httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Boyle Owen" <>
Subject RE: [users@httpd] reverse proxy with 2 level basic authentication
Date Fri, 03 Jun 2005 06:33:04 GMT
> -----Original Message-----
> From: Rob Baxter []
> Sent: Donnerstag, 2. Juni 2005 23:34
> To:
> Subject: [users@httpd] reverse proxy with 2 level basic authentication
> I have inherited a probject where I am trying to configure 
> Apache2 to be 
> a reverse proxy to an Exchange Server with Outlook Web Access/Outlook 
> Mobile Access. The security requirements dictate that there 
> be 2 layers 
> of authentication. First the use must authenticate to the 
> proxy and then 
> to the Exchange server. The proxy is using basic 
> authentication and for 
> normal web browsers this setup is working fine as the OWA is using 
> Windows Forms Authentication.
> The problem is that aparently the PDAs this organization is 
> using don't 
> have a browser that plays nice with Windows Forms so I was asked to 
> configure the proxy to support another layer of basic authentication. 
> However, I don't see how this is going to work. What I am 
> seeing now is 
> that the proxy is passing the crendentials for the first 
> layer (itself) 
> to the Excahnge server even though the browser does correctly prompt  
> you for two different sets of credentials. 

What's really happening is the following:

- browser requests URL 
- docroot is protected so proxy responds 401
- browser prompts for credentials, resends request with creds.
- proxy receives request, sees it's for back-end server
- proxy sends request to back-end
- back-end responds 401
- proxy sends 401 to browser
- browser prompts again

... now it all goes pear-shaped. The browser got a 401 back the first time it tried to contact
the server so it now thinks that everything on that server is part of the realm and will require
credentials. So it sends the first login creds with every subsequent request. Now it finds
it gets a second 401! The HTTP protocol only supports a single layer of basic authentication
so the browser no longer knows which realm the password refers to. 

Usually this happens when people try to nest realms, eg:

<Location /secret>
  AuthName "secret place"

<Location /secret/really>
  AuthName "really secret place"

The browser attaches the first creds to the path /secret. So when the user requests /secret/really,
the browser is baffled - it's still under /secret so should get the first creds, so it can't
understand why it gets a 401. Even if it sends the second creds with the request, the server
might not let it through the first Location block. The results are usually browser and server

Returning to your problem, a solution would be to implement session-based authentication on
the proxy (ie, a CGI form and give the browser a cookie) and then leave the basic auth on
the backend. Session handling is not trivial but there are many off-the-shelf applications
in perl, PHP etc that would do the trick.

Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

> I'd really 
> appreciate it if 
> someone could tell me if what I am trying to do is even 
> possible of if I 
> am wasting my time. Thanks in advance.
> </rob>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP 
> Server Project.
> See <URL:> for more info.
> To unsubscribe, e-mail:
>    "   from the digest:
> For additional commands, e-mail:
Diese E-mail ist eine private und persönliche Kommunikation. Sie hat keinen Bezug zur Börsen-
bzw. Geschäftstätigkeit der SWX Gruppe. This e-mail is of a private and personal nature.
It is not related to the exchange or business activities of the SWX Group. Le présent e-mail
est un message privé et personnel, sans rapport avec l'activité boursière du Groupe SWX.
This message is for the named person's use only. It may contain confidential, proprietary
or legally privileged information. No confidentiality or privilege is waived or lost by any
mistransmission. If you receive this message in error, please notify the sender urgently and
then immediately delete the message and any copies of it from your system. Please also immediately
destroy any hardcopies of the message. You must not, directly or indirectly, use, disclose,
distribute, print, or copy any part of this message if you are not the intended recipient.
The sender's company reserves the right to monitor all e-mail communications through their
networks. Any views expressed in this message are those of the individual sender, except where
the message states otherwise and the sender is authorised to state them to be the views of
the sender's company.

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message