
Pound reverse proxy authorisation

or maybe you spell it authorization

I wanted to protect my personal/family intranet web site, but also to allow limited access from the bad Internet for when I'm away, or for family members, without requiring passwords or logins when connecting from the intranet.

The obvious choice, to me, was an SSL-capable reverse proxy that allows access to my Apache server, or any other web service in the private network. My first thought was Orenosp, which I had used successfully on Windows with IIS in the past.

Orenosp is now chargeable, however, and at over $100 a pop it was more than I wanted to pay, so I looked for an alternative and couldn't find what I wanted. I decided that Pound was close to what I needed, with the exception of built-in authorisation, so I set about modifying v2.2, and this is the result.

Authorisation mechanism

This first version uses a simple question and response, although extending it to use users, groups and a password file shouldn't be difficult. It uses an authorisation token sent to the client as a cookie, which has a life of ten minutes. Every five minutes, while sessions are active, a new token is generated and clients receive the updated token in their cookie. The old token is kept for the remainder of its ten-minute life, so at any moment both the current and the previous token are accepted. If a browser is inactive for ten minutes or more, its token will match neither the current nor the previous token and authorisation will fail.

If a request arrives for a page and carries no valid token, the request is not proxied to the backend; instead a login screen is returned to the client. If the submitted login is successful, a redirect response is sent to the client, with the current token set as a cookie, directing the client to the originally requested page.

Tokens are built from the date and time, the request string and the response, and are converted to a token with an MD5 hash. Neither the time nor the request string is secret, so a token is only as hard to guess as the Response string; choose it accordingly.

Limitations

This version has no means of carrying forward anything other than the request, with any GET parameters. Should a POST request fail authorisation, the redirect after login will have lost the POST data. The original request is persisted in a hidden form field on the login page, and POST data could be handled the same way, although there may be a size limitation.
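The token rotation described under "Authorisation mechanism" and the login/redirect flow with its hidden form field are easy to get subtly wrong (which windows are accepted, when the rotated token is handed out), so here is a small Python model of the scheme. It is an added example, not the author's C patch to Pound: the cookie name `PoundAuth`, the login URL `/_login`, the exact byte layout that is MD5-hashed, and the check that the redirect target is a local path are all assumptions of this example, not things the page specifies.

```python
import hashlib
import hmac
import html

# Constructed model of the scheme described above; the names here are assumptions.
ROTATE_SECS = 5 * 60       # a new token is generated every five minutes
COOKIE_NAME = "PoundAuth"  # hypothetical cookie name (the page does not give one)
LOGIN_PATH = "/_login"     # hypothetical URL the login form posts to


class AuthGate:
    """Question/response gate in front of a backend, with one shared rotating token."""

    def __init__(self, question, response):
        self.question = question
        self.response = response

    def window(self, now):
        """Index of the five-minute window that contains `now` (epoch seconds)."""
        return int(now) // ROTATE_SECS

    def token(self, window):
        """Token for one window: MD5 over the time, question and response, as the
        page describes. Only the response is secret, so the token is no harder to
        guess than the response itself."""
        data = "%d|%s|%s" % (window, self.question, self.response)
        return hashlib.md5(data.encode()).hexdigest()

    def valid_tokens(self, now):
        """(current, previous): a token is still accepted for one window after rotation,
        so a token issued at the start of a window lives for ten minutes."""
        w = self.window(now)
        return self.token(w), self.token(w - 1)

    def is_authorised(self, cookie, now):
        """Accept the current or the previous token, comparing in constant time."""
        if not cookie:
            return False
        return any(hmac.compare_digest(cookie.encode(), t.encode())
                   for t in self.valid_tokens(now))

    def login_page(self, orig):
        """Login screen; the originally requested path rides along in a hidden field."""
        body = ('<form method="POST" action="%s">%s <input name="response">'
                '<input type="hidden" name="orig" value="%s">'
                '<input type="submit" value="Go"></form>'
                % (LOGIN_PATH, html.escape(self.question), html.escape(orig, quote=True)))
        return 200, {}, body

    def handle(self, method, path, cookies, form, now):
        """Return (status, headers, body); a body of "PROXY" means hand off to the backend."""
        current, _previous = self.valid_tokens(now)
        if method == "POST" and path == LOGIN_PATH:
            orig = form.get("orig", "/")
            if not orig.startswith("/") or orig.startswith("//"):
                orig = "/"   # assumption: only redirect back to a local path
            if hmac.compare_digest(form.get("response", "").encode(),
                                   self.response.encode()):
                return 302, {"Location": orig,
                             "Set-Cookie": "%s=%s" % (COOKIE_NAME, current)}, ""
            return self.login_page(orig)   # wrong answer: ask again
        cookie = cookies.get(COOKIE_NAME)
        if not self.is_authorised(cookie, now):
            return self.login_page(path)   # no or expired token: login screen, not the backend
        headers = {}
        if cookie != current:
            # client still holds the previous token: hand out the rotated one
            headers["Set-Cookie"] = "%s=%s" % (COOKIE_NAME, current)
        return 200, headers, "PROXY"


if __name__ == "__main__":
    gate = AuthGate("What's my secret?", "banana")
    t0 = 1000 * ROTATE_SECS
    print(gate.handle("GET", "/private?x=1", {}, {}, t0))
    print(gate.handle("POST", LOGIN_PATH, {}, {"response": "banana", "orig": "/private?x=1"}, t0))
```

Note the effective lifetime: a token minted near the end of a five-minute window is accepted for only a little over five minutes, since it becomes "previous" at the next rotation and is dropped at the one after. The page's "ten minutes" is the upper bound.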

The changes

I introduced a new source file, which can be downloaded here - auth.c, and made some changes to pound.h, http.c and config.c, as well as to makefile.in. The diff for these files can be found here - authdiff.

I haven't updated the man page, but to enable it you add the two directives Question and Response to a ListenHTTP or ListenHTTPS section, e.g.

ListenHTTPS
  Address 192.168.34.100
  Port 443
  Cert "/etc/pound/server.pem"
  Question "What's my secret?"
  Response "banana"

  Service
    BackEnd
      Address 127.0.0.1
      Port 80
    End
  End
End


Last modified 7 April 2015

Shew & Son

Copyright Pete & Julie Shew