Hi-
I've recently migrated from Apache 2.2 to Apache 2.4, and I'm experiencing an issue with mod_rewrite and the REMOTE_USER header.
We use Kerberos to authenticate our users, and we have two Kerberos domains, one for internal connections and one for external connections. All users have an account in both domains, and they'll get authenticated using one of the two servers depending upon where they are connecting from. When a user logs in, Apache will set the REMOTE_USER header to either
or
depending upon which domain they authenticated against. However, our web applications don't want to receive the fully qualified Kerberos usernames, they just want to receive the "user" portion.
In Apache 2.2, we used mod_rewrite to strip everything after the @ sign and set a new REMOTE_USER header. However, Apache 2.4 seems to forbid setting any headers which contain an underscore.
See:
http://httpd.apache.org/docs/trunk/new_features_2_4.html
"Translation of headers to environment variables is more strict than before to mitigate some possible cross-site-scripting attacks via header injection. Headers containing invalid characters (including underscores) are now silently dropped. Environment Variables in Apache has some pointers on how to work around broken legacy clients which require such headers. (This affects all modules which use these environment variables.)"
Is there any way to work around this?
This is the code that works fine in Apache 2.2:
RewriteEngine On
RewriteCond %{REMOTE_USER} ([a-z]+)@.*
RewriteRule . - [E=RU:%1]
RequestHeader set REMOTE_USER %{RU}e
If I use the above code in Apache 2.4, the header doesn't get set, and I get errors in the logs like:
[core:trace1] [pid 11676] util_script.c(78): [client XXXXXXXX:50291] Not exporting header with invalid name as envvar: _USER
Any suggestions?
Thanks!
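As an added example, not part of the original post or of Apache's own documentation: one workaround that stays within the header names Apache 2.4 accepts is to forward the stripped username in a hyphenated header and to discard any client-supplied copy of it. X-Remote-User is an assumed name; the web application would need to be changed to read that header instead of REMOTE_USER.

```apache
# Added example, not the poster's config. Assumes the backend application
# can be told to read the user name from the X-Remote-User header.
RewriteEngine On

# Capture the "user" part of user@REALM from the authenticated principal
# (same pattern the 2.2 config used).
RewriteCond %{REMOTE_USER} ([a-z]+)@.*
RewriteRule . - [E=RU:%1]

# Drop any X-Remote-User the client sent before rewriting runs, so a
# request that does not match the pattern above cannot carry a
# client-chosen value through to the application.
RequestHeader unset X-Remote-User early

# Apache 2.4 refuses to export a header whose name contains an underscore
# (such as REMOTE_USER) as an environment variable, so use a hyphenated
# name; only set it when the username was actually captured.
RequestHeader set X-Remote-User %{RU}e env=RU
```

With this in place the application sees the bare username in X-Remote-User, and a request without a matching Kerberos principal arrives with no X-Remote-User header at all rather than an attacker-supplied one.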