
[reSIProcate] per-transport auth rules for repro



I've been thinking it may be useful to set different authentication
rules for each transport in the repro proxy.

Currently, the following options are only available globally:

DisableAuth
  - disables digest auth

EnableCertificateAuthenticator
  - enables checking From header against client/peer certs

WSCookieAuthSharedSecret
  - enables and requires an HMAC cookie on WebSockets


The only option available on a per-transport basis is:

Transport?TlsClientVerification = <'None'|'Optional'|'Mandatory'>


Per-transport settings may be useful for more precisely describing which
combination of auth methods is required on a given transport.  For
example, on a WebSocket (WS or WSS) transport you may want to insist
that any one of the three possible auth methods is used but it doesn't
matter which one.  On a regular TLS transport, you may want to specify
that either Digest or Cert is allowed and on another TLS transport you
may want to say it is Cert only.

It may look like this:

Transport1AuthSchemes = Cert, Digest

Or maybe it could be more elaborate, like PAM in Linux.

Has anybody else had any thoughts about this topic?
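
The following is an added sketch of the "any one of the listed schemes" semantics proposed in the message above. It is not part of the original post and is not repro code. `TransportNAuthSchemes` is the option proposed in the message and does not exist in repro; the scheme name `WSCookie`, the `#` comment handling, and the digest-only fallback for transports with no line are assumptions made for illustration.

```python
import re

# "Cert" and "Digest" come from the proposal; "WSCookie" is an assumed
# name for the WebSocket HMAC cookie method.
KNOWN_SCHEMES = {"Cert", "Digest", "WSCookie"}
_LINE = re.compile(r"^Transport(\d+)AuthSchemes\s*=\s*(.*)$")


def parse_auth_schemes(config_text):
    """Return {transport number: set of acceptable scheme names}.

    Fails closed: an unknown scheme name or an empty list raises, so a
    typo can never silently leave a transport with no usable auth rule.
    """
    policy = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # assumed '#' comment syntax
        m = _LINE.match(line)
        if not m:
            continue  # unrelated option or blank line
        schemes = {s.strip() for s in m.group(2).split(",") if s.strip()}
        unknown = schemes - KNOWN_SCHEMES
        if unknown or not schemes:
            raise ValueError(f"bad auth scheme list: {line!r}")
        policy[int(m.group(1))] = schemes
    return policy


def is_authorized(policy, transport, satisfied, default=frozenset({"Digest"})):
    """True if the request passed at least one scheme allowed on its transport.

    `satisfied` is the set of schemes the request actually passed.
    Transports without a line fall back to `default` (assumed: digest only).
    """
    allowed = policy.get(transport, default)
    return bool(allowed & set(satisfied))


# Constructed sample config covering the three cases described in the message.
SAMPLE = """\
Transport1AuthSchemes = Cert, Digest, WSCookie   # WSS: any one of the three
Transport2AuthSchemes = Cert, Digest             # TLS: digest or cert
Transport3AuthSchemes = Cert                     # TLS: cert only
"""
```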