I run an authenticating reverse proxy for a web-app that we outsource to another company. So the process goes:
C=client; P=proxy; S=origin server 1 C->P: GET / (no auth) 2 P->C: 401 Auth required 3 C->P: GET / (gives auth) 4 P->S: GET / 5 S->P: stuff 6 P->C: stuff Works very nicely (thanks!) However, as a matter of principle, we don't trust S with our usernames and passwords. The problem is that they get sent in the headers in stage 4 above. There's some comment in mod_proxy.c:764 that mentions filtering out proxy authorization headers; I'm proposing to do as it suggests: patch auth_basic.c and auth_digest.c to remove matching auth and proxy-auth headers from the request object. However, I'm concerned that this approach may upset authentication within subrequests; can anyone confirm or deny this? Before I dive in and code this, are there any other possible problems or better approaches? Thanks. -- BISCAY NORTHWEST 4 OR 5, OCCASIONALLY 6 AT FIRST, BACKING WEST 3 OR 4. THUNDERY SHOWERS THEN RAIN. MODERATE OR GOOD