Securing headers in Apache2 when using it as a reverse proxy
nilskemail+shibboleth at gmail.com
Wed Sep 22 22:03:58 UTC 2021
We are currently setting up a service which uses Shibboleth for
Due to the nature of the application* it is not possible for us to use
mod_wsgi but instead we use Apache only as a reverse proxy.
To my knowledge the only way to achieve this is to pass the information
using HTTP headers (as neither localhost:... nor unix://... support setting
However, in the guide about SpoofChecking it says that there are no known
scenarios where environment variables cannot be used.
So I wonder if I am missing something as I cannot imagine that the
described scenario is rare?
*Written in Python using the ASGI standard. This is required as we have
multiple async features like Websockets and async communication with