Index: ossp-pkg/sorp/BRAINSTORM.txt
RCS File: /v/ossp/cvs/ossp-pkg/sorp/BRAINSTORM.txt,v
co -q -kk -p'1.1' '/v/ossp/cvs/ossp-pkg/sorp/BRAINSTORM.txt,v' | diff -u /dev/null - -L'ossp-pkg/sorp/BRAINSTORM.txt' 2>/dev/null
--- ossp-pkg/sorp/BRAINSTORM.txt
+++ -	2024-05-17 10:58:51.421877800 +0200
@@ -0,0 +1,65 @@
+
+OSSP sorp BRAINSTORMING
+=======================
+
+Currently:
+- PESP: Apache+mod_rewrite+MySQL+mod_proxy
+- IT Intranet: Apache+mod_rewrite+mod_proxy
+- IS Intranet: Apache+mod_php+MySQL
+
+Purposes:
+- HTTPS to HTTP gateway
+- HTTPS sticky pass-through
+- user single-sign on & sticky authentication (user-id|client-cert -> session id)
+- remote session tracking (session id -> user id + information) 
+- load balancing over multiple backend servers
+- backend response caching
+
+Possibilities:
+- Apache+mod_rewrite+mod_proxy+?
+- Pound: http://www.apsis.ch/pound/
+- Squid?
+- Apache mod_proxy_add_forward: http://develooper.com/code/mpaf/
+  Apache mod_rpad: http://stderr.net/apache/rpaf/
+- Stunnel
+- Symbion SSL Proxy: http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/sslproxy/
+
+Libraries:
+- libcurl
+- pth
+- sa
+- cfg
+
+Prerequisites:
+- polling abstraction library (kqueue, poll, select, /dev/poll, etc) for Pth and stand-alone
+- SSL support for OSSP sa
+
+Applications:
+- NMIT PESP web portal frontend server
+- IT Operations Intranet frontend server
+- IS Operations North Europe Intranet frontend server
+  - MOF
+  - ChangeLog
+  - Team.xmldb
+  - ChangeLog
+
+Tables
+======
+
+Session
+-------
+session_id       /* unique session id */
+session_expire   /* expire time of session */
+session_scope    /* scope/grade/level of session (login, visit, etc.) */
+account_id       /* unique account id (attached user account) */
+
+Account
+-------
+account_id       /* unique account id */
+account_pw       /* password of account */
+account_name     /* realname of account holder */
+account_location /* realname of account holder */
+...
+groups...
+
+
Index: ossp-pkg/sorp/SPEC.txt
RCS File: /v/ossp/cvs/ossp-pkg/sorp/SPEC.txt,v
co -q -kk -p'1.1' '/v/ossp/cvs/ossp-pkg/sorp/SPEC.txt,v' | diff -u /dev/null - -L'ossp-pkg/sorp/SPEC.txt' 2>/dev/null
--- ossp-pkg/sorp/SPEC.txt
+++ -	2024-05-17 10:58:51.424553108 +0200
@@ -0,0 +1,141 @@
+
+OSSP sorp SPECIFICATION
+=======================
+
+Mandatory Requirements
+----------------------
+
+o URL rewriting on redirects and in HTML content (hyperlinks)
+  (important for full backend hiding and avoiding of by-passing traffic)
+
+o full HTTP/1.0 and HTTP/1.1 compliant frontend service
+  (important for full conformance with browser features and performance)
+  => apache, squid, ??
+
+o HTTPS/HTTP 1.0/1.1 to HTTPS/HTTP 1.0/1.1 proxy functionality for
+  backend service
+  (to reduce load and complexity on backends)
+  => apache, squid, ??
+
+o forwarding of client IP and HTTP/1.1 "Host:" header to backend servers
+  (for correct logging and virtual hosting on backends)
+  => apache mod_xxx, ??
+
+o backend service selection based on
+  - HTTP/1.1 Host header
+    (for real virtual hosting on frontend)
+  - URL rewriting rule (or at least URL prefix matching)
+    (for seamless linking of backends into frontend URL namespace)
+  - user authentication information
+    (for sticky user backends, etc.)
+  => apache mod_rewrite?
+
+o user single sign-on with stickyness and automatic sign-on expiring
+  (for comfortable sign-on over browser restarts and security)
+
+o authentication via one or more of the following credentials:
+  - userid+passwd
+    (for standard authentication)
+  - SSL client certificate
+    (for elegant authentication)
+  - host-based ACL
+    (for by-pass authentication)
+
+- authentication backends:
+  - Kerberos Tickets?
+  - LDAP?
+  - SQL?
+  - S/Key OTP?
+  - PAM?
+  - SASL?
+  - Local PW
+
+o mapping of incoming (and successfully authenticated) authentication method
+  and identity to perhaps different authentication method and identity on 
+  backend server communication.
+
+o automatic session tracking in frontend service
+  (for reducing complexity on backends)
+  - via HTTP Cookie key "session" (read-write)
+  - via URL QUERY_STRING key "session" (read-write)
+  - via SSL client certificate (read-only)
+
+o easy remote session information retrival from backend servers
+  (for storing sessions on frontend only and still have on backends)
+
+o extendable user session information set
+  (for flexibility in the backends and to avoid DBs there, too)
+
+o easy administration of user accounts (passwords!)
+  and session information via Web UI
+  (for obvious administration of whole setup)
+
+o allow bookmarking of subpages by redirecting from subpage
+  request to login on missing session and after loggin in again back to subpage
+  (for supporting subpage bootmarking)
+
+Optional Requirements
+---------------------
+
+o HTTPS sticky pass-through connections
+  (for HTTPS on backends)
+
+o server side include (SSI) or other dynamic content expansion
+  in backend response on frontend server
+  (for global navigation bars, headers, footers, etc)
+
+o load balancing over multiple backend servers
+  (for performance)
+
+o automatic backend disabling on downtime/error if multiple backends exist
+
+o caching of backend responses
+  (for performance)
+
+o content manipulations
+  - splash screen additions
+  - header/footer/css additions
+  - watermark additions
+  (for global services)
+
+o pre-fetching from backend servers of inline images and referenced pages
+
+Run-time Pseudocode
+-------------------
+
+  read client-request (CReq) from client
+  create backend-request (BReq) by copying CReq
+  extract request URL
+  select backend URL and insert into BReq as new URL
+  extract from IReq and remove from BReq authentication id
+     1. from QUERY_STRING 
+     2. from HTTP Cookie header
+     3. from SSL client certificate
+
+  if (URL requires authentication) {
+      check authenentication id;
+      if (not exists or is invalid authentication id) {
+          ...
+          stop;
+      }
+      optionally map authentication id according to backend URL
+      insert (optionally mapped) authentication id into BReq as
+         - QUERY_STRING addition
+         - HTTP Cookie header
+  }
+  send BReq request to backend server
+  read BRes response header from backend server
+  extract response code from BReq
+  filter BRes to IRes
+  if (redirect) {
+      inverse map Location header according to backend selection rules
+  }
+  if (code eq 200/OK and content-type == HTML) {
+      while body is read in junks
+          inverse map hyperlinks according to backend selection rules
+  }
+  else {
+      while body is read in junks
+          pass through unchanged
+  }
+