On Mon, Apr 21, 2014 at 12:38 PM, Graham Leggett <[email protected]> wrote:
> Hi all,
>
> Right now, we have the SSLUserName directive, which takes an arbitrary SSL
> variable and turns it into a username for the benefit of the request. This
> has the downside that only SSL variables (and some CGI variables) are usable
> as usernames, and it combines with FakeBasicAuth to create undesirable side
> effects.
>
> What would be cleaner is if we deprecate SSLUserName and create a
> mod_auth_user.c module that declares AuthType User, and then offers an
> AuthUser directive that sets the user based on an arbitrary expression from
> ap_expr.h. This will make client certificates easier to work with, and
> provide options for authentication that aren't based purely on logins, such
> as tokens in URLs, etc.
>
> Thoughts?

As a user, I was using SSLUserName to determine identity. This worked great when SSL termination happened on the same server as the application, but when I terminated SSL on a reverse proxy and proxied the request to a backend server, there was seemingly no way to fill r->user on the backend, e.g. from a named header passed from the reverse proxy.

I fixed this with a noddy module that did that - pulled the value of a header and put it into r->user. It would be good if there is a default module that could support that also.

Cheers
Tom
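
Added example, not part of the original thread and not code from either poster: a sketch of the proxy side of the setup described above, where the TLS-terminating reverse proxy forwards the client certificate's CN to the backend in a named header. The header name `X-Remote-User`, the file paths and the backend address are assumptions chosen for illustration; the backend-side module that copies the header into r->user is not shown.

```apache
# Reverse proxy: terminates TLS, verifies the client certificate, and
# forwards the certificate identity to the backend in a request header.
# Requires mod_ssl, mod_headers and mod_proxy_http.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /path/to/proxy-cert.pem      # placeholder path
    SSLCertificateKeyFile /path/to/proxy-key.pem       # placeholder path

    # Only clients with a certificate issued by this CA get through.
    SSLVerifyClient require
    SSLVerifyDepth  1
    SSLCACertificateFile  /path/to/client-ca.pem       # placeholder path

    # Weak form (do not use): "add" appends to whatever the client sent,
    # so a client-supplied X-Remote-User value reaches the backend as well.
    #   RequestHeader add X-Remote-User "%{SSL_CLIENT_S_DN_CN}s"

    # Corrected form: discard any inbound copy of the header, then set it
    # from the verified certificate only.
    RequestHeader unset X-Remote-User
    RequestHeader set   X-Remote-User "%{SSL_CLIENT_S_DN_CN}s"

    # Constructed backend address. The backend should accept connections
    # only from this proxy, because it treats the header as the identity.
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```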
