I currently use basic auth over SSL to connect to our Intranet site (https://iris.rnib.org.uk). This has worked fine for many years; however, we need to move to a new system that runs on IIS (Stellent, formerly xpedio), although some content will remain on Apache.
To keep it under some kind of control, I'm only proxying certain extensions as follows:

    RewriteEngine on
    # Redirect home page
    RewriteRule ^/$ http://dilbert/xpedio/groups/public/documents/iris/iriswelcome.hcsp [P,L]
    # Redirect hcsp,htm,css and js pages
    RewriteRule ^/xpedio/(.*)\.hcsp(.*)$ http://dilbert/xpedio/$1.hcsp$2 [P,L]
    RewriteRule ^/xpedio/(.*)\.htm(.*)$ http://dilbert/xpedio/$1.htm$2 [P,L]
    RewriteRule ^/xpedio/(.*)\.css$ http://dilbert/xpedio/$1.css [P,L]
    RewriteRule ^/xpedio/(.*)\.js$ http://dilbert/xpedio/$1.js [P,L]
    # Redirect images
    RewriteRule ^/xpedio/(.*)\.gif$ http://dilbert/xpedio/$1.gif [P,L]
    RewriteRule ^/xpedio/(.*)\.jpg$ http://dilbert/xpedio/$1.jpg [P,L]
    RewriteRule ^/xpedio/(.*)\.png$ http://dilbert/xpedio/$1.png [P,L]
    # Redirect one and only one cgi script!
    RewriteRule ^/intradoc-cgi/idc_cgi_isapi.dll(.*)$ http://dilbert/intradoc-cgi/idc_cgi_isapi.dll$1 [P]

However, what happens is that the username and password to log into Apache is passed to the ISAPI filter on the IIS box. This then sends its authentication realm with its request for the correct password. Unless the username and password exist on both machines, you cannot access the content externally. The Stellent system has a limit of 50 registered users, whereas we have over 200 people who access our Intranet remotely.

I've been spending weeks reading through the mod_header, mod_proxy and mod_rewrite documentation and I can't see any way to stop the username and password being passed via mod_proxy. I've been testing it out as well.

I think this is something that Ralf might be able to answer as he wrote the mod_rewrite module (great work Ralf). Of course, there may be others on this list that have come across this problem before or are a bit brighter than me (that wouldn't take much). It might mean that I have to use the Request Header feature of Apache 2.0.

I say this is a little off topic, as it is really a problem with having to use the evil IIS.
Despite writing a paper six weeks before Code Red hit saying that IIS is not safe to use, some people still insist on using it.

(Apologies for the bad word-wrapping).

-
John Airey
Internet systems support officer, ITCSD, Royal National Institute of the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

If Charles Darwin knew a fraction of what scientists know today, he'd never have written the Origin of the Species.
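The message names the Request Header feature of Apache 2.0 as a possible route. The following configuration sketch is an added illustration of that approach, not part of the original message and not tested against Stellent: Apache authenticates the user itself, then removes the Authorization header before the request is proxied to the back end. It assumes Apache 2.0 or later with mod_headers, mod_proxy and mod_rewrite loaded, that the IIS side is set up to serve the proxy's requests without its own login, and it uses a placeholder realm name and password-file path.

```apache
# Added example. Realm name and AuthUserFile path are placeholders;
# the back-end host name "dilbert" and the rewrite rules come from the message.

# Front-end login: Apache checks the Basic credentials itself.
<Location />
    AuthType Basic
    AuthName "Intranet (placeholder realm)"
    AuthUserFile /path/to/htpasswd
    Require valid-user
</Location>

# mod_headers (Apache 2.0+): RequestHeader is applied after the
# authentication phase and before the handler runs, so Apache has already
# validated the user when the header is dropped. The proxied request then
# leaves without the front-end username and password.
RequestHeader unset Authorization

RewriteEngine on

# Before: rules as posted; the browser's Authorization header travels
# to the back end unchanged.
# After: the same rules, but with "RequestHeader unset Authorization"
# in effect the back end never receives the Apache credentials.
RewriteRule ^/$ http://dilbert/xpedio/groups/public/documents/iris/iriswelcome.hcsp [P,L]
RewriteRule ^/xpedio/(.*)\.hcsp(.*)$ http://dilbert/xpedio/$1.hcsp$2 [P,L]
RewriteRule ^/xpedio/(.*)\.htm(.*)$ http://dilbert/xpedio/$1.htm$2 [P,L]
RewriteRule ^/intradoc-cgi/idc_cgi_isapi.dll(.*)$ http://dilbert/intradoc-cgi/idc_cgi_isapi.dll$1 [P]
```

With the header removed, the back end no longer sees per-user credentials, so it should accept connections only from the proxy host rather than from the wider network.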