I have set up a reverse proxy (mod_proxy) on Apache 2.0.53 on SuSE Linux
9.3. The reverse proxy successfully handles basic authentication and
then forwards to the protected web server. The authentication is handled
by mod_auth_ldap against a M$ Active Directory Server.
The user and password are transferred by standard Apache functionality
in an HTTP request header called 'Authorization'. The value of
the header looks something like this: 'Basic WErwSrweW4Dsaf3_'. The
former means basic authentication, the latter is '<userid>:<password>' in
a Base64-encoded format. I trust the authentication on Apache and would
like to remove this unencrypted password, so that only the userid is
transferred to the web server. It is a security issue not to disclose
the password to anyone behind the reverse proxy.
Is there any configuration where this can be set?
In case it cannot be configured: Which module of Apache handles setting
the authorization header? I did not find anything in the 2.0 sources
(mod_proxy.c; mod_proxy_util.c; mod_proxy_http.c; mod_auth_ldap.c ...).
Are there useful changes with Apache 2.2?
Hayo Schmidt
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
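One way to do what the post asks, as an added example that is not part of the original message: mod_headers can unset the Authorization header after authentication has already run, and mod_rewrite's look-ahead can copy REMOTE_USER into a custom header so the backend receives only the userid. The directives are Apache 2.2 ones (mod_authnz_ldap); the hostnames, LDAP URL, bind DN and the header name X-Remote-User are placeholders.

```apache
# Added example, not from the original post or the Apache project docs.
# Requires mod_proxy, mod_proxy_http, mod_authnz_ldap (2.2), mod_headers
# and mod_rewrite. All hostnames and the LDAP settings are placeholders.

ProxyRequests Off
ProxyPass        / http://backend.example.internal/
ProxyPassReverse / http://backend.example.internal/

<Location />
    AuthType Basic
    AuthName "Protected area"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ad.example.internal/dc=example,dc=internal?sAMAccountName?sub?(objectClass=user)"
    AuthLDAPBindDN "cn=proxy-bind,cn=Users,dc=example,dc=internal"
    AuthLDAPBindPassword "PLACEHOLDER"
    Require valid-user

    # RequestHeader is applied in the fixup phase, after authentication
    # has already checked the credentials, so removing the header here
    # does not break the login. The backend never sees
    # "Authorization: Basic <base64(user:password)>".
    RequestHeader unset Authorization

    # REMOTE_USER is not yet in the request environment when RequestHeader
    # runs, so use mod_rewrite's look-ahead (%{LA-U:...}) to resolve it
    # into a variable (RU) that the header can reference.
    RewriteEngine On
    RewriteRule .* - [E=RU:%{LA-U:REMOTE_USER}]
    RequestHeader set X-Remote-User "%{RU}e"
</Location>

# Trust boundary: the backend must accept X-Remote-User only from this
# proxy (e.g. firewall the backend so clients cannot reach it directly),
# otherwise anyone who can connect to the backend could set the header.
```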