Re: [users@httpd] authenticating reverse proxy

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



At 11.44 08/04/2005 -0400, Brian Hughes '89 wrote:
...
I have made initial experiments using RequestHeader (from mod-headers) to propagate the info. But I currently don't manage to access the REMOTE_USER environment variable on the proxy (RequestHeader add PropagatedRemoteUser "%{REMOTE_USER}e" fails to propagate any value). Also, I don't know whether it is possible to use mod-headers on the "protected" httpd (assuming it is Apache) to copy this propagated value to REMOTE_USER. But probably there are better approaches in the first place.

Actually, I'd say that you've hit upon the "right way" to pass the authenticated information back to the application, through the proxy. However, you don't show us how you are actually doing the proxy hand-off. This can make a big difference as to what does and doesn't get passed.

Actually I did use ProxyPass:

<Location /bud>
Allow from all
ProxyPass http://www.gol.grosseto.it/cgi-bin/test-env
ProxyPassReverse http://www.gol.grosseto.it/cgi-bin/test-env
AuthType Basic
AuthName "budRealm"
AuthUserFile /var/www/budPwd
Require user bud ezio
RequestHeader add Remote_User "%{REMOTE_USER}e"
</Location>

Here's a snippet from the ssl.conf file on one of my web app servers. I'm using Apache to proxy/terminate the SSL, do client cert authentication and pass the authentication info back to application via reverse-proxy. The key thing here is using Rewrite engine for the proxy, not ProxyPass...

thanks for the conf snipplet.  I did some tests and it just works.

Why is there such a difference between mod-rewrite and mod-proxy? I thought that mod-rewrite was using mod-proxy to do its work..

Also, why is the env variable REMOTE_USER not directly available to mod-headers?

So now (thanks to your help!) I manage to propagate the user info. Any suggestions how to fake basic authentication on the application server? Can I simply use RequestHeader add REMOTE_USER for this?

many thanks!

-b


-----------------------

<Location /foo>
    RewriteEngine on

    # Get the SSL client cert data, if present,  and store in a temporary
    # environment variable after we select it a RewriteCond backref.
    # Then that env var an HTTP  header for the proxy request
    RewriteCond %{SSL:SSL_CLIENT_VERIFY} (.*)
    RewriteRule .* - [E=SSLC_ON:%1]
    RequestHeader add X-SSL-Client-On %{SSLC_ON}e

    # Do the same with the SSL client's authenticated name
    RewriteCond %{SSL:SSL_CLIENT_S_DN_CN} (.*)
    RewriteRule .* - [E=SSLC_NAME:%1]
    RequestHeader add X-SSL-Client-Name %{SSLC_NAME}e

    # Special conditional for when the incoming request has a query string.
    # Store the query string in a RewriteCond back-reference, so we can add
    # it into the proxy HTTP request
    RewriteCond %{QUERY_STRING} (.+)
    RewriteRule (foo.*) http://127.0.0.1:8080/$1?%1 [P,L]

    # Standard proxy request, for when there's no query string in the URL
    RewriteRule (foo.*) http://127.0.0.1:8080/$1 [P,L]
</Location>

-----------------------

-Brian


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx


-------------------------------------------------------------------------------------------------
Ing. Bud P. Bruegger, Ph.D. +39-0564-488577 (voice), -21139 (fax)
Servizio Elaborazione Dati                    e-mail:  bud@xxxxxxxxxxxxxxxxxx
Comune di Grosseto http://www.comune.grosseto.it/cie/ Via Ginori, 43 http://OpenPortalGuard.sf.net
58100 Grosseto (Tuscany, Italy)           jabber:  bud@xxxxxxxxxxxxx

Free Software in Public Administration:  not just a good idea, but a necessity

Perfection is attained, not when there is nothing more to be added, but when there is nothing more to be taken away -- Antoine de Saint-Exupery

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx



[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux