[users@httpd] reverse proxy using mod_proxy and REMOTE_USER

I am trying to convert an existing Apache + FastCGI configuration to
use Apache's mod_proxy and the ProxyPass directive as a reverse proxy
for Mongrel (a little Ruby HTTP application server). I am also using
mod_auth_sspi for authentication. This is in a Windows corporate
environment, running Apache 2.2.3 on Windows Server 2003.

The new proxy configuration works fine, but I need a way to get the
value of the REMOTE_USER variable to my application (previously it was
sent via CGI). Most of the resources and old posts I've found online
suggest using RequestHeader to insert a header with the value of
REMOTE_USER. When I try this, however, I get "(null)" as the value of
REMOTE_USER.

Apache's access.log contains the correct username, so I know
mod_auth_sspi is working. Also, if I remove the ProxyPass directive
and let Apache run the app with CGI directly, the CGI environment's
REMOTE_USER contains the correct value. As soon as I introduce
mod_proxy to the mix, I can't get a useful value out of REMOTE_USER no
matter what I try.

My research so far has led me to suspect that some sort of internal
redirect is happening that causes the REMOTE_USER value to not be set
when the proxied request is sent to Mongrel. What exactly happens
internally when ProxyPass is triggered? How can I send the correct
value of REMOTE_USER to my application?

I have tried innumerable permutations of this Apache config; here's
the way it currently sits (with some names changed to protect the
guilty).

<VirtualHost *>
      ServerName apache.host
      DocumentRoot D:/work/Gregor-test/public

      # value of BLAH header when it gets to Mongrel is "(null)"
      RequestHeader set BLAH %{REMOTE_USER}e

      # don't proxy static content
      ProxyPass /favicon.ico !
      ProxyPass /iepngfix !
      ProxyPass /images !
      ProxyPass /javascripts !
      ProxyPass /jscalendar !
      ProxyPass /stylesheets !

      # proxy requests through mongrel
      ProxyPass / http://mongrel.host:8001/
      ProxyPassReverse / http://mongrel.host:8001/
      ProxyPreserveHost on

      # allow access to the public directory
      <Directory "D:/work/Gregor-test/public">
              Options Indexes FollowSymLinks ExecCGI
              AllowOverride All

              Order allow,deny
              Allow from all
      </Directory>

      # authorization applies to anything going through the proxy server
      # (i.e. don't authenticate the static content explicitly excluded above)
      <Proxy *>
              AuthName "MAD Gregor"
              AuthType SSPI
              SSPIAuth On
              SSPIAuthoritative On
              SSPIDomain "MYDOMAIN"
              SSPIOfferBasic Off
              SSPIOmitDomain On

              require valid-user
      </Proxy>
</VirtualHost>

Thanks,

- Will
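
Added example, not part of the original post or of the Apache project's documentation: one commonly used way to pass the authenticated user to a proxied backend on Apache 2.2. The `%{NAME}e` format in mod_headers reads a request environment variable, so this copies the user into one with mod_rewrite's `LA-U` look-ahead. The names `RU` and `X-Forwarded-User` are assumptions chosen for illustration.

```apache
# Added example (not from the original post). RU and X-Forwarded-User are
# hypothetical names; mod_rewrite and mod_headers must be loaded.
# Place inside the <VirtualHost>, replacing "RequestHeader set BLAH ...".

RewriteEngine On

# LA-U performs an internal look-ahead subrequest, so the authenticated
# user is available here even though mod_rewrite runs before the auth phase.
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]

# Drop any copy of the header supplied by the client, so the backend never
# receives a client-chosen identity (for example on unauthenticated paths).
RequestHeader unset X-Forwarded-User

# Set the header only when RU was populated by the rule above.
RequestHeader set X-Forwarded-User %{RU}e env=RU
```

Because the backend treats this header as the user's identity, it should accept connections only from the proxy host, not directly from clients.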

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.


