
> --------------------------------
> On Wed, Jun 10, 1998, Sake Hogeveen <S.J.Hogeveen@phys.uu.nl> wrote:
> 
> > I would like to make an electronic journal, served to the Web by
> > a publisher, "part" of our library web server, by using the Apache
> > ProxyPass option.
> > 
> > The publisher's server is password protected (you have to pay your
> > subscription). The faculty has paid for its subscription, and I
> > want to serve the journal to our scientists (on the faculty intranet)
> > without bothering them with access authorization.
> > 
> > I would like to add the Authorization information to the header of
> > a request as it passes through our Apache proxy/server, before it is
> > being passed on to the publisher's web site. I have a feeling that with
> > all the options of Apache this should be possible. However, I haven't
> > been able to figure out how yet.
> > 
> > Could you help me solve this problem?
> 
> I've no ready solution at hand but perhaps mod_headers can be used inside a
> <Location> section to fake the auth headers. I'll forward your mail to the
> other Apache developers. Perhaps someone already knows the solution.
> 
>                                        Ralf S. Engelschall
>                                        rse@engelschall.com
>                                        www.engelschall.com
> --------------------------------
>