Reverse proxying from Apache to Tomcat and Basic Authentication

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

Reverse proxying from Apache to Tomcat and Basic Authentication

Ezio Paglia
Hi all.

I think that an architecture based on an Apache as front-end and one or
more Tomcat's as back ends is quite common.

Reverse proxying from Apache to Tomcat works, and it still works if we
let Tomcat to provide some authentication and authorization feature
(i.e. via ldap).

Yet I'd like to have authentication (and even authorization) on Apache,
I think it would be more correct. So I tried to study the problem,
having some locations of the Apache protected by a Basic Authentication
and proxy-passed to Tomcat. I expected the Tomcat to preserve the
REMOTE_USER (or HTTP_REMOTE_USER ? ) variable received by Apache. It
does not work.

Do you know how can Tomcat force an environmental variable (coming from
Apache via reverse proxy) into its REMOTE_USER, after recognizing the
REMOTE_ADDR of the federate Apache and without being open to attacks ?

Thanks in advance.
Ciao.
Yours Ezio.


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]