Overriding proxy response
I would like to override failed (rejected, timed out) proxy responses with local authentication data. IOW, if the proxy request fails, I want to process the request locally. It looks like the proxy reply trumps local authorization/authentication, and I can't find a way to override the proxy's response code. %REQUEST_PROXY_REPLY in rlm_perl doesn't contain the response code. If this was the opposite way (don't proxy for accounts that exist locally), it seems I could remove Proxy-To-Realm to prevent proxying. Is there a way to do the opposite (perform proxying and override the proxy's response with local auth)? john -- John Morrissey _o /\ ---- __o jwm@horde.net _-< \_ / \ ---- < \, www.horde.net/ __(_)/_(_)________/ \_______(_) /_(_)__
On Wed, Sep 09, 2009 at 11:08:43PM +0100, Ivan Kalik wrote:
I would like to override failed (rejected, timed out) proxy responses with local authentication data. IOW, if the proxy request fails, I want to process the request locally.
This is documented in post-proxy section.
I assume you mean the stock configuration's sites-available/default post-proxy section. It certainly says the request may be 'massaged' there, but does not indicate how to go about the more advanced 'massaging' I asked after in my post. The only thing that even comes close in the sample configuration is attr_rewrite, which is far too simplistic for what I'm looking to do. Again, what I'm after is to process the request locally for unresponsive proxies or proxy Access-Rejects. By 'process the request locally,' I mean achieve the same effect as if the request was re-run through the authorize and authenticate sections. I've looked into achieving this with rlm_perl. I see two problems with using an rlm_perl post-proxy handler to 'massage' the reply in this way. First, FreeRADIUS functionality would need to be duplicated in the post-proxy handler, particularly any authentication methods I wish to use, since there is no apparent way to call the authenticate handlers in FreeRADIUS modules at this point. Secondly, the response code is not available in the hashes passed to rlm_perl modules, so rlm_perl handlers cannot change it. john -- John Morrissey _o /\ ---- __o jwm@horde.net _-< \_ / \ ---- < \, www.horde.net/ __(_)/_(_)________/ \_______(_) /_(_)__
John Morrissey wrote:
I would like to override failed (rejected, timed out) proxy responses with local authentication data. IOW, if the proxy request fails, I want to process the request locally.
That can't really be done with the current server. You will need to hack the source code to get this done.
It looks like the proxy reply trumps local authorization/authentication, and I can't find a way to override the proxy's response code.
Yes. There is usually ONE source for authentication. Turning a reject into an accept is a *very* unusual practice.
If this was the opposite way (don't proxy for accounts that exist locally), it seems I could remove Proxy-To-Realm to prevent proxying.
Is there a way to do the opposite (perform proxying and override the proxy's response with local auth)?
No. Alan DeKok.
Hi,
John Morrissey wrote:
I would like to override failed (rejected, timed out) proxy responses with local authentication data. IOW, if the proxy request fails, I want to process the request locally.
That can't really be done with the current server. You will need to hack the source code to get this done.
I guess this can be done with current system by configuring a local virtual server and adding that to the pool list for that proxy realm. this would mean that if one (or more) proxies failed then this local virtual server would eventually get hit...of course, this would *NOT* work if a remote proxy did send back a REJECT . a reject is pretty much end of line...and always should be IMHO (who are you to question a remote authentications knowledge? ;-) ) alan
participants (4)
-
Alan Buxey -
Alan DeKok -
Ivan Kalik -
John Morrissey