Hi all

httpd 2.2.11, prefork MPM, FreeBSD 7.2

I'm trying to pass the REMOTE_USER variable, as determined by the
reverse proxy, to a backend application server. The main reason to do
this is to offload authnz to the proxy, and to keep all this centralised
in one place. The authn module that will actually be providing the
REMOTE_USER is a custom SAML single sign on auth module (hence the wish
for centralising it), but for my testing, I am just using basic auth.

When I STFW, I found this blog post[1] describing how to achieve this,
but implementing it did not seem to work. Here is the sample vhost I am
attempting to use it with:

<VirtualHost *:80>
  ServerName strangepork
  DocumentRoot /usr/local/www/htdocs

  <Directory /usr/local/www/htdocs>
    Order allow,deny
    Allow from all
  </Directory>

  <Location />
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /usr/local/etc/apache22/passwords
    Require valid-user
  </Location>

  RewriteEngine on
  RewriteLog /var/log/httpd-rewrite.log
  RewriteLogLevel 5

  RewriteCond %{LA-U:REMOTE_USER} (.*)
  RewriteRule .* - [E=X_REMOTE_USER:%1]

  RequestHeader set X-UserID %{X_REMOTE_USER}e
  ProxyPass / http://strangepork:1080/
</VirtualHost>
Here is the pertinent part of the rewrite log (I've trimmed a lot of the
fields, but they aren't interesting I don't think):

[rid#8264058/initial] (2) init rewrite engine with requested uri /
[rid#8264058/initial] (3) applying pattern '.*' to uri '/'
[rid#8268058/subreq] (2) init rewrite engine with requested uri /
[rid#8268058/subreq] (3) applying pattern '.*' to uri '/'
[rid#8268058/subreq] (4) RewriteCond: input='' pattern='(.*)' => matched
[rid#8268058/subreq] (5) setting env variable 'X_REMOTE_USER' to ''
[rid#8268058/subreq] (1) pass through /
[rid#8264058/initial] (5) lookahead: path=/ var=REMOTE_USER -> val=
[rid#8264058/initial] (4) RewriteCond: input='' pattern='(.*)' => matched
[rid#8264058/initial] (5) setting env variable 'X_REMOTE_USER' to ''
[rid#8264058/initial] (1) pass through /

The user is definitely authenticated, as the access log shows:

10.0.11.202 - tom [07/Jul/2009:14:13:38 +0100] "GET / HTTP/1.1" 200 3
"-" "Mozilla/5.0 (X11; U; FreeBSD i386; en-GB; rv:1.9.0.10)
Gecko/2009050702 Firefox/3.0.10"

Any thoughts?

Cheers

Tom

[1] http://agilewebdevelopment.com/plugins/authenticate_as_remote_user
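Whatever makes the lookahead work, the X-UserID header the vhost above forwards is what the backend at strangepork:1080 will treat as the authenticated identity, so the backend must accept it only from the proxy and must not mistake an empty value (what the rewrite log shows being set) for a user. The following is an added example, not code from the post; it assumes a WSGI backend and that the proxy reaches it from 127.0.0.1 (the ProxyPass target is the same host as the ServerName):

```python
# Added example (not from Tom's post): backend-side guard for the X-UserID
# header that the proxy vhost forwards. The backend trusts the header only
# on connections that come from the proxy itself, and treats an empty value
# as "not authenticated" rather than as a user named "".
import ipaddress

# Assumption: the reverse proxy reaches the backend from this address.
TRUSTED_PROXIES = {ipaddress.ip_address("127.0.0.1")}


def remote_user_from(environ):
    """Return the proxy-asserted user from a WSGI environ, or None.

    WSGI convention: REMOTE_ADDR is the TCP peer and the X-UserID request
    header is exposed as HTTP_X_USERID.
    """
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return None
    if peer not in TRUSTED_PROXIES:
        # The header arrived straight from a client, not via the proxy.
        return None
    user = environ.get("HTTP_X_USERID", "").strip()
    # The rewrite log in the post shows X_REMOTE_USER set to '', which would
    # forward an empty header; an empty string is not an identity.
    return user or None


# Constructed sample requests, not real traffic.
FROM_PROXY = {"REMOTE_ADDR": "127.0.0.1", "HTTP_X_USERID": "tom"}
FROM_PROXY_EMPTY = {"REMOTE_ADDR": "127.0.0.1", "HTTP_X_USERID": ""}
DIRECT_CLIENT = {"REMOTE_ADDR": "10.0.11.202", "HTTP_X_USERID": "admin"}

if __name__ == "__main__":
    for env in (FROM_PROXY, FROM_PROXY_EMPTY, DIRECT_CLIENT):
        print(env["REMOTE_ADDR"], "->", remote_user_from(env))
```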


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.