Re: Setting REMOTE_USER to %{SSL:HTTP_SSL_CLIENT_S_DN_CN}

On November 5, 2012 10:24, Martin Drescher <drescher@xxxxxxxx> wrote:
> On 05/11/12 14:35, Mark Montague wrote:
>> On November 5, 2012 6:32, Martin Drescher <drescher@xxxxxxxx> wrote:
>>> I would like to set the REMOTE_USER environment to the value of
>>> %{HTTP_SSL_CLIENT_S_DN_CN}.
>>
>> SSLUserName SSL_CLIENT_S_DN_CN
>
> Close, but no cigar:
> In fact, I do not use SSL at this distinct host

Then you might want to include that in your original question in order to get a better answer. Your original RewriteCond statement was checking the value of an SSL environment variable. But if you are not using SSL on the virtual host in question, then this environment variable will not be set and the RewriteCond will always evaluate to "false".


> But I run a reverse
> proxy using ProxyPass which terminates the SSL at its world device
> and then forwards a Nagios host in that case. Nagios is happy with the
> REMOTE_USER environment set for access control. I checked this setting
> REMOTE_USER using the SetEnv syntax. Unfortunately this does not take
> a variable as argument.
>
> So I set an HTTP request header (SSL_CLIENT_S_DN_CN) in the reverse
> proxy and try to copy that to REMOTE_USER. To avoid any conflicts with
> the mod_ssl I also tried to set an X-Forwarded-SSL_CLIENT_S_DN_CN and
> used that with SSLUserName: REMOTE_USER is not set.

Having the front-end server set an HTTP request header for the back-end server is the correct solution. You would then normally configure your web application to retrieve the user's identity from this new header rather than from the REMOTE_USER environment variable. I don't know, but I suspect that you may run into difficulties trying to set REMOTE_USER yourself via Apache HTTP Server directives since the REMOTE_USER environment variable gets set automatically based on the r->user field of the request structure (maybe someone else who knows more can confirm or refute whether this overwriting happens).

If you cannot configure your web application to retrieve the user's identity from the value of the header you set, and if this is important enough to deal with a third party module and you're willing to do special work to get this operating right and support it in the long term on your servers (troubleshoot issues, port the module code to Apache HTTP Server 2.4 when needed, and so on), then take a look at https://github.com/aimxhaisse/mod-proxy-add-user

--
  Mark Montague
  mark@xxxxxxxxxxx
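
The header-passing approach described in the reply above, sketched as an added Apache configuration example that is not part of the original message. Host names, IP addresses, file paths and the header name X-Forwarded-Client-CN are assumptions; the back-end access control is shown in 2.2 syntax.

```apache
# ---- Front-end reverse proxy: terminates TLS and verifies client certificates ----
# Assumed names: nagios.example.org, backend.internal.example, /etc/ssl/example/*
<VirtualHost *:443>
    ServerName nagios.example.org

    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/server.crt
    SSLCertificateKeyFile /etc/ssl/example/server.key

    # Only clients holding a certificate issued by this CA get through.
    SSLCACertificateFile  /etc/ssl/example/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  1

    # "set" (not "add" or "append") replaces whatever value the client sent,
    # so the back end only ever sees the CN taken from the verified certificate.
    # The header name uses hyphens only; a CGI back end sees it as
    # HTTP_X_FORWARDED_CLIENT_CN.
    RequestHeader set X-Forwarded-Client-CN "%{SSL_CLIENT_S_DN_CN}s"

    ProxyPass        /nagios/ http://backend.internal.example/nagios/
    ProxyPassReverse /nagios/ http://backend.internal.example/nagios/
</VirtualHost>

# ---- Back-end server: plain HTTP, reachable only from the proxy ----
# The identity header is trustworthy only if nothing but the proxy can
# connect here. 192.0.2.10 is the assumed address of the front-end proxy.
<Location /nagios/>
    Order deny,allow
    Deny from all
    Allow from 192.0.2.10
    # Apache HTTP Server 2.4 equivalent of the three lines above:
    #   Require ip 192.0.2.10
</Location>
```

The application on the back end then reads the user's identity from the X-Forwarded-Client-CN request header, as the reply suggests, rather than from REMOTE_USER.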

