The auth-passthrough AuthTrans SAF inspects an incoming HTTP request for client information encoded by a service-passthrough function running on an intermediate server. The client information includes the following:
The IP address from which the request originated, as encoded in the Proxy-ip header
The SSL/TLS session ID of the originating connection, as encoded in the Proxy-ssl-id header
The SSL/TLS cipher used by the originating client, as encoded in the Proxy-cipher, Proxy-keysize, and Proxy-secret-keysize headers
The SSL/TLS client certificate presented by the originating client, as encoded in the Proxy-issuer-dn, Proxy-user-dn, and Proxy-auth-cert headers.
When auth-passthrough detects encoded client information, it instructs the server to treat the request as if it had arrived directly from the originating client instead of through an intermediate server running service-passthrough.
The auth-passthrough SAF is optional. When used, auth-passthrough is used on the server instance that receives the request forwarded by service-passthrough.
Because auth-passthrough makes it possible to override information that may be used for authentication (for example, the IP address of the original request), it is important that only trusted clients and servers be allowed to connect to a server running auth-passthrough. As a minimal precaution, only servers behind a corporate firewall should run auth-passthrough; no internet-accessible server should run auth-passthrough. Further, if information about the originating client is not required, auth-passthrough should not be used.
The following obj.conf code demonstrates the use of auth-passthrough (note that these lines are not indented in a real obj.conf):
<Object name="default">
AuthTrans fn="auth-passthrough"
...
</Object>
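The trust decision described above, modelled as an added example (this is not the server's own SAF code, and it assumes an operator-maintained allow list of intermediate servers plus the header-to-field mapping shown): Proxy-* headers are honored only when the request arrives from a trusted service-passthrough server, and malformed values are ignored rather than guessed at.

```python
import ipaddress

# Request headers written by service-passthrough on the intermediate server,
# as listed on this page, mapped to the client-information field they carry.
PASSTHROUGH_HEADERS = {
    "proxy-ip": "ip",
    "proxy-ssl-id": "ssl_id",
    "proxy-cipher": "cipher",
    "proxy-keysize": "keysize",
    "proxy-secret-keysize": "secret_keysize",
    "proxy-issuer-dn": "issuer_dn",
    "proxy-user-dn": "user_dn",
    "proxy-auth-cert": "auth_cert",
}


def apply_auth_passthrough(peer_ip, headers, trusted_intermediates):
    """Decide what client information a request should be treated as carrying.

    peer_ip: address of the TCP peer that delivered the request.
    headers: request headers (names are matched case-insensitively).
    trusted_intermediates: CIDR strings for the servers permitted to run
        service-passthrough (an assumed operator-maintained allow list).
    Returns (client_info, verdict); verdict is "direct" (no Proxy-* headers),
    "passthrough" (headers honored) or "rejected" (headers ignored).
    """
    info = {field: None for field in PASSTHROUGH_HEADERS.values()}
    info["ip"] = peer_ip
    lowered = {name.lower(): value for name, value in headers.items()}
    encoded = {PASSTHROUGH_HEADERS[h]: lowered[h] for h in PASSTHROUGH_HEADERS if h in lowered}
    if not encoded:
        return info, "direct"
    # Proxy-* headers override authentication inputs, so honor them only when
    # the peer is a server trusted to have set them.
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(net) for net in trusted_intermediates):
        return info, "rejected"
    try:
        if "ip" in encoded:
            encoded["ip"] = str(ipaddress.ip_address(encoded["ip"]))
        for field in ("keysize", "secret_keysize"):
            if field in encoded:
                encoded[field] = int(encoded[field])
    except ValueError:
        # Malformed values, even from a trusted peer: fall back to the peer's
        # own connection details rather than guessing at the originating client.
        return info, "rejected"
    info.update(encoded)
    return info, "passthrough"
```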