嵌套 HTTP 基本身份验证?
有没有办法在 REST API 前面使用 http 基本身份验证进行反向代理,该 API 也使用具有不同用户名和密码的 http 基本身份验证?
如果重要的话,反向代理是 Apache。
最明显的解决方案似乎是让应用程序和代理使用不同的标头进行身份验证。
1) 例如,我可以向代理发送一个请求,如下所示:
GET /foo/1 HTTP/1.1
Authorization: proxyuserpasshere
X-Passthru-Authorization: restuserpasshere
然后代理将使用“Authorization”标头并(如果有效)将请求传递给底层 Web 应用程序,例如:(
GET /foo/1 HTTP/1.1
Authorization: restuserpasshere
其中值 ' restuserpasshere' 取自 'X-Passthru-Authorization' 标头)
有没有办法配置 Apache 使其工作?
2) 相反,我可以使用标准的“Authorization”标头作为代理,并使用自定义标头来进行应用程序的身份验证。因此,请求将如下所示:
GET /foo/1 HTTP/1.1
Authorization: proxyuserpasshere
X-Myapp-Authorization: restuserpasshere
这样做的缺点是我的应用程序现在已硬编码为使用“X-Myapp-Authorization”标头,而不是标准的 Authorization 标头。
有更好的方法解决这个问题吗?
Is there any way to have a reverse proxy using http basic Authentication in front of a REST API which also uses http basic Authentication with different username and passwords?
The reverse proxy is Apache, if it matters.
The most obvious solution seems to be to get the application and the proxy to use different headers for the authentication.
1) For example, I could send a request to the proxy like:
GET /foo/1 HTTP/1.1
Authorization: proxyuserpasshere
X-Passthru-Authorization: restuserpasshere
And then the proxy would consume the "Authorization" header and (if it were valid) pass on a request to the underlying web-app like:
GET /foo/1 HTTP/1.1
Authorization: restuserpasshere
(where the value 'restuserpasshere' was taken from the 'X-Passthru-Authorization' header)
Is there a way to configure Apache to make that work?
2) Conversely, I could use the standard "Authorization" header for the proxy, and use a custom header for my application's authentication. So the request would look like:
GET /foo/1 HTTP/1.1
Authorization: proxyuserpasshere
X-Myapp-Authorization: restuserpasshere
The drawback to this is that my app is now hardcoded to use the "X-Myapp-Authorization" header instead of the standard Authorization header.
Is there a better way around this?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
未经测试,但我会尝试类似的操作:
我不知道是否允许
%{HTTP:x-HEADER}语法。您可能需要使用环境变量。请参阅:
http://httpd.apache.org/docs/2.2/mod/mod_headers .html
http://php.dzone.com/news/inserting-variable-headers-apa
Not tested, but I would try something like:
I don't know if
%{HTTP:x-HEADER}syntax is allowed. You may have to play with environment variables.See:
http://httpd.apache.org/docs/2.2/mod/mod_headers.html
http://php.dzone.com/news/inserting-variable-headers-apa