On 16 Aug 2014, at 10:16 PM, Jeff Trawick <[email protected]> wrote:

> This core directive would be used to modify the processing of
> ap_add_common_vars() to pass through Authorization or Proxy-Authorization as
> HTTP_foo. (Nothing else is currently blocked, so any other header name
> wouldn't make sense.)
>
> This directive would be configurable at the directory level, but not in
> htaccess.
>
> Various mods (mod_fastcgi, mod_fcgid, mod_wsgi, etc.) have ways to pass this
> information through; bug 56855 has a patch to add it to mod_proxy_fcgi too.
> With that patch in place, at least mod_proxy_scgi in our tree still couldn't
> front an app that wants to handle Basic auth. It would be good to
> consolidate over time the code/documentation around suppressing
> *Authorization.
>
> Some concerns: Processing it in ap_add_common_vars() is not finely scoped to
> natural users of the data; e.g., mod_include and mod_ext_filter would see it.
> At the same time, not allowing it in htaccess may negate its usefulness in
> some environments.
>
> Thoughts?

Would AuthBasicFake not help here?

I use it to pass basic auth credentials back when certs are being used, so that a backend process has access to the username and a token password. This allows all sorts of control over the basic auth header, you can suppress the password while maintaining the username, etc.

Regards,
Graham
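The kind of setup described in the reply above, sketched as an added configuration example (not from either poster and not from the httpd tree). It assumes httpd 2.4.5 or later with mod_ssl, mod_auth_basic and mod_proxy_http loaded; the paths, backend address and token string are constructed placeholders.

```apache
# Constructed example: client-certificate authentication at the front end,
# with a synthesized Basic Authorization header handed to the backend.
<Location "/app">
    # Only clients presenting a verified certificate get through.
    SSLVerifyClient require

    # Build the Authorization header from the certificate:
    # username = e-mail address from the subject DN,
    # password = a fixed token the backend recognizes (placeholder value).
    AuthBasicFake "%{SSL_CLIENT_S_DN_Email}" "EXAMPLE-TOKEN"

    ProxyPass "http://127.0.0.1:8080/app"
</Location>

# Variant: keep the username but give the backend no meaningful secret.
# With no second argument, AuthBasicFake sends the literal default
# password "password", so the backend must not treat it as proof of identity.
<Location "/app-readonly">
    SSLVerifyClient require
    AuthBasicFake "%{SSL_CLIENT_S_DN_Email}"
    ProxyPass "http://127.0.0.1:8080/app-readonly"
</Location>
```

A backend behind this must accept connections only from the proxy, since anyone who can reach it directly can send the same header.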
