Re: accessing REMOTE_USER through an Apache proxy

I have tried a different approach by moving the RewriteRules into the Location directive.  With this configuration, the HTTP_REMOTE_USER variable is set and visible to the backend script and application.  However, REMOTE_USER is still blank.  Here is the alternate configuration:
------
<Location "/test">
        order deny,allow
        deny from all
        AuthType KerberosV5
        AuthName "W4restrict"
        KrbDefaultInstance net
        Satisfy any
        require valid-user
        RewriteEngine           on
        RewriteCond %{REMOTE_USER} (.+)
        RequestHeader Set Proxy-ip %{REMOTE_ADDR}e
        RequestHeader Set Host ourserver.com:443
        RequestHeader set REMOTE_USER %{REMOTE_USER}e
        RewriteRule ^/var/www/html/test/(.*) http://localhost/cgi-bin/test/$1 [P,L,E=REMOTE_USER:%{REMOTE_USER}]
</Location>
------
And here is what we see in rewrite.log:
------
192.168.213.159 - dab66 [29/Oct/2009:11:04:47 --0400] [ourserver.com/sid#8885358][rid#971a7d0/initial] (3) [per-dir /test/] add path info postfix: /var/www/html/test -> /var/www/html/test/remote.cgi
192.168.213.159 - dab66 [29/Oct/2009:11:04:47 --0400] [ourserver.com/sid#8885358][rid#971a7d0/initial] (3) [per-dir /test/] applying pattern '^/var/www/html/test/(.*)' to uri '/var/www/html/test/remote.cgi'
192.168.213.159 - dab66 [29/Oct/2009:11:04:47 --0400] [ourserver.com/sid#8885358][rid#971a7d0/initial] (4) RewriteCond: input='dab66' pattern='(.+)' => matched
192.168.213.159 - dab66 [29/Oct/2009:11:04:47 --0400] [ourserver.com/sid#8885358][rid#971a7d0/initial] (2) [per-dir /test/] rewrite /var/www/html/test/remote.cgi -> http://localhost/cgi-bin/test/remote.cgi
192.168.213.159 - dab66 [29/Oct/2009:11:04:47 --0400] [ourserver.com/sid#8885358][rid#971a7d0/initial] (5) setting env variable 'REMOTE_USER' to 'dab66'
192.168.213.159 - dab66 [29/Oct/2009:11:04:47 --0400] [ourserver.com/sid#8885358][rid#971a7d0/initial] (2) [per-dir /test/] forcing proxy-throughput with http://localhost/cgi-bin/test/remote.cgi
192.168.213.159 - dab66 [29/Oct/2009:11:04:47 --0400] [ourserver.com/sid#8885358][rid#971a7d0/initial] (1) [per-dir /test/] go-ahead with proxy request proxy:http://localhost/cgi-bin/test/remote.cgi [OK]
------

Any suggestions for passing REMOTE_USER through an Apache proxy would be greatly appreciated.

Many Thanks,
Devin
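As an added example (not Devin's or André's configuration), this fragment forwards the verified principal without any mod_rewrite lookahead, assuming Apache 2.4.10 or later, where RequestHeader can read REMOTE_USER through an expression; the header name X-Remote-User and the backend URL are assumptions.

```apache
# Front-end vhost fragment (Apache 2.4.10 or later; assumes mod_proxy,
# mod_proxy_http and mod_headers are loaded).  The backend URL and the
# header name X-Remote-User are placeholders.
<Location "/test">
    AuthType KerberosV5
    AuthName "W4restrict"
    Require valid-user

    # Drop any copy of the header the client may have sent, so the backend
    # is never handed a principal that this server did not verify.
    RequestHeader unset X-Remote-User

    # RequestHeader runs in the fixup phase, after authentication, so
    # REMOTE_USER is already populated here.  The condition keeps the header
    # absent (rather than empty) when no user was authenticated.
    RequestHeader set X-Remote-User "expr=%{REMOTE_USER}" "expr=-n %{REMOTE_USER}"

    # The backend sees this as the CGI variable HTTP_X_REMOTE_USER; its own
    # REMOTE_USER is only filled by authentication the backend performs itself.
    ProxyPass        http://localhost/cgi-bin/test/
    ProxyPassReverse http://localhost/cgi-bin/test/
</Location>
```

The backend must still accept X-Remote-User only from the proxy's address, since any client that can reach the backend directly could supply that header itself.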

On Oct 28, 2009, at 4:03 PM, Devin Bougie wrote:
... For what it's worth, I have tried inserting a RewriteCond to make sure the proxy only occurs when REMOTE_USER is set.  This cleaned up the rewrite.log file a bit, but the script is still not able to see REMOTE_USER.  Here is our updated configuration and rewrite.log.

------
######
# GlassFish proxy
ProxyPreserveHost       on

RewriteEngine           on
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteLog /var/log/httpd/rewrite.log
RewriteLogLevel 9

RequestHeader Set Proxy-keysize 512
RequestHeader Set Proxy-ip %{REMOTE_ADDR}e
RequestHeader Set Host ourserver.com:443
RequestHeader set REMOTE_USER %{LA-U:REMOTE_USER}e

RewriteRule ^/test$ /test/ [R,L]
RewriteRule ^/test/(.*) http://localhost/cgi-bin/test/$1 [P,L,E=REMOTE_USER:%{LA-U:REMOTE_USER}]
<Location "/test">
       order deny,allow
       deny from all
       AuthType KerberosV5
       AuthName "kerberos authentication"
       Satisfy any
       require valid-user
</Location>
------
... [rid#8e23fc0/initial] (2) init rewrite engine with requested uri /test/remote.cgi
... [rid#8e23fc0/initial] (3) applying pattern '^/test$' to uri '/test/remote.cgi'
... [rid#8e23fc0/initial] (3) applying pattern '^/test/(.*)' to uri '/test/remote.cgi'
... [rid#8e23fc0/initial] (2) rewrite /test/remote.cgi -> http://localhost/cgi-bin/test/remote.cgi
... [rid#8e38648/subreq] (2) init rewrite engine with requested uri /test/remote.cgi
... [rid#8e38648/subreq] (1) pass through /test/remote.cgi
... [rid#8e23fc0/initial] (5) lookahead: path=/test/remote.cgi var=REMOTE_USER -> val=dab66
... [rid#8e23fc0/initial] (5) setting env variable 'REMOTE_USER' to 'dab66'
... [rid#8e23fc0/initial] (2) forcing proxy-throughput with http://localhost/cgi-bin/test/remote.cgi
... [rid#8e23fc0/initial] (1) go-ahead with proxy request proxy:http://localhost/cgi-bin/test/remote.cgi [OK]
------

Our end goal is to proxy from the Apache server to a GlassFish Enterprise Server.  Just for reference, here is the rewrite.log for a request that's proxied to a GlassFish Web Application.
------
... [rid#8e23fc8/initial] (2) init rewrite engine with requested uri /HelloWeb/UserServlet
... [rid#8e23fc8/initial] (3) applying pattern '^/HelloWeb$' to uri '/HelloWeb/UserServlet'
... [rid#8e23fc8/initial] (3) applying pattern '^/HelloWeb/(.*)' to uri '/HelloWeb/UserServlet'
... [rid#8e23fc8/initial] (2) rewrite /HelloWeb/UserServlet -> http://localhost:38080/HelloWeb/UserServlet
... [rid#8e1ffb8/subreq] (2) init rewrite engine with requested uri /HelloWeb/UserServlet
... [rid#8e1ffb8/subreq] (1) pass through /HelloWeb/UserServlet
... [rid#8e23fc8/initial] (5) lookahead: path=/HelloWeb/UserServlet var=REMOTE_USER -> val=dab66
... [rid#8e23fc8/initial] (5) setting env variable 'REMOTE_USER' to 'dab66'
... [rid#8e23fc8/initial] (2) forcing proxy-throughput with http://localhost:38080/HelloWeb/UserServlet
... [rid#8e23fc8/initial] (1) go-ahead with proxy request proxy:http://localhost:38080/HelloWeb/UserServlet [OK]
------

Any suggestions would be greatly appreciated.  

Thank you again,
Devin

On Oct 28, 2009, at 11:15 AM, André Warnier wrote:

Devin Bougie wrote:
...

Hi.

I'll give you my interpretation, after looking at the log, not really at the configuration.

I think the confusion may be about when and where things happen exactly. And it is not really helped by your choice to proxy from your server to itself.

If you examine the log below, you will see different/distinct requests, identified by their respective "rid" number.

The first is the request rid#8aa28f8 that comes in originally, on your "first" server (before the proxying occurs).
That one does the proxying before your <Location /test> is even invoked (in my opinion).  So at that point, the authentication has not even happened, and REMOTE_USER is undefined or empty.
That request, you then proxy to your "second" server.

Now the proxied request comes in to your "second" server. That is request rid#8aa8908.  That one starts without a REMOTE_USER (see above), but then goes through the <Location> section, where it acquires an id.
But by then it is too late for proxying.

It would all probably be clearer if you set this up in two distinct VirtualHosts, and proxied from the first to the second.

Another thing is that Apache "environment variables" are kind of "virtual", in the sense that they exist inside of Apache, for the duration of one request.
When you proxy something to another server, this is a new request, and this other server does not magically inherit the environment of your first request in the first server.
To pass it on, you would have to set it in a header which you pass to the second server.  But then, you must have a value to pass, by the time you create the header.
Which does not seem to be the case here.

Hope that is clear.
As for me, I think I need a cup of coffee now.


------
######
# GlassFish proxy
ProxyPreserveHost       on
RewriteEngine           on
RewriteLog /var/log/httpd/rewrite.log
RewriteLogLevel 9
RequestHeader Set Proxy-keysize 512
RequestHeader Set Proxy-ip %{REMOTE_ADDR}e
RequestHeader Set Host ourserver.com:443
RequestHeader set REMOTE_USER %{LA-U:REMOTE_USER}e
RewriteRule ^/test$ /test/ [R,L]
RewriteRule ^/test/(.*) http://localhost/cgi-bin/test/$1 [P,L,E=REMOTE_USER:%{LA-U:REMOTE_USER}]
<Location "/test">
      order deny,allow
      deny from all
      AuthType KerberosV5
      AuthName "kerberos authentication"
      Satisfy any
      require valid-user
</Location>
------
And here is what I see in rewrite.log.  REMOTE_USER is eventually set properly, just not soon enough for the script.
------
... [rid#8aa28f8/initial] (2) init rewrite engine with requested uri /test/remote.cgi
... [rid#8aa28f8/initial] (3) applying pattern '^/test$' to uri '/test/remote.cgi'
... [rid#8aa28f8/initial] (3) applying pattern '^/test/(.*)' to uri '/test/remote.cgi'
... [rid#8aa28f8/initial] (2) rewrite /test/remote.cgi -> http://localhost/cgi-bin/test/remote.cgi
... [rid#8aa4900/subreq] (2) init rewrite engine with requested uri /test/remote.cgi
... [rid#8aa4900/subreq] (1) pass through /test/remote.cgi
... [rid#8aa28f8/initial] (5) lookahead: path=/test/remote.cgi var=REMOTE_USER -> val=
... [rid#8aa28f8/initial] (5) setting env variable 'REMOTE_USER' to ''
... [rid#8aa28f8/initial] (2) forcing proxy-throughput with http://localhost/cgi-bin/test/remote.cgi
... [rid#8aa28f8/initial] (1) go-ahead with proxy request proxy:http://localhost/cgi-bin/test/remote.cgi [OK]
... [rid#8aa8908/initial] (2) init rewrite engine with requested uri /test/remote.cgi
... [rid#8aa8908/initial] (3) applying pattern '^/test$' to uri '/test/remote.cgi'
... [rid#8aa8908/initial] (3) applying pattern '^/test/(.*)' to uri '/test/remote.cgi'
... [rid#8aa8908/initial] (2) rewrite /test/remote.cgi -> http://localhost/cgi-bin/test/remote.cgi
... [rid#8abcf90/subreq] (2) init rewrite engine with requested uri /test/remote.cgi
... [rid#8abcf90/subreq] (1) pass through /test/remote.cgi
... [rid#8aa8908/initial] (5) lookahead: path=/test/remote.cgi var=REMOTE_USER -> val=dab66
... [rid#8aa8908/initial] (5) setting env variable 'REMOTE_USER' to 'dab66'
... [rid#8aa8908/initial] (2) forcing proxy-throughput with http://localhost/cgi-bin/test/remote.cgi
... [rid#8aa8908/initial] (1) go-ahead with proxy request proxy:http://localhost/cgi-bin/test/remote.cgi [OK]
------
Any suggestions would be greatly appreciated.  Please let me know if there is any more information I can provide.
Many thanks,
Devin


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.