Jéjé
Tue Mar 01 14:21:00 CST 2005
Thanks for the link.
But after some searching, I have created my own proxy which supports
authentication delegation and HTML content rewriting. :-)
"Dino Chiesa [Microsoft]" <dinoch@online.microsoft.com> wrote in message
news:%23tQcKDpHFHA.2740@TK2MSFTNGP12.phx.gbl...
> FYI, there is an ISAPI rewriter like Apache's mod_rewrite; it is free and
> available here:
>
> http://cheeso.members.winisp.net/examples.aspx#Misc
>
> Does not do authentication delegation. Does not do proxying, but it should
> be simple to add.
>
> -Dino
>
>
> "Jéjé" <willgart@BBBhotmailAAA.com> wrote in message
> news:uc3JWZmDFHA.1264@TK2MSFTNGP12.phx.gbl...
>> It's ok now
>> after a lot of tests and research...
>>
>> I have found a utility to do a part of my job... and now I have my proxy
>> system!
>> (with html content rewriter)
>>
>> I have to test it more, for the moment the security is applied (only
>> basic authentication tested) and I support sessions, cookies, images
>> etc...
>>
>> "David Wang [Msft]" <someone@online.microsoft.com> wrote in message
>> news:uxCevfdDFHA.3120@TK2MSFTNGP15.phx.gbl...
>>> Apache proxypass is not going to work for all but the simplest cases.
>>> There's a reason that dedicated Proxy Servers exist... Consider the
>>> following:
>>>
>>> 1. Authentication Delegation - the only ones that can be trivially done
>>> are Basic and cookie-based authentication. Integrated Authentication
>>> (NTLM) cannot be delegated (redirection=delegation) because it is
>>> connection-based -- your forwarder is considered a man-in-the-middle
>>> security attack if it could redirect. Integrated Authentication
>>> (Kerberos) can be delegated (it is ticket-based security -- far more
>>> secure than clear text and no restriction of connection-based -- just
>>> requires more servers [KDC] and must establish trust somehow [i.e. use
>>> Active Directory]).
>>> 2. Reverse Proxy - Suppose the proxy rewrites http://ExternalServer to
>>> http://InternalServer -- on Reverse Proxy, it needs to rewrite all
>>> http://InternalServer links in the content to http://ExternalServer.
>>> This is non-trivial to do when you add in 30x redirection, multiple
>>> names for InternalServer/ExternalServer, and relative URLs. proxypass is
>>> doing a very basic implementation here (according to the mod_proxy
>>> maintainer himself), and you must write HTML in certain ways to help out
>>> the outbound rewriting.
>>> 3. SSL Certificate Remapping / SSL Traffic Capture -- this cannot be
>>> done -- it is essentially a man-in-the-middle attack against the remote
>>> user's certificate and invalidates the whole notion that SSL traffic is
>>> secure between sender and recipient -- so no intervening proxy will be
>>> able to sniff/log SSL data -- only the terminal server or client can do
>>> this.
>>>
>>>
>>> For your simple scenario (delegate Clear text authentication + link
>>> rewriting), Apache proxypass may work but you'll have to test it.
>>>
>>> --
>>> //David
>>> IIS
>>> http://blogs.msdn.com/David.Wang
>>> This posting is provided "AS IS" with no warranties, and confers no
>>> rights.
>>> //
>>> "Jéjé" <willgart_A_@hotmail_A_.com> wrote in message
>>> news:eFUnSHWDFHA.464@TK2MSFTNGP15.phx.gbl...
>>> isapirewrite can't handle 1 need: rewriting the HTML content to change
>>> any reference to my HTTP back end server to my HTTP front end server.
>>>
>>> and I have to call my backend server only when I'm in clear/text
>>> authentication; with integrated authentication I have no problem
>>> redirecting the user directly, because there is no prompt for a
>>> login/password.
>>>
>>> I have other choices to investigate...
>>> but if you have any other idea... ;-)
>>>
>>>
>>> "Becker" <ben@benbecker.net> wrote in message
>>> news:%23rZjhjRDFHA.3084@TK2MSFTNGP10.phx.gbl...
>>>> I'm looking for the same thing. I did see this solution:
>>>> http://www.isapirewrite.com/
>>>>
>>>> I've also been using apache proxypass to do this. The only problem
>>>> with this solution is I can't get it to work with IIS authentication
>>>> and it requires that you have apache running on a server somewhere to
>>>> do the redirect. It is free though.
>>>>
>>>> Becker
>>>>
>>>> "Jéjé" <willgart@BBBhotmailAAA.com> wrote in message
>>>> news:ejCnlVKDFHA.4020@TK2MSFTNGP14.phx.gbl...
>>>>> Hi,
>>>>>
>>>>> I'm looking for an ISAPI filter (or anything like this) to redirect
>>>>> any request made to a virtual folder to a back end server (like a web
>>>>> proxy does)
>>>>>
>>>>> http://mycomputer1/virtualfolder --> http://mycomputer2/virtualfolder
>>>>>
>>>>> This filter must support authentication delegation.
>>>>>
>>>>> thanks for your help
>>>>>
>>>>> Jerome.
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>
>
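
Added example, not code from any poster in this thread: the outbound rewriting described in David Wang's point 2, in Python, covering 30x `Location` headers, several names for the internal server, and relative URLs, plus a check for internal names that survive rewriting. The alias list, the `corp.example` name, the IP address and the sample response are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Assumed names: every alias the back end uses for itself, and the public base URL.
INTERNAL_HOSTS = {"internalserver", "internalserver.corp.example", "10.0.0.5"}
EXTERNAL_BASE = urlsplit("http://externalserver")

# Quoted href/src/action values only. URLs built in script or CSS are not
# seen by this pattern, which is the limitation residual_internal_refs reports.
ATTR_RE = re.compile(r"""(\b(?:href|src|action)\s*=\s*)(["'])(.*?)\2""", re.I | re.S)

def map_url(url):
    """Map an absolute URL on an internal alias to the external name; others pass through."""
    try:
        parts = urlsplit(url)
    except ValueError:          # malformed URL: leave it alone
        return url
    if parts.hostname not in INTERNAL_HOSTS:   # hostname is lowercased, port dropped
        return url                             # relative URL or foreign host
    return urlunsplit((EXTERNAL_BASE.scheme, EXTERNAL_BASE.netloc,
                       parts.path, parts.query, parts.fragment))

def rewrite_response(headers, body):
    """Rewrite redirect headers and HTML links in a back-end response."""
    out, is_html = {}, False
    for name, value in headers.items():
        lname = name.lower()
        if lname in ("location", "content-location"):
            value = map_url(value)          # 30x redirects to the internal name
        elif lname == "content-type":
            is_html = value.lower().startswith("text/html")
        out[name] = value
    if is_html:
        body = ATTR_RE.sub(
            lambda m: m.group(1) + m.group(2) + map_url(m.group(3)) + m.group(2), body)
        out = {k: v for k, v in out.items() if k.lower() != "content-length"}
        out["Content-Length"] = str(len(body.encode("utf-8")))  # length changed
    return out, body

def residual_internal_refs(text):
    """Internal names still present after rewriting (to log or alert on)."""
    low = text.lower()
    return sorted(h for h in INTERNAL_HOSTS
                  if re.search(r"(?<![\w.-])" + re.escape(h) + r"(?![\w.-])", low))

# Constructed sample response, not taken from the thread.
SAMPLE_HEADERS = {"Content-Type": "text/html", "Location": "http://InternalServer:8080/app/"}
SAMPLE_BODY = ('<a href="http://internalserver.corp.example/a.aspx">a</a>'
               '<img src="/img/x.png"><script>var u="http://10.0.0.5/api";</script>')
```

Running `residual_internal_refs` on the rewritten sample body still reports `10.0.0.5`, because the URL assembled inside the script is outside what attribute rewriting can reach.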