Dan Axtell wrote:
Hi,

I wrote some mod_perl handlers for authentication and authorization, basically to set cookies and check user roles. I use them for both static and dynamic content from Perl scripts.

I'm looking into splitting Apache into two servers, one optimized for static content and acting as a reverse proxy for the dynamic content Apache server. I understand that in the static httpd.conf, I can do things like:
        ProxyPass               /perl/ http://dynamic.server:8080/perl/
        ProxyPassReverse        /perl/ http://dynamic.server:8080/perl/
and in the dynamic server's httpd.conf, I can add ScriptAlias and Location directives to call my authentication handlers.

What I don't understand is what to do about static directories that want to use the handlers via Directory directive, or via a local .htdocs file. Does any such directory need to be forwarded to the dynamic server in order to then call the handlers?

If I understand correctly, and if your front-end server does not have mod_perl, then I'm afraid that the answer would be yes.

It would be more logical to do the authentication on the front-end server. Then, if the back-end server needs the result of the authentication, you could add an appropriate HTTP header (with the user-id and maybe more stuff) to the request, before proxying it to the back-end. The idea is that (supposedly) the communication between the front-end and the back-end happens on a secure or private channel, so if the back-end gets this header, it knows it comes from the front-end. Getting the content of a request header is pretty lightweight, so the work to do on the back-end for AAA could be minimal, since it can "believe" what the front-end tells it.

Now this all depends quite a bit on what you need to do to authenticate a user, how heavy it is, how you check that a user is already authenticated and so on.

I am using a variety of schemes which work more or less that way, so if you have a more precise description of what you are trying to do, I may be able to give you some additional ideas.
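
The trust model described in the reply above, as an added example that is not part of the original thread: the front-end replaces any client-supplied identity header with its own, and the back-end believes the header only when the connection comes from the front-end. The header name `X-Authenticated-User`, the front-end address `10.0.0.5` and the function names are assumptions made for illustration.

```python
import ipaddress

# Assumptions for this example: header name and front-end address are made up.
AUTH_HEADER = "x-authenticated-user"
FRONT_END_NETS = [ipaddress.ip_network("10.0.0.5/32")]


def _is_auth_header(name):
    # Treat '_' like '-': both spellings collapse to the same CGI variable
    # (HTTP_X_AUTHENTICATED_USER), so either could be used to smuggle a value.
    return name.lower().replace("_", "-") == AUTH_HEADER


def front_end_forward(client_headers, authenticated_user):
    """Front-end side: headers to send to the back-end.

    Every client-supplied copy of the identity header is dropped, then the
    front-end adds its own value only if it authenticated the user itself.
    """
    forwarded = [(n, v) for n, v in client_headers if not _is_auth_header(n)]
    if authenticated_user is not None:
        forwarded.append((AUTH_HEADER, authenticated_user))
    return forwarded


def back_end_user(peer_ip, headers):
    """Back-end side: the user id to believe, or None.

    The header is honoured only when the TCP peer is the front-end and
    exactly one non-empty value is present.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in FRONT_END_NETS):
        return None  # request bypassed the front-end
    values = [v.strip() for n, v in headers if _is_auth_header(n)]
    if len(values) != 1 or not values[0]:
        return None  # missing, empty or ambiguous identity
    return values[0]


if __name__ == "__main__":
    # Constructed request: a logged-in user "dan" also sends a forged header.
    forged = [("Host", "static.example"), ("X-Authenticated-User", "admin")]
    print(back_end_user("10.0.0.5", front_end_forward(forged, "dan")))   # dan
    print(back_end_user("10.0.0.5", front_end_forward(forged, None)))    # None
    print(back_end_user("203.0.113.9", forged))                          # None
```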
