Overriding proxy response

John Morrissey jwm at horde.net
Thu Sep 10 04:50:40 CEST 2009


On Wed, Sep 09, 2009 at 11:08:43PM +0100, Ivan Kalik wrote:
> > I would like to override failed (rejected, timed out) proxy responses with
> > local authentication data. IOW, if the proxy request fails, I want to
> > process the request locally.
> 
> This is documented in post-proxy section.

I assume you mean the stock configuration's sites-available/default
post-proxy section.

It certainly says the request may be 'massaged' there, but does not indicate
how to go about the more advanced 'massaging' I asked after in my post.
The only thing that even comes close in the sample configuration is
attr_rewrite, which is far too simplistic for what I'm looking to do.

Again, what I'm after is to process the request locally for unresponsive
proxies or proxy Access-Rejects. By 'process the request locally,' I mean
achieve the same effect as if the request was re-run through the authorize
and authenticate sections. I've looked into achieving this with rlm_perl.

I see two problems with using an rlm_perl post-proxy handler to 'massage'
the reply in this way.

First, FreeRADIUS functionality would need to be duplicated in the
post-proxy handler, particularly any authentication methods I wish to use,
since there is no apparent way to call the authenticate handlers in
FreeRADIUS modules at this point.

Secondly, the response code is not available in the hashes passed to
rlm_perl modules, so rlm_perl handlers cannot change it.

john
-- 
John Morrissey          _o            /\         ----  __o
jwm at horde.net        _-< \_          /  \       ----  <  \,
www.horde.net/    __(_)/_(_)________/    \_______(_) /_(_)__



More information about the Freeradius-Users mailing list