passing attributes with reverse proxy
Peter Schober
peter.schober at univie.ac.at
Sat Apr 9 12:38:22 EDT 2016
* Tonu Mikk <tmikk at umn.edu> [2016-04-08 21:11]:
> *RequestHeader set REMOTE-USER %{REMOTE_USER}s*
>
> It was slightly tricky to understand how to view that the header was
> passed. This required writing some code on the application server that
> displayed the header values on the web page.
AFAIR that will make the HTTP Request Header name HTTP_REMOTE_USER, so
you might as well call it anything you like, maybe even containing
some secret string in the header name, e.g. HTTP_1CEQJ7HXUWUNHII9
making injection of the value even less likely. You'll likely have to
modify the recieving end anyway, even for "HTTP_REMOTE_USER".
-peter
More information about the users
mailing list