Securing headers in Apache2 when using it as a reverse proxy

Nils Kattenbeck nilskemail+shibboleth at gmail.com
Wed Sep 22 22:03:58 UTC 2021


Hello everybody,

we are currently setting up a service which uses shibboleth for
authentication.
Due to the nature of the application* it is not possible for us to use
mod_wsgi but instead we use Apache only as a reverse proxy.
To my knowledge the only way to achieve this is to pass the information
using HTTP headers (as neither localhost:... nor unix://... support setting
environment variables).
However in the guide about SpoofChecking it says that there are no known
scenarios where environment variables cannot be used.
So I wonder if I am missing something as I cannot imagine that the
described scenario is rare?

Greetings
Nils

*Written in Python using the ASGI standard. This is required as we have
multiple async features like Websockets and async communication with
another server.
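
An added example, not part of the original post: one way an ASGI backend behind such a reverse proxy can refuse identity headers unless the direct peer is the proxy itself. The header names, the `identity` scope key and the trusted peer addresses are assumptions, and it presumes the SP at Apache clears client-supplied copies of these headers.

```python
# Assumed attribute header names; use the ones your SP is configured to emit.
IDENTITY_HEADERS = frozenset({b"remote-user", b"eppn"})


def _canon(name: bytes) -> bytes:
    # Treat "Remote_User" and "remote-user" as the same header so an
    # underscore variant cannot slip past the filter.
    return name.lower().replace(b"_", b"-")


def filter_headers(headers, peer, trusted_peers):
    """Return (other_headers, identity). Identity headers are always removed
    from the header list and only recorded when the direct peer is trusted."""
    trusted = peer is not None and peer[0] in trusted_peers
    kept, identity = [], {}
    for name, value in headers:
        key = _canon(name)
        if key not in IDENTITY_HEADERS:
            kept.append((name, value))
        elif trusted:
            if key in identity:  # two copies: refuse to guess which is real
                raise ValueError("duplicate identity header: %r" % key)
            identity[key] = value
    return kept, identity


class ProxyIdentityMiddleware:
    """ASGI middleware exposing identity as scope["identity"], not as headers."""

    def __init__(self, app, trusted_peers=("127.0.0.1", "::1")):
        self.app = app
        self.trusted_peers = frozenset(trusted_peers)

    async def __call__(self, scope, receive, send):
        if scope["type"] in ("http", "websocket"):
            try:
                headers, identity = filter_headers(
                    scope["headers"], scope.get("client"), self.trusted_peers)
            except ValueError:
                if scope["type"] == "http":
                    await send({"type": "http.response.start", "status": 400,
                                "headers": []})
                    await send({"type": "http.response.body", "body": b""})
                else:  # closing before accept rejects the handshake
                    await send({"type": "websocket.close", "code": 1008})
                return
            scope = dict(scope, headers=headers, identity=identity)
        await self.app(scope, receive, send)
```

The peer check only helps if the backend port or socket is reachable by nothing except Apache; a connection with no peer address (`client` is `None`) is treated as untrusted here.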