Hi all, With support for AJP becoming scarce, there has been a need to get information from an Apache httpd to a backend server (Tomcat, etc) in a secure way.
The following patch introduces two new modules: - mod_auth_bearer: This provides bearer authentication, as described in RFC6750. A token can be received by Apache httpd, and accepted if recognised, and in addition a token can be generated by httpd, and sent to a backend server. This allows the details of a digital certificate to be passed securely to the backend, when the digital certificate has been terminated by httpd. - mod_autht_jwt: RFC6750 does not mandate the type of token used, it can be anything. One such token supported is JWT, as implemented in mod_autht_jwt. We can verify incoming JWT tokens, and we can sign outgoing JWT tokens today using HS256, with more algorithms to come. We introduce a new type of auth module: autht for authenticating tokens. A token can carry usernames, or IP addresses, or any metadata that might subsequently be used by authn or authz. We depend on apr_jose support in apr-util v1.7, which in turn depends on secure apr_json support, and apr_crypto hashing functions. This work (in APR and httpd) has been sponsored by NLNet as part of the Redwax Project at https://redwax.eu. Example configuration to accept a token: AuthType bearer AuthName example-name AuthBearerProvider jwt AuthtJwtVerify hs256 file /Users/minfrin/src/apache/sandbox/proxy/conf/secret Require valid-user Example configuration to send a token to a proxy backend: AuthBearerProxy %{JWT_TOKEN} AuthtJwtClaim set sub %{REMOTE_USER} AuthtJwtSign hs256 file /Users/minfrin/src/apache/sandbox/proxy/conf/secret Work still to be done includes porting this to trunk, as well as documenting it properly. This will follow. Regards, Graham —
mod_auth_bearer-mod_autht_jwt.patch
Description: Binary data
smime.p7s
Description: S/MIME cryptographic signature
