RE: [users@httpd] reverse proxy with 2 level basic authentication

> -----Original Message-----
> From: Rob Baxter [mailto:rbaxter@xxxxxxxxxxx]
> Sent: Thursday, 2 June 2005 23:34
> To: users@xxxxxxxxxxxxxxxx
> Subject: [users@httpd] reverse proxy with 2 level basic authentication
> 
> 
> I have inherited a project where I am trying to configure Apache2 to be a reverse proxy to an Exchange Server with Outlook Web Access/Outlook Mobile Access. The security requirements dictate that there be 2 layers of authentication. First the user must authenticate to the proxy and then to the Exchange server. The proxy is using basic authentication and for normal web browsers this setup is working fine as the OWA is using Windows Forms Authentication.
> 
> The problem is that apparently the PDAs this organization is using don't have a browser that plays nice with Windows Forms so I was asked to configure the proxy to support another layer of basic authentication. However, I don't see how this is going to work. What I am seeing now is that the proxy is passing the credentials for the first layer (itself) to the Exchange server even though the browser does correctly prompt you for two different sets of credentials.

What's really happening is the following:

- browser requests URL
- docroot is protected so proxy responds 401
- browser prompts for credentials, resends request with creds.
- proxy receives request, sees it's for back-end server
- proxy sends request to back-end
- back-end responds 401
- proxy sends 401 to browser
- browser prompts again

... now it all goes pear-shaped. The browser got a 401 back the first time it tried to contact the server so it now thinks that everything on that server is part of the realm and will require credentials. So it sends the first login creds with every subsequent request. Now it finds it gets a second 401! The HTTP protocol only supports a single layer of basic authentication so the browser no longer knows which realm the password refers to. 

Usually this happens when people try to nest realms, e.g.:

<Location /secret>
  AuthName "secret place"
  etc...
</Location>

<Location /secret/really>
  AuthName "really secret place"
  etc...
</Location>

The browser attaches the first creds to the path /secret. So when the user requests /secret/really, the browser is baffled - it's still under /secret so should get the first creds, so it can't understand why it gets a 401. Even if it sends the second creds with the request, the server might not let it through the first Location block. The results are usually browser and server dependent...

Returning to your problem, a solution would be to implement session-based authentication on the proxy (i.e. a CGI form that gives the browser a cookie) and then leave the basic auth on the backend. Session handling is not trivial but there are many off-the-shelf applications in Perl, PHP etc. that would do the trick.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 



> I'd really appreciate it if someone could tell me if what I am trying to do is even possible or if I am wasting my time. Thanks in advance.
> 
> </rob>
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP 
> Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
> 
> 
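The following is an added example, not code from the thread or from the Apache project. It models in Python the exchange Owen walks through above (browser, reverse proxy, back-end, each answering with a Basic 401), and then the fix he proposes (a cookie session on the proxy, Basic auth left on the back-end). The browser model follows the RFC 2617/7617 rule that after a 401 the client caches the credentials it was given for that realm and sends them pre-emptively on every later request under the same path prefix. Accounts, paths, the `/login` form and the HMAC-signed cookie are constructed stand-ins for the "off-the-shelf" session handling the reply mentions; `run("basic")` shows the two realms overwriting each other at the same prefix so the request never succeeds, `run("session")` shows the cookie path reaching 200.

```python
"""Model of the exchange Owen describes: a browser, a reverse proxy and a back-end that
each speak HTTP Basic auth, then the same setup with a cookie session on the proxy.
Added example: accounts, paths and the cookie scheme are constructed for illustration."""
import base64
import hashlib
import hmac
import secrets

PROXY_REALM, BACKEND_REALM = "proxy", "exchange"
PROXY_USERS = {"alice": "proxy-pw"}     # constructed sample accounts
BACKEND_USERS = {"alice": "mail-pw"}
SESSION_KEY = secrets.token_bytes(32)   # proxy-side secret used to sign session cookies

def basic_value(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def basic_ok(header, users):
    """True if an Authorization header carries a valid user:password for this user table."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(header[6:]).decode().partition(":")
    except ValueError:
        return False
    return users.get(user) == password

def challenge(realm):
    return 401, {"WWW-Authenticate": f'Basic realm="{realm}"'}, ""

def backend(path, headers):
    """Stand-in for OWA on the PDA path: Basic auth in its own realm."""
    if basic_ok(headers.get("Authorization"), BACKEND_USERS):
        return 200, {}, f"mailbox for {path}"
    return challenge(BACKEND_REALM)

def session_cookie(user):
    mac = hmac.new(SESSION_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}:{mac}"

def session_ok(cookie):
    user, _, mac = (cookie or "").partition(":")
    return bool(user) and hmac.compare_digest(session_cookie(user), f"{user}:{mac}")

def proxy(mode, path, headers, form=None):
    """mode="basic": Basic auth on the proxy as well (the setup that fails in the thread).
    mode="session": a form login sets a signed cookie; Authorization passes through untouched."""
    if mode == "basic":
        if not basic_ok(headers.get("Authorization"), PROXY_USERS):
            return challenge(PROXY_REALM)
    else:
        if path == "/login":
            if form and PROXY_USERS.get(form["user"]) == form["password"]:
                return 200, {"Set-Cookie": "sid=" + session_cookie(form["user"])}, "logged in"
            return 403, {}, "bad login"
        if not session_ok(headers.get("Cookie", "").removeprefix("sid=")):
            return 302, {"Location": "/login"}, ""
    return backend(path, headers)       # the proxy never rewrites Authorization

def browser(mode, path, creds_by_realm, max_rounds=6):
    """RFC 2617/7617 client: after a 401 it "prompts" for the realm named and then sends
    those credentials pre-emptively on every request under the same path prefix. Basic gives
    one Authorization slot per prefix, so a second realm at the same prefix overwrites the first."""
    cached, cookies, statuses = {}, {}, []    # cached: path prefix -> (realm, Authorization)
    for _ in range(max_rounds):
        headers = {}
        for prefix, (_, value) in cached.items():
            if path.startswith(prefix):
                headers["Authorization"] = value
        if cookies:
            headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in cookies.items())
        status, rhdrs, _ = proxy(mode, path, headers)
        statuses.append(status)
        if status == 200:
            return 200, statuses
        if status == 302:                       # follow the redirect to the login form
            user, password = creds_by_realm[PROXY_REALM]
            st, sh, _ = proxy(mode, rhdrs["Location"], {}, {"user": user, "password": password})
            statuses.append(st)
            name, _, value = sh["Set-Cookie"].partition("=")
            cookies[name] = value
        elif status == 401:                     # prompt for the realm in WWW-Authenticate
            realm = rhdrs["WWW-Authenticate"].split('realm="')[1].rstrip('"')
            user, password = creds_by_realm[realm]
            cached["/"] = (realm, basic_value(user, password))
    return statuses[-1], statuses

CREDS = {PROXY_REALM: ("alice", "proxy-pw"), BACKEND_REALM: ("alice", "mail-pw")}

def run(mode):
    """Returns (final status, status sequence) for one fetch of /owa/inbox."""
    return browser(mode, "/owa/inbox", CREDS)

if __name__ == "__main__":
    print("basic:  ", run("basic"))     # 401 forever: proxy and back-end realms alternate
    print("session:", run("session"))   # 302, 200 (login), 401 (back-end), 200
```

In "basic" mode the status list is nothing but 401s: each challenge replaces the single cached credential for "/", so the proxy rejects the back-end's password and the back-end rejects the proxy's, exactly the ping-pong Owen describes. In "session" mode the proxy's check rides on the cookie, leaving the one Authorization slot free for the back-end realm. A real deployment would also mark the cookie Secure and HttpOnly and give it an expiry, which this model omits.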
