Sending the authenticated username from a child proxy to a parent proxy in a proxy chain deployment.

Article ID: 166895

Products

ProxySG Software - SGOS

Issue/Introduction

In a proxy chain deployment, the username of a user authenticated on the child proxy is not visible on the parent proxy. As a result, policy rules based on the username (such as bandwidth management or simple allow/deny rules) are not applied on the parent proxy by default.

Resolution

To apply username-based policy on the parent proxy, the child proxy must send the username in a custom header.
In the following example, the custom header, called "username", contains the username of the user authenticated on the child proxy and is added when the request is forwarded to the parent proxy.

On Child Proxy
<Proxy>
    action.ControlRequestHeader1(yes)

define action ControlRequestHeader1
    set(request.x_header.username, "$(user.name)")
end action ControlRequestHeader1

 

On Parent Proxy
; Example of a rule to perform bandwidth management on the Parent Proxy utilizing the header sent by the Child Proxy
; request.x_header is used in the condition because "username" is a custom header
<Proxy>
    request.x_header.username="administrator" limit_bandwidth.server.inbound(test)

; The following is required to strip off the username before the parent Proxy sends out the request to the OCS.

<Proxy>
    action.ControlRequestHeader1(yes)  

define action ControlRequestHeader1
    delete(request.x_header.username)
end action ControlRequestHeader1
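
To confirm that the parent's delete rule keeps the username from reaching the OCS, a check along these lines can be run. This is an added example, not part of the original article or vendor code. RecordingOCS and StrippingParent are constructed loopback stand-ins, and header_seen_by_ocs is a hypothetical helper; in a real test, pass the parent proxy's host:port as `parent` and point `ocs` at a server you control.

```python
import http.server
import threading
import urllib.request

HEADER = "username"  # custom header name used in the article's CPL
DIRECT = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore env proxies

class Base(http.server.BaseHTTPRequestHandler):
    def log_message(self, *args):  # silence per-request logging
        pass

    def reply(self, body):
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

class RecordingOCS(Base):
    """Constructed origin-server stand-in: echoes the HEADER value it received."""
    def do_GET(self):
        self.reply(self.headers.get(HEADER, "").encode())

class StrippingParent(Base):
    """Constructed stand-in for a parent proxy that deletes HEADER before forwarding."""
    def do_GET(self):
        kept = {k: v for k, v in self.headers.items() if k.lower() != HEADER}
        with DIRECT.open(urllib.request.Request(self.path, headers=kept), timeout=5) as r:
            self.reply(r.read())

def serve(handler):
    """Start handler on a free loopback port and return 'host:port'."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "127.0.0.1:%d" % srv.server_address[1]

def header_seen_by_ocs(ocs, parent=None, value="probe-user"):
    """Send a request carrying HEADER, as the child would; return what the OCS saw."""
    req = urllib.request.Request("http://%s/" % ocs, headers={HEADER: value})
    if parent:
        req.set_proxy(parent, "http")  # route through the parent proxy under test
    with DIRECT.open(req, timeout=5) as resp:
        return resp.read().decode() or None  # None means the header was stripped

if __name__ == "__main__":
    ocs = serve(RecordingOCS)
    print("direct to OCS:", header_seen_by_ocs(ocs))
    print("via parent:   ", header_seen_by_ocs(ocs, serve(StrippingParent)))
```

A return value of None through the parent means the username header was removed before the request left for the OCS; any other value is the username that leaked.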