Dan Axtell wrote:
Hi,
I wrote some mod_perl handlers for authentication and authorization, basically
to set cookies and check user roles. I use them for both static and dynamic
content from Perl scripts.
I'm looking into splitting Apache into two servers, one optimized for static
content and acting as a reverse proxy for the dynamic content Apache server.
I understand that in the static httpd.conf, I can do things like:
ProxyPass /perl/ http://dynamic.server:8080/perl/
ProxyPassReverse /perl/ http://dynamic.server:8080/perl/
and in the dynamic server's httpd.conf, I can add ScriptAlias and Location
directives to call my authentication handlers.
What I don't understand is what to do about static directories that want to
use the handlers via Directory directive, or via a local .htdocs file. Does
any such directory need to be forwarded to the dynamic server in order to then
call the handlers?

If I understand correctly, and if your front-end server does not have
mod_perl, then I'm afraid that the answer would be yes.
It would be more logical to do the authentication on the front-end
server. Then, if the back-end server needs the result of the
authentication, you could add an appropriate HTTP header (with the
user-id and maybe more stuff) to the request, before proxying it to the
back-end.
The idea is that (supposedly) the communication between the front-end
and the back-end happens on a secure or private channel, so if the
back-end gets this header, it knows it comes from the front-end.
Getting the content of a request header is pretty lightweight, so the
work to do on the back-end for AAA could be minimal, since it can
"believe" what the front-end tells it.
Now this all depends quite a bit on what you need to do to authenticate
a user, how heavy it is, how you check that a user is already
authenticated and so on.
I am using a variety of schemes which work more or less that way, so if you
have a more precise description of what you are trying to do, I may be
able to give you some additional ideas.
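
The header hand-off described in the reply above, as an added sketch that is not part of the original thread or anyone's production code: the front end drops any client-supplied copy of the identity header before setting its own, and the back end believes the header only when the connection comes from the front end. The header name `X-Authenticated-User`, the address `10.0.0.5`, the user-id pattern and the sample requests are all assumptions constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumptions for this sketch (not from the thread):
my $ID_HEADER     = 'X-Authenticated-User';   # hypothetical header name
my %TRUSTED_PROXY = ('10.0.0.5' => 1);        # constructed front-end address

# Front end: build the headers forwarded to the back end. Any identity
# header sent by the client is dropped; the header is then set only from
# the front end's own authentication result (undef = not logged in).
sub frontend_headers {
    my ($client_headers, $authenticated_user) = @_;
    my %out = map  { $_ => $client_headers->{$_} }
              grep { lc($_) ne lc($ID_HEADER) } keys %$client_headers;
    $out{$ID_HEADER} = $authenticated_user if defined $authenticated_user;
    return \%out;
}

# Back end: accept the header only when the TCP peer is the front end.
# Returns the user id, or undef when the request is to be treated as anonymous.
sub backend_user {
    my ($peer_ip, $headers) = @_;
    return unless $TRUSTED_PROXY{$peer_ip};
    my ($name) = grep { lc($_) eq lc($ID_HEADER) } keys %$headers;
    return unless defined $name;
    my $user = $headers->{$name};
    return unless defined $user && $user =~ /\A[A-Za-z0-9_.-]{1,64}\z/;
    return $user;
}

# Constructed sample requests:
# [ label, peer seen by back end, client headers, front-end auth result, bypass flag ]
for my $case (
    [ 'valid session',           '10.0.0.5',    { Cookie => 'sid=abc' },                 'dan' ],
    [ 'forged header, no login', '10.0.0.5',    { 'x-authenticated-user' => 'admin' },   undef ],
    [ 'forged header, logged in','10.0.0.5',    { 'X-Authenticated-User' => 'admin' },   'dan' ],
    [ 'direct hit on back end',  '203.0.113.9', { 'X-Authenticated-User' => 'admin' },   undef, 1 ],
) {
    my ($label, $peer, $hdrs, $user, $bypass) = @$case;
    # A bypassing client talks to the back end without passing the front end.
    my $sent = $bypass ? $hdrs : frontend_headers($hdrs, $user);
    my $who  = backend_user($peer, $sent);
    printf "%-26s -> %s\n", $label, defined $who ? $who : '(anonymous)';
}
```

In a mod_perl back end the same decision would sit in an authentication-phase handler, with the peer address and request headers taken from the request object instead of the hashes used here.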