mod_removepass
An apache module designed to remove the Authorization header from incoming requests.
Why?
Many companies keep their administrative web-apps behind an apache reverse proxy which performs some sort of authentication (such as LDAP). Unfortunately, this typically results in every user's password being passed directly to each and every back-end web-app. A compromised administrative web-app could potentially harvest these passwords for malicious ends.
When this module is installed, the Authorization header (containing a user's password) is processed just after the apache authentication layer. The password is replaced with garbage, so it cannot be seen by any back-end apps, but the username is left intact (so the app can know what user is currently logged in).
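The transformation described above, written out as an added stand-alone example (this is not mod_removepass's own code, and it does not use the httpd API): the `Basic` credential is base64-decoded, split at the first colon into user-id and password as RFC 7617 requires, the password is replaced with a filler string, and the result is re-encoded. The filler value, the choice to return NULL (meaning "drop the header") for anything that is not a well-formed Basic credential, and all function names are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed filler written in place of the real password. The README only says
 * the password is "replaced with garbage"; the exact value the module uses is
 * not specified, so this is a placeholder chosen for the example. */
#define FILLER_PASSWORD "xxxxxxxx"

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Encode n bytes as a newly allocated, NUL-terminated base64 string. */
static char *b64_encode(const unsigned char *in, size_t n) {
    size_t out_len = 4 * ((n + 2) / 3);
    char *out = malloc(out_len + 1);
    if (!out) return NULL;
    size_t i, j = 0;
    for (i = 0; i + 2 < n; i += 3) {
        unsigned v = (in[i] << 16) | (in[i + 1] << 8) | in[i + 2];
        out[j++] = B64[(v >> 18) & 63];
        out[j++] = B64[(v >> 12) & 63];
        out[j++] = B64[(v >> 6) & 63];
        out[j++] = B64[v & 63];
    }
    if (i < n) {                     /* one or two trailing bytes */
        unsigned v = in[i] << 16;
        if (i + 1 < n) v |= in[i + 1] << 8;
        out[j++] = B64[(v >> 18) & 63];
        out[j++] = B64[(v >> 12) & 63];
        out[j++] = (i + 1 < n) ? B64[(v >> 6) & 63] : '=';
        out[j++] = '=';
    }
    out[j] = '\0';
    return out;
}

/* Decode a padded base64 string into a malloc'd buffer (NUL-terminated for
 * convenience); sets *out_n, or returns NULL on malformed input. */
static unsigned char *b64_decode(const char *in, size_t *out_n) {
    size_t len = strlen(in);
    if (len == 0 || len % 4 != 0) return NULL;
    unsigned char *out = malloc(len / 4 * 3 + 1);
    if (!out) return NULL;
    size_t n = 0;
    for (size_t i = 0; i < len; i += 4) {
        unsigned v = 0;
        int pad = 0;
        for (int k = 0; k < 4; k++) {
            char c = in[i + k];
            v <<= 6;
            if (c == '=') { pad++; continue; }
            const char *p = strchr(B64, c);
            if (!p || pad) { free(out); return NULL; }  /* bad char or data after '=' */
            v |= (unsigned)(p - B64);
        }
        out[n++] = (v >> 16) & 0xff;
        if (pad < 2) out[n++] = (v >> 8) & 0xff;
        if (pad < 1) out[n++] = v & 0xff;
    }
    out[n] = '\0';
    *out_n = n;
    return out;
}

/* Rewrite a "Basic <base64(user:password)>" Authorization value so that the
 * user-id survives but the password becomes FILLER_PASSWORD. Returns a
 * malloc'd header value, or NULL when the input is not a well-formed Basic
 * credential (the caller is expected to drop the header in that case). */
char *strip_basic_password(const char *authz) {
    const char *prefix = "Basic ";
    if (strncmp(authz, prefix, strlen(prefix)) != 0) return NULL;
    const char *enc = authz + strlen(prefix);
    while (*enc == ' ') enc++;

    size_t n;
    unsigned char *cred = b64_decode(enc, &n);
    if (!cred) return NULL;

    /* RFC 7617: user-id ":" password, and the user-id may not contain ':' */
    unsigned char *colon = memchr(cred, ':', n);
    if (!colon) { free(cred); return NULL; }
    size_t user_len = (size_t)(colon - cred);

    /* Build "user:FILLER" and re-encode it. */
    size_t new_n = user_len + 1 + strlen(FILLER_PASSWORD);
    unsigned char *rebuilt = malloc(new_n);
    if (!rebuilt) { free(cred); return NULL; }
    memcpy(rebuilt, cred, user_len);
    rebuilt[user_len] = ':';
    memcpy(rebuilt + user_len + 1, FILLER_PASSWORD, strlen(FILLER_PASSWORD));
    memset(cred, 0, n);              /* the real secret is no longer needed */
    free(cred);

    char *b64 = b64_encode(rebuilt, new_n);
    free(rebuilt);
    if (!b64) return NULL;

    char *out = malloc(strlen(prefix) + strlen(b64) + 1);
    if (out) { strcpy(out, prefix); strcat(out, b64); }
    free(b64);
    return out;
}

int main(void) {
    /* Constructed sample: "alice:s3cret" base64-encoded. */
    char *r = strip_basic_password("Basic YWxpY2U6czNjcmV0");
    printf("%s\n", r ? r : "(dropped)");
    free(r);
    return 0;
}
```

A back-end that decodes the rewritten header still sees `alice:` as the user-id, which is all it needs to know who is logged in; the decoded secret is zeroed before it is freed so it does not linger in a reused allocation.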
Limitations
This module does nothing to improve your network security. As the LDAP credentials apache receives are typically transmitted in plain text, your authentication proxy should ALWAYS operate over HTTPS exclusively.
Easy Installation
- Download mod_removepass.so from the github downloads, and place in your httpd/modules folder.
Compilation from Source
- Pull mod_removepass.c from the source repo
- From the root of your httpd install, run
  bin/apxs -i -c mod_removepass.c
- mod_removepass.so should now be installed into your httpd/modules folder
Configuration
In httpd.conf:
- Enable the module with
  LoadModule removepass_module modules/mod_removepass.so
- For any applications which specifically require access to the authentication password, the module can be disabled in the configuration of a specific vhost or path:
  <IfModule mod_removepass.c>
      DoNotStripPassword 1
  </IfModule>
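The two configuration steps put together, as an added example and not a file shipped with the project: an HTTPS-only vhost that authenticates against LDAP with the standard mod_authnz_ldap directives, proxies to back-ends with the password stripped by default, and switches stripping off for one path only. The hostnames, certificate paths, LDAP URL and back-end addresses are placeholders.

```apache
# Added example; all names, paths and addresses below are placeholders.
LoadModule removepass_module modules/mod_removepass.so

<VirtualHost *:443>
    ServerName admin.example.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/admin.example.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/admin.example.com.key

    # Authenticate every request at the proxy (mod_authnz_ldap).
    <Location "/">
        AuthType Basic
        AuthName "Admin tools"
        AuthBasicProvider ldap
        AuthLDAPURL "ldap://ldap.example.com/ou=people,dc=example,dc=com?uid"
        Require valid-user
    </Location>

    # Default: mod_removepass runs after authentication, so this back-end
    # only ever sees the username in the Authorization header.
    ProxyPass        /wiki/ http://10.0.0.10:8080/wiki/
    ProxyPassReverse /wiki/ http://10.0.0.10:8080/wiki/

    # Exception: one application needs the original password, so stripping
    # is disabled for its path only (and nowhere else).
    <Location "/legacy/">
        <IfModule mod_removepass.c>
            DoNotStripPassword 1
        </IfModule>
    </Location>
    ProxyPass        /legacy/ http://10.0.0.11:8080/legacy/
    ProxyPassReverse /legacy/ http://10.0.0.11:8080/legacy/
</VirtualHost>
```

Keeping the `DoNotStripPassword` override inside a narrow `<Location>` block means a compromise of the `/wiki/` back-end still cannot harvest passwords; only the one application that genuinely needs them ever receives them.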
Known Issues
- There have been some reports of auto-generated Apache directory indexes returning empty when the password is being stripped. If this is an issue, set DoNotStripPassword on the path, and the indexes should re-appear.