Re: Passing Authentication or REMOTE_USER from One Apache Server to Another

On Wed, Jan 22, 2014 at 11:16 PM, Kevin Behr <behrk2@xxxxxxxxx> wrote:
> Hi there,
>
> I have two separate web applications, each on a different Apache (2.2)
> server.  A user first authenticates on Server A (either by Basic HTTP or
> LDAP) and gains access to the web application.  At some point, the user has
> the option to launch the second web application on Server B.
>
> The second web application requires REMOTE_USER to be set; it will not start
> without it.  Therefore, I need the REMOTE_USER from Server A to be passed to
> Server B.
>
> I have explored two avenues:
>
> Set up a proxy using mod_proxy_http and leverage the proxy-chain-auth
> environment variable.
>
> Passing REMOTE_USER via mod_rewrite and RewriteCond.
>
> Am I headed down the right track?  What is the typical way of handling this
> situation?
>
> I have tried the following httpd.conf configuration on Server A, but it
> fails to retrieve any REMOTE_USER (which I am accessing via PHP):
>
> ProxyPass /test http://ServerB/
> ProxyPassReverse /test http://ServerB/
> SetEnv Proxy-Chain-Auth On
>
> I would appreciate any help!


I went down this rabbit hole a couple of months ago - I have at the
edge of my network an apache 2.4 server, which acts as an SSL proxy to
internal servers, mainly apache 2.2. All SSL clients are authenticated
on the front end proxy using client certificates, but I needed a way
to pass that information back to the other servers so that they can do
authorization.

I looked at the mod_rewrite route; mod_rewrite has no way to set r->user.

I looked at proxy-chain-auth; this didn't seem to do what I needed either.

In the end I wrote a trivial 80 line apache module for the backend
servers that extracts a specified header and sets r->user (attached).
This is obviously as insecure as it sounds! I get away with it since
all requests go through the front end proxy, which makes sure to scrub
the header from any incoming requests.

Cheers

Tom

PS: installing your own module is pretty trivial, simply grab the file and run

apxs -i -a -c mod_trusted_auth_header.c

on your server B, and then add to server B's httpd.conf

TrustedAuthHeaderName "X-User"

Obviously, you also need to set that header on the front end proxy, I use this:

RequestHeader unset "X-User"
RequestHeader set "X-User" %{SSL_CLIENT_S_DN_Email}s

/*
**  mod_trusted_auth_header.c -- Apache sample trusted_auth_header module
**
**  Copies the value of a configured request header (TrustedAuthHeaderName)
**  into r->user, so that REMOTE_USER is populated for the application
**  without any authentication happening on this server.  The header has to
**  be set by a trusted front-end proxy, and that proxy must strip the same
**  header from incoming client requests; otherwise any client can pick its
**  own user name.
*/

#include "httpd.h"
#include "http_config.h"
#include "http_protocol.h"
#include "ap_config.h"
#include "apr_strings.h"

/* Forward declaration so the config handlers can look up this module's
 * per-server configuration before the module structure is defined. */
module AP_MODULE_DECLARE_DATA trusted_auth_header_module;

/* Per-server configuration: the name of the header to trust. */
typedef struct {
    const char* header_name;
} trusted_auth_header_cfg;

static void*
create_trusted_auth_svr_conf(apr_pool_t* pool, server_rec* svr)
{
    /* apr_pcalloc zeroes the struct, so header_name starts out NULL and
     * the module does nothing until TrustedAuthHeaderName is configured. */
    trusted_auth_header_cfg* svr_cfg = apr_pcalloc(pool,
            sizeof(trusted_auth_header_cfg));
    return svr_cfg;
}

/* Handler for the TrustedAuthHeaderName directive (one argument). */
static const char*
trusted_auth_header_name_func(cmd_parms* cmd, void* cfg, const char* arg)
{
    trusted_auth_header_cfg* mod_cfg = ap_get_module_config(
            cmd->server->module_config, &trusted_auth_header_module);
    if (arg)
    {
        mod_cfg->header_name = apr_pstrdup(cmd->pool, arg);
    }
    return NULL;
}

/* Runs for every request: if the trusted header is present, its value
 * becomes r->user (and therefore REMOTE_USER).  Always returns DECLINED so
 * that the other access-control modules still get to run. */
static int
trusted_auth_header_access_checker(request_rec *r)
{
    trusted_auth_header_cfg* mod_cfg = ap_get_module_config(
            r->server->module_config, &trusted_auth_header_module);
    const char* user;

    if (mod_cfg->header_name)
    {
        user = apr_table_get(r->headers_in, mod_cfg->header_name);
        if (user)
        {
            r->user = apr_pstrdup(r->pool, user);
        }
    }

    return DECLINED;
}

static const command_rec trusted_auth_header_cmds[] =
{
    AP_INIT_TAKE1("TrustedAuthHeaderName", trusted_auth_header_name_func, NULL,
            RSRC_CONF, "The header name to extract the username from"),
    {NULL}
};

static void trusted_auth_header_register_hooks(apr_pool_t *p)
{
    ap_hook_access_checker(trusted_auth_header_access_checker,
            NULL, NULL, APR_HOOK_MIDDLE);
}

/* Dispatch list for API hooks */
module AP_MODULE_DECLARE_DATA trusted_auth_header_module = {
    STANDARD20_MODULE_STUFF,
    NULL,                  /* create per-dir    config structures */
    NULL,                  /* merge  per-dir    config structures */
    create_trusted_auth_svr_conf, /* create per-server config structures */
    NULL,                  /* merge  per-server config structures */
    trusted_auth_header_cmds, /* table of config file commands */
    trusted_auth_header_register_hooks  /* register hooks  */
};
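The trust boundary Tom describes, as an added example that is not part of the thread or of the attached module: a Python model of the front-end proxy's X-User scrubbing and of a backend that honours X-User only when the request arrives from the proxy's address. The peer-address check and the addresses used are assumptions of this example; the posted module trusts the header from any peer.

```python
from typing import Dict, Optional

# Constructed model of the two-hop setup in the thread.  The header name is
# the one from the posted configuration; the proxy address is made up.
TRUSTED_HEADER = "X-User"
TRUSTED_PROXIES = {"10.0.0.1"}   # assumed address of the front-end proxy


def front_end_proxy(client_headers: Dict[str, str],
                    client_cert_email: Optional[str]) -> Dict[str, str]:
    """Mirror of `RequestHeader unset X-User` then `RequestHeader set X-User`.

    Whatever the client sent as X-User is dropped (header names compare
    case-insensitively), then the header is set from the verified client
    certificate, or left absent when no certificate was presented.
    """
    forwarded = {name: value for name, value in client_headers.items()
                 if name.lower() != TRUSTED_HEADER.lower()}
    if client_cert_email:
        forwarded[TRUSTED_HEADER] = client_cert_email
    return forwarded


def backend_remote_user(headers: Dict[str, str],
                        peer_ip: str) -> Optional[str]:
    """What the backend should expose as REMOTE_USER for this request.

    The header is only honoured when the TCP peer is a trusted proxy, so a
    client that reaches the backend directly cannot choose its identity.
    (Assumed hardening; the posted module has no such check.)
    """
    if peer_ip not in TRUSTED_PROXIES:
        return None
    for name, value in headers.items():
        if name.lower() == TRUSTED_HEADER.lower():
            return value
    return None


def via_proxy(client_headers: Dict[str, str],
              client_cert_email: Optional[str]) -> Optional[str]:
    """REMOTE_USER seen by the app for a request that went through the proxy."""
    return backend_remote_user(front_end_proxy(client_headers, client_cert_email),
                               "10.0.0.1")
```

On the backend itself the same restriction is normally enforced with mod_authz_host (`Require ip` on 2.4, `Allow from` on 2.2) so that only the proxy can reach it at all.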
