>
> It would be more logical to do the authentication on the front-end
> server. Then, if the back-end server needs the result of the
> authentication, you could add an appropriate HTTP header (with the
> user-id and maybe more stuff) to the request, before proxying it to the
> back-end.
> The idea is that (supposedly) the communication between the front-end
> and the back-end happens on a secure or private channel, so if the
> back-end gets this header, it knows it comes from the front-end.
> Getting the content of a request header is pretty light-weigth, so the
> work to do on the back-end for AAA could be minimal, since it can
> "believe" what the front-end tells it.
>
That makes sense, but the Apache documentation on server configuration 
suggests a very light-weight front end server with the heavy-weight perl 
server on the back end.  It seems like a lot of overhead to have mod_perl on 
the front end purely for authentication; I might as well keep the monolithic 
configuration I have now.  Thanks for the input, though, it helps clarify 
things.

Dan

Reply via email to