How to add additional header to CONNECT of ProxyRemote?

Hello,

we have some badly designed external software which we have to get working.

This software provides a proxy which extracts a userid out of a header field in the CONNECT and uses it for creating a SAML Token for further requests. This legacy-proxy is running locally on a server.

On the client side we have NTLM and Kerberos authentication, and I now have the opportunity to connect these two worlds:

Do a proxy authentication and set the userid as header in CONNECT to the legacy-proxy.

Calling is: browser --> apache-FW-Proxy --> legacy-Proxy --> external service

So I set up a Forward Proxy using Apache 2.4.6, mod_auth_ntlm, mod_auth_kerberos, mod_ssl etc.

I managed to do the authentication stuff in Apache and forward the request to the external proxy.

The one thing I am missing is how to set the userid as additional header in the CONNECT-Response to the external proxy.

It seems that the RequestHeader-directive is not applied to the CONNECT but only to reverse proxy requests.

What can I do to add an additional header in the CONNECT done by the ProxyRemote-directive?

Regards Michael

Here is the actual config:


LoadModule ssl_module modules/mod_ssl.so

Listen 0.0.0.0:8899
<VirtualHost *:8899>
        ProxyPreserveHost On
        ServerAdmin XXXXXXX
        ServerName XXXXXX
        ErrorLog /var/log/httpd/ssl-error.log
        CustomLog /var/log/httpd/ssl-access.log combined
        HostnameLookups Off
        UseCanonicalName Off
        ServerSignature On

        SSLEngine off

        TransferLog logs/ssl_transfer_log
        SSLCertificateFile /etc/httpd/ssl/server.cert
        SSLCertificateKeyFile /etc/httpd/ssl/server.key
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

        SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
        Options +FollowSymLinks

        <Proxy>
            AuthType NTLM,Kerberos

            # NTLM authentication
            AuthName "NTLM Authentication thingy"
            NTLMAuth on
            NegotiateAuth on
            NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
            NegotiateAuthHelper "/usr/bin/ntlm_auth --helper-protocol=gss-spnego"
            NTLMBasicAuthoritative on
            AuthType Negotiate

            # Kerberos authentication
            AuthName "Kerberos"
            Krb5Keytab /etc/httpd/ssl/server.keytab
            KrbAuthRealms XXXXXXX
            KrbServiceName HTTP

            require valid-user

            ProxyAddHeaders On

            # handle user and set to header
            RewriteEngine On
            RewriteCond %{LA-U:REMOTE_USER} (.+)$
            RewriteRule . - [E=REMOTE_USER:%1,NS]

            # set the header vu-nutzeralias to the authenticated userid without domain
            RequestHeader set vu-nutzeralias %{REMOTE_USER}e
            # remove kerberos domain
            RequestHeader edit vu-nutzeralias @XXXX ""
            # remove NTLM domain
            RequestHeader edit vu-nutzeralias "XXXX\x{005C}\x{005C}" ""

            # non authenticated
            RewriteCond %{REMOTE_USER} ^$
            RewriteRule . - [R=407]

        </Proxy>

        # forward to external proxy
        ProxyRequests On
        ProxyVia On
        SSLProxyEngine On
        ProxyRemote "*" https://127.0.0.1:8888
 </VirtualHost>
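
Added example, not part of the original post and not Apache code: Python showing the CONNECT request the forwarding hop would have to put on the wire for the legacy proxy, with the same domain and realm stripping as the RequestHeader edit rules above and with any client-supplied copy of the identity header discarded. The function names, the allowed user id character set, the dropped-header list and the sample values are assumptions made for this illustration.

```python
import re

ID_HEADER = "vu-nutzeralias"  # header name taken from the posted config
# Assumption: user ids are plain account names; everything else is rejected.
SAFE_USER = re.compile(r"[A-Za-z0-9._-]{1,64}")
SAFE_TARGET = re.compile(r"[A-Za-z0-9.-]{1,253}:[0-9]{1,5}")
# Headers of the client request that must not reach the upstream CONNECT.
DROPPED = {ID_HEADER, "host", "proxy-authorization"}

# Constructed sample input: a client that tries to supply its own identity.
SAMPLE_HEADERS = [
    ("User-Agent", "demo"),
    ("vu-nutzeralias", "admin"),
    ("Proxy-Authorization", "Negotiate AAAA"),
]


def normalize_user(remote_user):
    """Strip the NTLM domain (DOMAIN\\user) or Kerberos realm (user@REALM)."""
    user = remote_user.strip()
    if "\\" in user:
        user = user.rsplit("\\", 1)[1]
    if "@" in user:
        user = user.split("@", 1)[0]
    if not SAFE_USER.fullmatch(user):
        raise ValueError("refusing unsafe user id: %r" % remote_user)
    return user


def build_upstream_connect(target, remote_user, client_headers):
    """Return the CONNECT request bytes for the legacy proxy."""
    if not SAFE_TARGET.fullmatch(target):
        raise ValueError("bad CONNECT target: %r" % target)
    lines = ["CONNECT %s HTTP/1.1" % target, "Host: %s" % target]
    for name, value in client_headers:
        if name.lower() in DROPPED:
            continue  # never trust a client-supplied copy of the identity
        if any(c in name + value for c in "\r\n"):
            raise ValueError("control character in header %r" % name)
        lines.append("%s: %s" % (name, value))
    # The only identity the upstream sees is the one this hop authenticated.
    lines.append("%s: %s" % (ID_HEADER, normalize_user(remote_user)))
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


if __name__ == "__main__":
    print(build_upstream_connect("example.org:443", "EXAMPLE\\jdoe",
                                 SAMPLE_HEADERS).decode("ascii"))
```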


