> It would be more logical to do the authentication on the front-end
> server. Then, if the back-end server needs the result of the
> authentication, you could add an appropriate HTTP header (with the
> user-id and maybe more stuff) to the request, before proxying it to the
> back-end.
> The idea is that (supposedly) the communication between the front-end
> and the back-end happens on a secure or private channel, so if the
> back-end gets this header, it knows it comes from the front-end.
> Getting the content of a request header is pretty light-weight, so the
> work to do on the back-end for AAA could be minimal, since it can
> "believe" what the front-end tells it.
>

That makes sense, but the Apache documentation on server configuration suggests a very light-weight front end server with the heavy-weight perl server on the back end. It seems like a lot of overhead to have mod_perl on the front end purely for authentication; I might as well keep the monolithic configuration I have now. Thanks for the input, though, it helps clarify things.
Dan
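
The trusted-header arrangement discussed in this thread, sketched as an added example that is not part of either message: the front end removes any client-supplied copy of the identity header before setting its own, and the back end accepts the header only from the front end's address. The header name `X-Authenticated-User`, the address `10.0.0.5` and both function names are assumptions made for illustration.

```python
import ipaddress

IDENTITY_HEADER = "X-Authenticated-User"  # assumed header name, not from the thread
TRUSTED_FRONTENDS = [ipaddress.ip_network("10.0.0.5/32")]  # constructed private address


def _norm(name):
    # CGI-style environments map "X_Foo" and "X-Foo" to the same variable,
    # so both spellings are treated as the same header.
    return name.lower().replace("_", "-")


def frontend_proxy_headers(client_headers, authenticated_user):
    """Front end: build the header set that is proxied to the back end."""
    # Drop every client-supplied copy of the identity header; otherwise a
    # client could pre-set it and be "believed" by the back end.
    forwarded = {k: v for k, v in client_headers.items()
                 if _norm(k) != _norm(IDENTITY_HEADER)}
    if authenticated_user is not None:
        forwarded[IDENTITY_HEADER] = authenticated_user
    return forwarded


def backend_user(headers, peer_ip):
    """Back end: return the user id, or None when the header is not trusted."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_FRONTENDS):
        return None  # request did not arrive over the private channel
    values = [v for k, v in headers.items()
              if _norm(k) == _norm(IDENTITY_HEADER)]
    # Exactly one non-empty value is expected; duplicates are rejected.
    if len(values) != 1 or not values[0].strip():
        return None
    return values[0].strip()
```

The back-end check stays as cheap as the thread suggests (one address comparison and one header lookup), but it depends on the back end being unreachable except through the front end.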