Search Mailing List Archives
Webauth redirect loop as destination for proxypass
eagle at windlord.stanford.edu
Wed Jun 1 17:00:57 PDT 2011
Fletcher Cocquyt <fcocquyt at stanford.edu> writes:
> Hi the mod_webauth docs mention webauthing the proxy location and
> passing the webauth user variable. One of our developers is attempting
> to do the webauth on the destination side and we are seeing an redirect
> loop with this type of config is this supported? If so, what is the
> recommended config to not cause redirect loops?
You have to do WebAuth in one place or the other. If you do WebAuth on
the proxy destination host, it will attempt to redirect the user to
WebLogin and then back to its own internal concept of its URL to do actual
WebAuth authentication. Usually this means that it will "undo" your
proxy, but if the server thinks its URL is actually the URL of a separate
proxy server that is itself doing WebAuth, it's going to create an
If you do WebAuth authentication on the server doing the proxying, then it
should complete the authentication and pass that information via some
mechanism like an HTTP header, and the destination host should read that
header rather than trying to do WebAuth.
mod_webauth itself doesn't have any mechanism for turning the HTTP header
into a REMOTE_USER authentication identity from the Apache perspective.
The suggestion about how to handle proxies is intended for proxying to
servers that cannot do WebAuth; it's always better to go directly to the
WebAuth-enabled server where possible.
Russ Allbery <eagle at windlord.stanford.edu>
Technical Lead, ITS Infrastructure Delivery Group, Stanford University
More information about the webauth-info