Andrew Stribblehill wrote:
I run an authenticating reverse proxy for a web-app that we outsource to another company. So the process goes:C=client; P=proxy; S=origin server 1 C->P: GET / (no auth) 2 P->C: 401 Auth required 3 C->P: GET / (gives auth) 4 P->S: GET / 5 S->P: stuff 6 P->C: stuff Works very nicely (thanks!) However, as a matter of principle, we don't trust S with our usernames and passwords. The problem is that they get sent in the headers in stage 4 above. There's some comment in mod_proxy.c:764 that mentions filtering out proxy authorization headers; I'm proposing to do as it suggests: patch auth_basic.c and auth_digest.c to remove matching auth and proxy-auth headers from the request object. However, I'm concerned that this approach may upset authentication within subrequests; can anyone confirm or deny this?
I would suggest making this a configurable option, with the default being the current behaviour.
This is something that could definitely use a definitive solution. Regards, Graham --
smime.p7s
Description: S/MIME Cryptographic Signature
