[users@httpd] Authorization header without password for basic authentication on a reverse proxy

I have set up a reverse proxy (mod_proxy) on Apache 2.0.53 on SuSE Linux 9.3. The reverse proxy successfully handles basic authentication and then forwards to the protected web server. The authentication is handled by mod_auth_ldap against a M$ Active Directory Server.

The user and password are transferred by standard Apache functionality in an HTTP request header parameter called 'authorization'. The value of the parameter looks something like this: 'Basic WErwSrweW4Dsaf3_'. The first part means basic authentication; the latter is '<userid>:<password>' in a Base64-encoded format. I trust the authentication on Apache and would like to remove this unencrypted password, so that only the userid is transferred to the web server. It is a security issue not to disclose the password to anyone behind the reverse proxy.

Is there any configuration where this can be set?

In case it cannot be configured: which module of Apache handles setting the authorization header? I did not find anything in the 2.0 sources (mod_proxy.c; mod_proxy_util.c; mod_proxy_http.c; mod_auth_ldap.c...). Are there useful changes with Apache 2.2?

Hayo Schmidt

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
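
The header format described in the message, as an added example that is not part of the original post and is not Apache code: it decodes a Basic `Authorization` value to show that the password is recoverable by anything that receives the header, then builds the header set a proxy would forward with only the userid. The function names, the `X-Remote-User` header name and the sample credentials are assumptions constructed for illustration, and the code assumes the proxy has already authenticated the request.

```python
import base64
import binascii

# Constructed sample credentials; the password deliberately contains a colon.
SAMPLE = "Basic " + base64.b64encode(b"jdoe:s3cret:pw").decode("ascii")


def parse_basic(header_value):
    """Return (userid, password) from a Basic Authorization value, else None."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # not valid Base64 / not text: treat as no credentials
    # Only the first colon separates userid from password.
    userid, sep, password = decoded.partition(":")
    if not sep or not userid:
        return None
    # Refuse control characters so the userid cannot inject header lines.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in userid):
        return None
    return userid, password


def strip_credentials(headers, user_header="X-Remote-User"):
    """Build the headers to forward upstream: no password, userid only."""
    blocked = {"authorization", user_header.lower()}
    creds = None
    forwarded = {}
    for name, value in headers.items():
        if name.lower() == "authorization":
            creds = parse_basic(value)
        if name.lower() in blocked:
            continue  # drop the password and any client-supplied identity header
        forwarded[name] = value
    if creds is not None:
        forwarded[user_header] = creds[0]
    return forwarded


if __name__ == "__main__":
    request = {"Host": "app.internal.example", "Authorization": SAMPLE}
    print("backend could recover:", parse_basic(request["Authorization"]))
    print("forwarded instead:   ", strip_credentials(request))
```

Dropping any client-supplied copy of the identity header matters as much as removing the password, because the backend will trust whatever userid arrives in it.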