passing attributes from mod_shib via proxy to an application

Marcus Schopen lists at
Thu May 16 16:16:51 EDT 2019

On Thursday, 16.05.2019, at 16:58 +0000, Cantor, Scott wrote:
> On 5/16/19, 12:40 PM, "users on behalf of Marcus Schopen" <
> users-bounces at on behalf of lists at> wrote:
> > Is it safer to run the Flask application with mod_wsgi and access
> > the attributes of mod_shib as environment variables instead of
> > sending them via HTTP header via mod_proxy?
> The answer to almost any question that ends in "or use headers and
> proxy HTTP?" is that the first part of the sentence is safer.

Scott, thank you for taking the time to answer my question.

So connecting a Flask app via mod_wsgi directly in Apache would be the
safer way for you, right?

> Proxying is about the dumbest "thing done for security" there is,
> it's literally the opposite in almost every case I have ever seen. If
> your software is so porous that connecting it to the Internet to
> serve HTTP is too risky, you need new software. TLS performance is
> usually about the only rationale I buy for proxying, and that's
> largely historical and tends to add its own security risks.

I don't see the point here. There are legitimate scenarios in which it
is discouraged to distribute certain resources via proxies to different
backends. The question is, how safe is the way there? Likewise, I don't
think it is a good idea for any software that wants to communicate into
the world via HTTP to have the full functionality of a mature web
server like Apache or Nginx. This is redundant and can only be error-
prone, so security will suffer in the end.
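
Added example, not part of the original thread and not Shibboleth or Flask project code: a sketch of the mod_wsgi variant discussed above, where the application reads mod_shib attributes from the WSGI environ, in which client request headers only ever appear under `HTTP_*` keys (PEP 3333). The attribute ids `eppn` and `affiliation` and all function names are assumptions made for illustration.

```python
import re

# Assumed attribute ids; use the ids from your SP's attribute map.
SHIB_ATTRS = ("eppn", "affiliation")


def split_values(raw):
    """mod_shib joins multiple values with ';' and escapes a literal ';' as '\\;'."""
    return [v.replace("\\;", ";") for v in re.split(r"(?<!\\);", raw)]


def shib_attributes(environ, names=SHIB_ATTRS):
    """Collect attributes from server-set environ keys only.

    PEP 3333 places every client request header under an HTTP_* key, so a
    key such as "eppn" cannot have come from a request header.
    """
    attrs = {}
    for name in names:
        if name.upper().startswith("HTTP_"):
            raise ValueError("refusing header-derived key: " + name)
        raw = environ.get(name)
        if raw:
            attrs[name] = split_values(raw)
    return attrs


def shadowing_headers(environ, names=SHIB_ATTRS):
    """Request headers named like an attribute; ignored above, worth logging."""
    wanted = {"HTTP_" + n.upper().replace("-", "_") for n in names}
    return sorted(k for k in environ if k in wanted)


def application(environ, start_response):
    """Minimal WSGI app: 403 unless the SP supplied an eppn."""
    attrs = shib_attributes(environ)
    if "eppn" not in attrs:
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"no authenticated subject\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("hello " + attrs["eppn"][0] + "\n").encode("utf-8")]
```

In a Flask view the same dictionary is available as `request.environ`, so `shib_attributes(request.environ)` applies unchanged.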

