Securing headers in Apache2 when using it as a reverse proxy

Nils Kattenbeck nilskemail+shibboleth at
Wed Sep 22 22:03:58 UTC 2021

Hello everybody,

we are currently setting up a service which uses shibboleth for
Due to the nature of the application* it is not possible for us to use
mod_wsgi but instead we use Apache only as a reverse proxy.
To my knowledge the only way to archive this is to pass the information
using HTTP headers (as neither localhost:... nor unix://... support setting
environment variables).
However in the guide about SpoofChecking it says that there are no known
scenarios where environment variables cannot be used.
So I wonder if I am missing something as I cannot imagine that the
described scenario is rare?


*Written in Python using the ASGI standard. This is required as we have
multiple async features like Websockets and async communication with
another server.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list