add support for proxy authorization header to pmapi service

[martin2176]

Is there a way to enhance security for vector connecting to pmwebd?

going by "man pmwebd : section Security"--> restrict access to pmwebd by an Apache http proxy with authentication.
Could vector handle the authentication requested by a proxy in such cases

regards

[spiermar]

@martin2176 Simple HTTP authentication?

[fche]

https://tools.ietf.org/html/rfc7235#section-4.3 probably

[spiermar]

HTTP header based, should be simple. I see that as an extra input in the expanded hostname area. Probably a flag to enable and disable it.

[martin2176]

[martin2176]

The above pic is what I have in mind.
The authentication is to enable vector be able to communicate with pmwebd using proxy in between.

[spiermar]

That's a bit different from what I had in mind. I was thinking about having a single pmwebd running, with the proxy in front of it, and use the hostspec to connect to the "secured" instances running PMCD.

Thoughts @fche @natoscott ?

[martin2176]

Something like this?

[spiermar]

Something like that I think.

"How to secure this?" Depends on the level of security you're talking about, but the iptables blocking could be applied in this scenario too.

[martin2176]

1. other than iptables, I cant think of anything which would safely expose pmcd's PMAPI to pmwebd.
   any other suggestions pls do let me know
2. For client browser to pmwebd communication through a proxy, can vector do the "Proxy-Authorization"header to authenticate against the proxy.

[spiermar]

Not right now, but technically should be possible to change the header and include this.

[martin2176]

in which case, would you be able to file this as an RFE.

[spiermar]

Yes