
Reference Manual of DeleGate

DeleGate reference manual version 9.9 / Authorization generation
Authorization generation

AUTH=authgen:basic:authString
Generate "Authorization: Basic authString" in an HTTP request header to be forwarded to a server, if the request does not have an original Authorization field from the client. The authString should be "userName:passWord". The following special strings stand for attributes of the client.

    %u -- user name obtained using the Ident protocol
    %h -- host name of the client obtained from the socket
    %i -- host name of the network interface to the client
    %I -- like %i, but uses the value of "Host:" if given in HTTP
    %a -- host address of the client
    %n -- network address of the client
    %H -- hostname of the DeleGate
    %M -- the ADMIN of the DeleGate
    %A -- string generated by "CMAP=string:authgen:mapSpec"
    %U -- username part of client's [Proxy-]Authorization: username:password
    %P -- password part of client's [Proxy-]Authorization: username:password

Example:

    When the firewall has two network interfaces, and internal and external hosts access it through different interfaces, they can be distinguished by the name of the interface.
      AUTH="authgen:basic:%i:%h"
    Otherwise, the internal network should be explicitly defined using CMAP as follows.
      AUTH="authgen:basic:%A"
      CMAP="{internal:passWord}:authgen:*:*:{InternalNetList}"
      CMAP="{external:passWord}:authgen:*:*:*"

A generated password is formatted as "passWord/%i", and a DeleGate rejects incoming requests whose Authorization field matches that pattern. Thus a forged password cannot pass the DeleGate on the host "%i".
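
The generation and rejection behaviour described above, modelled in Python as an added example (not DeleGate's own code). It assumes the value after "Basic" is the base64 encoding used by HTTP Basic authentication, that the text before the first ":" of the expanded authString is the user name, and that "/%i" is appended to the password; the function names and attribute values are hypothetical.

```python
import base64
import re

# Constructed client attributes (not from a real DeleGate session).
ATTRS = {
    "u": "alice",                 # %u: Ident user name
    "h": "pc1.internal.example",  # %h: client host name
    "i": "fw-int.example",        # %i: interface host name facing the client
    "a": "192.0.2.10",            # %a: client host address
}

def expand(auth_string, attrs):
    """Substitute %X specifiers; unknown ones are left as written."""
    return re.sub(r"%([A-Za-z])",
                  lambda m: attrs.get(m.group(1), m.group(0)), auth_string)

def decode_basic(value):
    """Return (user, password) from a 'Basic <base64>' value, or None."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode()
    except ValueError:  # bad base64 or non-UTF-8 bytes
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def looks_generated(value, iface):
    """True if the password has the generated 'passWord/%i' shape."""
    creds = decode_basic(value)
    return creds is not None and creds[1].endswith("/" + iface)

def outgoing_authorization(auth_string, attrs, client_auth=None):
    """Return the Authorization value to forward, or None to reject."""
    if client_auth is not None:
        # An original client field is kept unless it imitates a generated one.
        return None if looks_generated(client_auth, attrs["i"]) else client_auth
    user, _, password = expand(auth_string, attrs).partition(":")
    raw = f"{user}:{password}/{attrs['i']}"  # assumed "passWord/%i" layout
    return "Basic " + base64.b64encode(raw.encode()).decode()
```

The model makes visible which parts of the generated credential originate with the client (for example %u from Ident, or %U and %P from the client's own header), which matters when an origin server treats the generated header as an identity assertion.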