Passing REMOTE_USER from reverse proxy to app server

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi all

httpd 2.2.11, prefork MPM, FreeBSD 7.2

I'm trying to pass the REMOTE_USER variable, as determined by the
reverse proxy, to a backend application server. The main reason to do
this is to offload authnz to the proxy, and to keep all this centralised
in one place. The authn module that will actually be providing the
REMOTE_USER is a custom SAML single sign on auth module (hence the wish
for centralising it), but for my testing, I am just using basic auth.

When I STFW, I found this blog post[1] describing how to achieve this,
but implementing it did not seem to work. Here is the sample vhost I am
attempting to use it with:

<VirtualHost *:80>
  ServerName strangepork
  DocumentRoot /usr/local/www/htdocs

  <Directory /usr/local/www/htdocs>
    Order allow,deny
    Allow from all
  </Directory> 
    
  <Location />
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /usr/local/etc/apache22/passwords
    Require valid-user
  </Location>

  RewriteEngine on
  RewriteLog /var/log/httpd-rewrite.log
  RewriteLogLevel 5

  RewriteCond %{LA-U:REMOTE_USER} (.*)
  RewriteRule .* - [E=X_REMOTE_USER:%1]

  RequestHeader set X-UserID %{X_REMOTE_USER}e
  ProxyPass / http://strangepork:1080/
</VirtualHost>


Here is the pertinent part of the rewrite log (I've trimmed a lot of the
fields, but they aren't interesting I don't think):

[rid#8264058/initial] (2) init rewrite engine with requested uri /
[rid#8264058/initial] (3) applying pattern '.*' to uri '/'
[rid#8268058/subreq] (2) init rewrite engine with requested uri /
[rid#8268058/subreq] (3) applying pattern '.*' to uri '/'
[rid#8268058/subreq] (4) RewriteCond: input='' pattern='(.*)' => matched
[rid#8268058/subreq] (5) setting env variable 'X_REMOTE_USER' to ''
[rid#8268058/subreq] (1) pass through /
[rid#8264058/initial] (5) lookahead: path=/ var=REMOTE_USER -> val=
[rid#8264058/initial] (4) RewriteCond: input='' pattern='(.*)' => matched
[rid#8264058/initial] (5) setting env variable 'X_REMOTE_USER' to ''
[rid#8264058/initial] (1) pass through /

The user is definitely authenticated, as the access log shows:

10.0.11.202 - tom [07/Jul/2009:14:13:38 +0100] "GET / HTTP/1.1" 200 3
"-" "Mozilla/5.0 (X11; U; FreeBSD i386; en-GB; rv:1.9.0.10)
Gecko/2009050702 Firefox/3.0.10"

Any thoughts? 

Cheers

Tom

[1] http://agilewebdevelopment.com/plugins/authenticate_as_remote_user


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux