[reSIProcate] per-transport auth rules for repro
Daniel Pocock
daniel at pocock.pro
Fri Apr 24 15:20:36 CDT 2015
I've been thinking it may be useful to set different authentication
rules for each transport in the repro proxy.

Currently, the following options are only available globally:

  DisableAuth
    - disables digest auth

  EnableCertificateAuthenticator
    - enables checking the From header against client/peer certs

  WSCookieAuthSharedSecret
    - enables and requires an HMAC cookie on WebSockets

The only option available on a per-transport basis is:

  Transport?TlsClientVerification = <'None'|'Optional'|'Mandatory'>

Per-transport settings may be useful for more precisely describing which
combination of auth methods is required on a given transport. For
example, on a WebSocket (WS or WSS) transport you may want to insist
that any one of the three possible auth methods is used but it doesn't
matter which one. On a regular TLS transport, you may want to specify
that either Digest or Cert is allowed and on another TLS transport you
may want to say it is Cert only.

It may look like this:

  Transport1AuthSchemes = Cert, Digest

Or maybe it could be more elaborate like PAM in Linux.

Has anybody else had any thoughts about this topic?
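
The following is an added illustration, not part of the original post and not repro code: one way the proposed per-transport scheme list could be evaluated, assuming any one listed scheme is sufficient. The scheme name WSCookie, the Decision type, both functions and the simplified transport names are hypothetical; the point is that typos, empty lists and schemes that cannot work on a transport (Cert with TlsClientVerification = None) are reported as configuration errors rather than silently weakening authentication.

```cpp
// Added illustration: evaluates the proposed per-transport scheme list.
// TransportNAuthSchemes is only a proposal in this post; the parsing and
// "any one listed scheme suffices" semantics here are assumptions.
#include <algorithm>
#include <cctype>
#include <set>
#include <sstream>
#include <string>

enum class Decision { Accept, Reject, ConfigError };

// Parse "Cert, Digest" into a set of names; unknown names invalidate the list.
static bool parseSchemes(const std::string& value, std::set<std::string>& out) {
    static const std::set<std::string> known = {"Digest", "Cert", "WSCookie"};
    std::stringstream ss(value);
    std::string item;
    while (std::getline(ss, item, ',')) {
        item.erase(std::remove_if(item.begin(), item.end(),
                                  [](unsigned char c) { return std::isspace(c) != 0; }),
                   item.end());
        if (item.empty()) continue;
        if (known.count(item) == 0) return false;  // a typo must not weaken auth
        out.insert(item);
    }
    return !out.empty();  // an empty list is never read as "no auth required"
}

// transportType: "UDP", "TCP", "TLS", "WS" or "WSS" (simplified set).
// tlsClientVerification: the existing per-transport None/Optional/Mandatory value.
// presented: schemes for which the request has already passed verification.
Decision evaluate(const std::string& schemesValue, const std::string& transportType,
                  const std::string& tlsClientVerification,
                  const std::set<std::string>& presented) {
    std::set<std::string> allowed;
    if (!parseSchemes(schemesValue, allowed)) return Decision::ConfigError;
    const bool isTls = transportType == "TLS" || transportType == "WSS";
    const bool isWs = transportType == "WS" || transportType == "WSS";
    // Drop schemes that can never succeed on this transport.
    if (!isTls || tlsClientVerification == "None") allowed.erase("Cert");
    if (!isWs) allowed.erase("WSCookie");
    if (allowed.empty()) return Decision::ConfigError;  // nobody could ever log in
    for (const std::string& s : presented)
        if (allowed.count(s)) return Decision::Accept;
    return Decision::Reject;
}

int main() {
    return evaluate("Cert, Digest", "TLS", "Optional", {"Digest"}) == Decision::Accept ? 0 : 1;
}
```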