Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

Webauth redirect loop as destination for proxypass

Russ Allbery eagle at windlord.stanford.edu
Wed Jun 1 17:00:57 PDT 2011


Fletcher Cocquyt <fcocquyt at stanford.edu> writes:

> Hi ­ the mod_webauth docs mention webauthing the proxy location and
> passing the webauth user variable.  One of our developers is attempting
> to do the webauth on the destination side and we are seeing an redirect
> loop with this type of config ­ is this supported?  If so, what is the
> recommended config to not cause redirect loops?

You have to do WebAuth in one place or the other.  If you do WebAuth on
the proxy destination host, it will attempt to redirect the user to
WebLogin and then back to its own internal concept of its URL to do actual
WebAuth authentication.  Usually this means that it will "undo" your
proxy, but if the server thinks its URL is actually the URL of a separate
proxy server that is itself doing WebAuth, it's going to create an
infinite loop.

If you do WebAuth authentication on the server doing the proxying, then it
should complete the authentication and pass that information via some
mechanism like an HTTP header, and the destination host should read that
header rather than trying to do WebAuth.

mod_webauth itself doesn't have any mechanism for turning the HTTP header
into a REMOTE_USER authentication identity from the Apache perspective.
The suggestion about how to handle proxies is intended for proxying to
servers that cannot do WebAuth; it's always better to go directly to the
WebAuth-enabled server where possible.

-- 
Russ Allbery <eagle at windlord.stanford.edu>
Technical Lead, ITS Infrastructure Delivery Group, Stanford University



More information about the webauth-info mailing list