OSSP CVS Repository

ossp - Check-in [2557]
Not logged in 		[Honeypot]  [Browse]  [Home]  [Login]  [Reports
[Search]  [Ticket]  [Timeline
  [Patchset]  [Tagging/Branching

Check-in Number: 2557
Date: 2002-Oct-06 20:40:35 (local)
2002-Oct-06 18:40:35 (UTC)
User:rse
Branch:
Comment: fill OSSP sorp area with already existing material
Tickets:
Inspections:
Files:
ossp-pkg/sorp/BRAINSTORM.txt      added-> 1.1
ossp-pkg/sorp/SPEC.txt      added-> 1.1
ossp-pkg/sorp/BRAINSTORM.txt -> 1.1 

*** /dev/null    Thu May  2 20:07:10 2024
--- -    Thu May  2 20:07:58 2024
***************
*** 0 ****
--- 1,65 ----
+ 
+ OSSP sorp BRAINSTORMING
+ =======================
+ 
+ Currently:
+ - PESP: Apache+mod_rewrite+MySQL+mod_proxy
+ - IT Intranet: Apache+mod_rewrite+mod_proxy
+ - IS Intranet: Apache+mod_php+MySQL
+ 
+ Purposes:
+ - HTTPS to HTTP gateway
+ - HTTPS sticky pass-through
+ - user single-sign on & sticky authentication (user-id|client-cert -> session id)
+ - remote session tracking (session id -> user id + information) 
+ - load balancing over multiple backend servers
+ - backend response caching
+ 
+ Possibilities:
+ - Apache+mod_rewrite+mod_proxy+?
+ - Pound: http://www.apsis.ch/pound/
+ - Squid?
+ - Apache mod_proxy_add_forward: http://develooper.com/code/mpaf/
+   Apache mod_rpad: http://stderr.net/apache/rpaf/
+ - Stunnel
+ - Symbion SSL Proxy: http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/sslproxy/
+ 
+ Libraries:
+ - libcurl
+ - pth
+ - sa
+ - cfg
+ 
+ Prerequisites:
+ - polling abstraction library (kqueue, poll, select, /dev/poll, etc) for Pth and stand-alone
+ - SSL support for OSSP sa
+ 
+ Applications:
+ - NMIT PESP web portal frontend server
+ - IT Operations Intranet frontend server
+ - IS Operations North Europe Intranet frontend server
+   - MOF
+   - ChangeLog
+   - Team.xmldb
+   - ChangeLog
+ 
+ Tables
+ ======
+ 
+ Session
+ -------
+ session_id       /* unique session id */
+ session_expire   /* expire time of session */
+ session_scope    /* scope/grade/level of session (login, visit, etc.) */
+ account_id       /* unique account id (attached user account) */
+ 
+ Account
+ -------
+ account_id       /* unique account id */
+ account_pw       /* password of account */
+ account_name     /* realname of account holder */
+ account_location /* realname of account holder */
+ ...
+ groups...
+ 
+

ossp-pkg/sorp/SPEC.txt -> 1.1 

*** /dev/null    Thu May  2 20:07:10 2024
--- -    Thu May  2 20:07:58 2024
***************
*** 0 ****
--- 1,141 ----
+ 
+ OSSP sorp SPECIFICATION
+ =======================
+ 
+ Mandatory Requirements
+ ----------------------
+ 
+ o URL rewriting on redirects and in HTML content (hyperlinks)
+   (important for full backend hiding and avoiding of by-passing traffic)
+ 
+ o full HTTP/1.0 and HTTP/1.1 compliant frontend service
+   (important for full conformance with browser features and performance)
+   => apache, squid, ??
+ 
+ o HTTPS/HTTP 1.0/1.1 to HTTPS/HTTP 1.0/1.1 proxy functionality for
+   backend service
+   (to reduce load and complexity on backends)
+   => apache, squid, ??
+ 
+ o forwarding of client IP and HTTP/1.1 "Host:" header to backend servers
+   (for correct logging and virtual hosting on backends)
+   => apache mod_xxx, ??
+ 
+ o backend service selection based on
+   - HTTP/1.1 Host header
+     (for real virtual hosting on frontend)
+   - URL rewriting rule (or at least URL prefix matching)
+     (for seamless linking of backends into frontend URL namespace)
+   - user authentication information
+     (for sticky user backends, etc.)
+   => apache mod_rewrite?
+ 
+ o user single sign-on with stickyness and automatic sign-on expiring
+   (for comfortable sign-on over browser restarts and security)
+ 
+ o authentication via one or more of the following credentials:
+   - userid+passwd
+     (for standard authentication)
+   - SSL client certificate
+     (for elegant authentication)
+   - host-based ACL
+     (for by-pass authentication)
+ 
+ - authentication backends:
+   - Kerberos Tickets?
+   - LDAP?
+   - SQL?
+   - S/Key OTP?
+   - PAM?
+   - SASL?
+   - Local PW
+ 
+ o mapping of incoming (and successfully authenticated) authentication method
+   and identity to perhaps different authentication method and identity on 
+   backend server communication.
+ 
+ o automatic session tracking in frontend service
+   (for reducing complexity on backends)
+   - via HTTP Cookie key "session" (read-write)
+   - via URL QUERY_STRING key "session" (read-write)
+   - via SSL client certificate (read-only)
+ 
+ o easy remote session information retrival from backend servers
+   (for storing sessions on frontend only and still have on backends)
+ 
+ o extendable user session information set
+   (for flexibility in the backends and to avoid DBs there, too)
+ 
+ o easy administration of user accounts (passwords!)
+   and session information via Web UI
+   (for obvious administration of whole setup)
+ 
+ o allow bookmarking of subpages by redirecting from subpage
+   request to login on missing session and after loggin in again back to subpage
+   (for supporting subpage bootmarking)
+ 
+ Optional Requirements
+ ---------------------
+ 
+ o HTTPS sticky pass-through connections
+   (for HTTPS on backends)
+ 
+ o server side include (SSI) or other dynamic content expansion
+   in backend response on frontend server
+   (for global navigation bars, headers, footers, etc)
+ 
+ o load balancing over multiple backend servers
+   (for performance)
+ 
+ o automatic backend disabling on downtime/error if multiple backends exist
+ 
+ o caching of backend responses
+   (for performance)
+ 
+ o content manipulations
+   - splash screen additions
+   - header/footer/css additions
+   - watermark additions
+   (for global services)
+ 
+ o pre-fetching from backend servers of inline images and referenced pages
+ 
+ Run-time Pseudocode
+ -------------------
+ 
+   read client-request (CReq) from client
+   create backend-request (BReq) by copying CReq
+   extract request URL
+   select backend URL and insert into BReq as new URL
+   extract from IReq and remove from BReq authentication id
+      1. from QUERY_STRING 
+      2. from HTTP Cookie header
+      3. from SSL client certificate
+ 
+   if (URL requires authentication) {
+       check authenentication id;
+       if (not exists or is invalid authentication id) {
+           ...
+           stop;
+       }
+       optionally map authentication id according to backend URL
+       insert (optionally mapped) authentication id into BReq as
+          - QUERY_STRING addition
+          - HTTP Cookie header
+   }
+   send BReq request to backend server
+   read BRes response header from backend server
+   extract response code from BReq
+   filter BRes to IRes
+   if (redirect) {
+       inverse map Location header according to backend selection rules
+   }
+   if (code eq 200/OK and content-type == HTML) {
+       while body is read in junks
+           inverse map hyperlinks according to backend selection rules
+   }
+   else {
+       while body is read in junks
+           pass through unchanged
+   }
+

CVSTrac 2.0.1