Hi, how feasible would it be to extend the Pound proxy to implement HTTP Digest
authentication by querying a MySQL/Postgres database or RADIUS server?

Perhaps what I ask is a bit complex, but I would just like to know if it's
feasible to add such a layer on top of the existing code. What I need exactly
is shown in the following hypothetical config file. Note that I've added
some non-existent features:


----------------------------------------
## Digest authentication based on MySQL table.
AuthDigestType                mysql
AuthDigestMysqlHost           localhost
AuthDigestMysqlDatabase       mydatabase
AuthDigestMysqlUser           me
AuthDigestMysqlPasswd         1234
AuthDigestMysqlTable          subscribers
AuthDigestMysqlUserColumn     username
AuthDigestMysqlDomainColumn   domain
AuthDigestMysqlPlainPasswd    no
AuthDigestMysqlHa1Column      ha1
# Don't ask for authentication on requests from these addresses.
AuthTrustedIps                90.90.76.0/24, 127.0.0.1/32


## A backend list to be used in various "Service" sections.
BackEndList
  Id  my-http-servers
  BackEnd
    Address     127.0.0.1
    Port        9001
  End
  BackEnd
    Address     127.0.0.1
    Port        9002
  End
End


ListenHTTPS

  Address      XX.XX.XX.XX
  Port         443
  Cert         "/etc/ssl/local.server.pem"
  HeadRemove   "X-Forwarded-For"

  ## allow PUT and DELETE also (by default only GET, POST and HEAD)?:
  xHTTP        1

End


### Users trying to fetch or modify their documents under "pres-rules/" or
### "resource-lists/" must authenticate.
Service

  # Only for these URLs; extracts the [user] and [domain] to use in the 401.
  # Example 1:  https://mydomain.org/resource-lists/users/sip:[email protected]/mydocument.xml
  #   => user   = alice
  #   => domain = domain2.net
  # Example 2:  https://mydomain.org/pres-rules/users/[email protected]/presrules.xml
  #   => user   = bob
  #   => domain = domain3.com
  URL  "https://mydomain.org/(pres\-rules|resource\-lists)|/users/(sips?:)?:[[user]].+[[/use...@[[domain].+[[/domain]]/.*"

  # Only if the method is GET, PUT or DELETE.
  Method GET PUT DELETE

  # Require digest authentication. 401 will contain "WWW-Authenticate" with
  # "username=user" and "realm=domain" (extracted from URL).
  AuthDigest user domain

  BackEndList
    my-http-servers
  End

End

### Any user can see the icons of other users (so no auth is required):
Service

  URL  "https://mydomain.org/icon/users/.*"

  Method GET

  BackEndList
    my-http-servers
  End

End


### A user trying to modify his icon must authenticate:
Service

  URL  "https://mydomain.org/icon/users/(sips?:)?:[[user]].+[[/use...@[[domain].+[[/domain]]/.*"

  Method PUT, DELETE

  AuthDigest user domain

  BackEndList
    my-http-servers
  End

End
----------------------------------------



Of course I do know this is a very extensive and complex feature. I would just
like to know if it's possible to code such a feature on top of the existing
code.


Thanks.



--
Iñaki Baz Castillo <[email protected]>
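
Added example, not part of the original post and not Pound code: a Python sketch of the check the hypothetical `AuthDigest user domain` directive implies, verifying an RFC 2617 Digest response (MD5, qop=auth) against a stored HA1 so the plain password is never needed. The URL pattern, the in-memory `SUBSCRIBERS` table, the password and all function names are assumptions; issuing nonces and checking their freshness is left out.

```python
import hashlib
import hmac
import ipaddress
import re

# Values mirror the hypothetical config in the post; the data is constructed.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("90.90.76.0/24", "127.0.0.1/32")]
# Assumed URL layout: optional "sip:"/"sips:" prefix, then user@domain.
USER_RE = re.compile(r"^/(?:pres-rules|resource-lists)/users/(?:sips?:)?([^@/]+)@([^/]+)/")


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def make_ha1(user, realm, password):
    """HA1 = MD5(user:realm:password); this is what the ha1 column would hold."""
    return md5_hex(f"{user}:{realm}:{password}")


# Stand-in for the "subscribers" table: (username, domain) -> ha1.
SUBSCRIBERS = {("alice", "domain2.net"): make_ha1("alice", "domain2.net", "constructed-pw")}


def expected_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def authorize(client_ip, method, path, creds):
    """Return "trusted", "ok" or "deny"; creds is the parsed Authorization header."""
    if any(ipaddress.ip_address(client_ip) in net for net in TRUSTED_NETS):
        return "trusted"  # AuthTrustedIps: no challenge for these sources
    match = USER_RE.match(path)
    if match is None or creds is None:
        return "deny"
    user, domain = match.groups()
    # The credentials must name the user and realm taken from the URL,
    # otherwise one subscriber could authenticate against another's documents.
    if (creds["username"], creds["realm"], creds["uri"]) != (user, domain, path):
        return "deny"
    ha1 = SUBSCRIBERS.get((user, domain))
    if ha1 is None:
        return "deny"
    want = expected_response(ha1, method, path, creds["nonce"], creds["nc"], creds["cnonce"])
    return "ok" if hmac.compare_digest(want.encode(), creds["response"].encode()) else "deny"
```

A "deny" result corresponds to answering 401 with a fresh `WWW-Authenticate` challenge whose realm is the domain taken from the URL.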
