Hey there,

I'd like to set up a dynamically configured reverse proxy with HTTP auth. The requests shall be proxied to different backends with the decision being based upon a certain LDAP user attribute.

I've set up Apache like this:

--8<--
##
## LDAP attributes:
##  - user name attribute: mail (mail address)
##  - user backend attribute: ldapUserBackend (contains a number),
##    gets exported as AUTHENTICATE_ldapUserBackend by mod_authnz_ldap
##

## log the variables used
LogFormat "%t; ldapUserBackend=%{AUTHENTICATE_ldapUserBackend}e; BACKEND=%{BACKEND}e" ldap
CustomLog logs/ldap_log ldap

<Location />
    AuthName "ALL YOUR BASE ARE BELONG TO US"
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPURL ldap://1.2.3.4:389/ou=foo,ou=bar,dc=example,dc=com?mail,ldapUserBackend?sub?(objectClass=ldapUser)
    AuthzLDAPAuthoritative on
    Require valid-user

    ## 1st try using LDAP environment variable:
    ## ${AUTHENTICATE_ldapUserBackend} is empty for ProxyPass/ProxyPassReverse
    ProxyPassInterpolateEnv On
    ProxyPass http://backend-${AUTHENTICATE_ldapUserBackend}:443/ interpolate
    ProxyPassReverse http://backend-${AUTHENTICATE_ldapUserBackend}:443/ interpolate

    ## 2nd try using mod_rewrite to set environment variable:
    ## ${BACKEND} is empty for ProxyPass/ProxyPassReverse because mod_rewrite
    ## seems to kick in before the LDAP auth takes place
    #RewriteEngine on
    #RewriteCond %{ENV:AUTHENTICATE_ldapUserBackend} 2
    #RewriteRule ^ - [E=BACKEND:backend-2,L]
    #RewriteCond %{ENV:AUTHENTICATE_ldapUserBackend} 3
    #RewriteRule ^ - [E=BACKEND:backend-3,L]
    #ProxyPassInterpolateEnv On
    #ProxyPass http://${BACKEND}:443/ interpolate
    #ProxyPassReverse http://${BACKEND}:443/ interpolate

    ## 3rd try with setting BACKEND using SetEnv or SetEnvIf:
    ## ${BACKEND} is empty for ProxyPass/ProxyPassReverse
    #SetEnv BACKEND backend-2
    #SetEnvIf Request_Protocol . BACKEND=backend-2
    #ProxyPassInterpolateEnv On
    #ProxyPass http://${BACKEND}:443/ interpolate
    #ProxyPassReverse http://${BACKEND}:443/ interpolate
</Location>
--8<--

I even had a look at the processing order of the hooks that are registered by the modules, but I failed to understand it :)

$ SHOW_HOOKS=1 httpd -k start

For now it just seems to me that mod_proxy directives are evaluated before the mod_authnz_ldap ones are.

Any expert opinions? :-)

TIA,
Wolfram

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx