Re: Authentication handlers in a proxy setting
> > It would be more logical to do the authentication on the front-end > server. Then, if the back-end server needs the result of the > authentication, you could add an appropriate HTTP header (with the > user-id and maybe more stuff) to the request, before proxying it to the > back-end. > The idea is that (supposedly) the communication between the front-end > and the back-end happens on a secure or private channel, so if the > back-end gets this header, it knows it comes from the front-end. > Getting the content of a request header is pretty light-weigth, so the > work to do on the back-end for AAA could be minimal, since it can > "believe" what the front-end tells it. > That makes sense, but the Apache documentation on server configuration suggests a very light-weight front end server with the heavy-weight perl server on the back end. It seems like a lot of overhead to have mod_perl on the front end purely for authentication; I might as well keep the monolithic configuration I have now. Thanks for the input, though, it helps clarify things. Dan
Re: Authentication handlers in a proxy setting
On Sun, Mar 28, 2010 at 3:41 PM, Dan Axtell wrote: > What I don't understand is what to do about static directories that want to > use the handlers via Directory directive, or via a local .htdocs file. Does > any such directory need to be forwarded to the dynamic server in order to then > call the handlers? To do access control for static files while still using your mod_perl auth handler, take a look at mod_auth_tkt or perlbal. - Perrin
Re: Authentication handlers in a proxy setting
On Mon, Mar 29, 2010 at 4:24 AM, Dan Axtell wrote: > server on the back end. It seems like a lot of overhead to have mod_perl on > the front end purely for authentication; I might as well keep the monolithic > configuration I have now. Thanks for the input, though, it helps clarify > things. It depends on the size of your httpd processes with mod_perl enabled. If you have handlers that don't load a lot of third party modules, you can get away with 10-20 meg mod_perl httpds. And a fair amount of that memory will be shared.
