From b0633ba1f454b9b09d646ff0b512f5d13a0f236e Mon Sep 17 00:00:00 2001 From: Robin McCorkell Date: Tue, 18 Jun 2013 17:50:28 +0200 Subject: [PATCH] Add check for remote_user variable for trusted proxy auth If trusted proxy authentication is on, yet the proxy did not authenticate the user, then the default authentication method is used instead of returning 'Unauthorized'. --- Apache/SOGo.conf | 14 +++++++++++++- Main/SOGo.m | 2 +- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/Apache/SOGo.conf b/Apache/SOGo.conf index bfe7560ba..3dd0df476 100644 --- a/Apache/SOGo.conf +++ b/Apache/SOGo.conf @@ -26,12 +26,23 @@ Alias /SOGo/WebServerResources/ \ ## need to set the "SOGoTrustProxyAuthentication" SOGo user default to YES and ## adjust the "x-webobjects-remote-user" proxy header in the "Proxy" section ## below. +# +## For full proxy-side authentication: # # AuthType XXX # Require valid-user # SetEnv proxy-nokeepalive 1 # Allow from all # +# +## For proxy-side authentication only for CardDAV and GroupDAV from external +## clients: +# +# AuthType XXX +# Require valid-user +# SetEnv proxy-nokeepalive 1 +# Allow from all +# ProxyRequests Off SetEnv proxy-nokeepalive 1 @@ -64,7 +75,8 @@ ProxyPass /SOGo http://127.0.0.1:20000/SOGo retry=0 ## When using proxy-side autentication, you need to uncomment and ## adjust the following line: -# RequestHeader set "x-webobjects-remote-user" "%{REMOTE_USER}e" + RequestHeader unset "x-webobjects-remote-user" +# RequestHeader set "x-webobjects-remote-user" "%{REMOTE_USER}e" env=REMOTE_USER RequestHeader set "x-webobjects-server-protocol" "HTTP/1.0" diff --git a/Main/SOGo.m b/Main/SOGo.m index 2eb4a9bd8..c3b015771 100644 --- a/Main/SOGo.m +++ b/Main/SOGo.m @@ -283,7 +283,7 @@ static BOOL debugLeaks; { id authenticator; - if (trustProxyAuthentication) + if (trustProxyAuthentication && [[context request] headerForKey: @"x-webobjects-remote-user"]) authenticator = [SOGoProxyAuthenticator sharedSOGoProxyAuthenticator]; else {
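Review bot: In the second Apache/SOGo.conf hunk the comment still says to "uncomment and adjust the following line", but two lines now follow it, and the active `RequestHeader unset "x-webobjects-remote-user"` has to stay enabled in every setup. That line is what keeps a client-supplied value from reaching SOGo, so I would add a comment directly above it such as `## Always drop any client-supplied x-webobjects-remote-user; keep this before the "set" line below.` The `env=REMOTE_USER` condition on the commented `set` line deserves a sentence too, because the new check in Main/SOGo.m selects the proxy authenticator on the presence of the header alone. The enclosing proxy section starts outside the hunk.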
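Review bot: The new condition in Main/SOGo.m tests only that `x-webobjects-remote-user` is present, so an empty value still selects SOGoProxyAuthenticator, as presumably would a placeholder value forwarded by a proxy configured without `env=REMOTE_USER`. Testing the length is stricter: `if (trustProxyAuthentication && [[[context request] headerForKey: @"x-webobjects-remote-user"] length] > 0)`. Since the header now decides which authenticator handles the request, a comment above the `if` would help, e.g. `/* The header is trusted only because the front-end proxy unsets and re-sets it; see Apache/SOGo.conf */`. The method's signature and the body of the `else` branch are outside the hunk, so how the fallback authenticator treats these requests is not visible here.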