Hi André,
Thank you very much for your time and explanation. For what it's
worth, I have tried inserting a RewriteCond to make sure the proxy
only occurs when REMOTE_USER is set. This cleaned up the rewrite.log
file a bit, but the script is still not able to see REMOTE_USER. Here
is our updated configuration and rewrite.log.
------
######
# GlassFish proxy
ProxyPreserveHost on
RewriteEngine on
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteLog /var/log/httpd/rewrite.log
RewriteLogLevel 9
RequestHeader Set Proxy-keysize 512
RequestHeader Set Proxy-ip %{REMOTE_ADDR}e
RequestHeader Set Host ourserver.com:443
RequestHeader set REMOTE_USER %{LA-U:REMOTE_USER}e
RewriteRule ^/test$ /test/ [R,L]
RewriteRule ^/test/(.*) http://localhost/cgi-bin/test/$1
[P,L,E=REMOTE_USER:%{LA-U:REMOTE_USER}]
<Location "/test">
order deny,allow
deny from all
AuthType KerberosV5
AuthName "kerberos authentication"
Satisfy any
require valid-user
</Location>
------
... [rid#8e23fc0/initial] (2) init rewrite engine with requested uri /
test/remote.cgi
... [rid#8e23fc0/initial] (3) applying pattern '^/test$' to uri '/test/
remote.cgi'
... [rid#8e23fc0/initial] (3) applying pattern '^/test/(.*)' to uri '/
test/remote.cgi'
... [rid#8e23fc0/initial] (2) rewrite /test/remote.cgi ->
http://localhost/cgi-bin/test/remote.cgi
... [rid#8e38648/subreq] (2) init rewrite engine with requested uri /
test/remote.cgi
... [rid#8e38648/subreq] (1) pass through /test/remote.cgi
... [rid#8e23fc0/initial] (5) lookahead: path=/test/remote.cgi
var=REMOTE_USER -> val=dab66
... [rid#8e23fc0/initial] (5) setting env variable 'REMOTE_USER' to
'dab66'
... [rid#8e23fc0/initial] (2) forcing proxy-throughput with
http://localhost/cgi-bin/test/remote.cgi
... [rid#8e23fc0/initial] (1) go-ahead with proxy request proxy:http://
localhost/cgi-bin/test/remote.cgi [OK]
------
Our end goal is to proxy from the Apache server to a GlassFish
Enterprise Server. Just for reference, here is the rewrite.log for a
request that's proxied to a GlassFish Web Application.
------
... [rid#8e23fc8/initial] (2) init rewrite engine with requested uri /
HelloWeb/UserServlet
... [rid#8e23fc8/initial] (3) applying pattern '^/HelloWeb$' to uri '/
HelloWeb/UserServlet'
... [rid#8e23fc8/initial] (3) applying pattern '^/HelloWeb/(.*)' to
uri '/HelloWeb/UserServlet'
... [rid#8e23fc8/initial] (2) rewrite /HelloWeb/UserServlet ->
http://localhost:38080/HelloWeb/UserServlet
... [rid#8e1ffb8/subreq] (2) init rewrite engine with requested uri /
HelloWeb/UserServlet
... [rid#8e1ffb8/subreq] (1) pass through /HelloWeb/UserServlet
... [rid#8e23fc8/initial] (5) lookahead: path=/HelloWeb/UserServlet
var=REMOTE_USER -> val=dab66
... [rid#8e23fc8/initial] (5) setting env variable 'REMOTE_USER' to
'dab66'
... [rid#8e23fc8/initial] (2) forcing proxy-throughput with
http://localhost:38080/HelloWeb/UserServlet
... [rid#8e23fc8/initial] (1) go-ahead with proxy request proxy:http://
localhost:38080/HelloWeb/UserServlet [OK]
------
Any suggestions would be greatly appreciated.
Thank you again,
Devin
On Oct 28, 2009, at 11:15 AM, André Warnier wrote:
Devin Bougie wrote:
...
Hi.
I'll give you my interpretation, after looking at the log, not
really at the configuration.
I think the confusion may be about when and where, things happen
exactly. And it is not really helped by your choice to proxy from
your server to itself..
If you examine the log below, you will see different/distinct
requests, identified by their respective "rid" number.
The first is the request rid#8aa28f8 that comes in originally, on
your "first" server (before the proxying occurs).
That one does the proxying before your <Location /test> is even
invoked (in my opinion). So at that point, the authentication has
not even happened, and REMOTE_USER is undefined or empty.
That request, you then proxy to your "second" server.
Now the proxied request comes in to your "second" server. That is
request rid#8aa8908. That one starts without a REMOTE_USER (see
above), but then goes through the <Location> section, where it
acquires an id.
But by then it is too late for proxying..
It would all probably be clearer if you set this up in two distinct
VirtualHosts, and proxied from the first to the second.
Another thing, is that Apache "environment variables", are kind of
"virtual", in the sense that they exist inside of Apache, for the
duration of one request.
When you proxy something to another server, this is a new request,
and this other server does not magically inherit the environment of
your first request in the first server.
To pass it on, you would have to set it in a header which you pass
to the second server. But then, you must have a value to pass, by
the time you create the header.
Which does not seem to be the case here.
Hope that is clear.
As for me, I think I need a cup of coffee now.
------
######
# GlassFish proxy
ProxyPreserveHost on
RewriteEngine on
RewriteLog /var/log/httpd/rewrite.log
RewriteLogLevel 9
RequestHeader Set Proxy-keysize 512
RequestHeader Set Proxy-ip %{REMOTE_ADDR}e
RequestHeader Set Host ourserver.com:443
RequestHeader set REMOTE_USER %{LA-U:REMOTE_USER}e
RewriteRule ^/test$ /test/ [R,L]
RewriteRule ^/test/(.*) http://localhost/cgi-bin/test/$1
[P,L,E=REMOTE_USER:%{LA-U:REMOTE_USER}]
<Location "/test">
order deny,allow
deny from all
AuthType KerberosV5
AuthName "kerberos authentication"
Satisfy any
require valid-user
</Location>
------
And here is what I see in rewrite.log. REMOTE_USER is eventually
set properly, just not soon enough for the script.
------
... [rid#8aa28f8/initial] (2) init rewrite engine with requested
uri /test/remote.cgi
... [rid#8aa28f8/initial] (3) applying pattern '^/test$' to uri '/
test/remote.cgi'
... [rid#8aa28f8/initial] (3) applying pattern '^/test/(.*)' to uri
'/test/remote.cgi'
... [rid#8aa28f8/initial] (2) rewrite /test/remote.cgi ->
http://localhost/cgi-bin/test/remote.cgi
... [rid#8aa4900/subreq] (2) init rewrite engine with requested
uri /test/remote.cgi
... [rid#8aa4900/subreq] (1) pass through /test/remote.cgi
... [rid#8aa28f8/initial] (5) lookahead: path=/test/remote.cgi
var=REMOTE_USER -> val=
... [rid#8aa28f8/initial] (5) setting env variable 'REMOTE_USER' to
''
... [rid#8aa28f8/initial] (2) forcing proxy-throughput with
http://localhost/cgi-bin/test/remote.cgi
... [rid#8aa28f8/initial] (1) go-ahead with proxy request
proxy:http://localhost/cgi-bin/test/remote.cgi [OK]
... [rid#8aa8908/initial] (2) init rewrite engine with requested
uri /test/remote.cgi
... [rid#8aa8908/initial] (3) applying pattern '^/test$' to uri '/
test/remote.cgi'
... [rid#8aa8908/initial] (3) applying pattern '^/test/(.*)' to uri
'/test/remote.cgi'
... [rid#8aa8908/initial] (2) rewrite /test/remote.cgi ->
http://localhost/cgi-bin/test/remote.cgi
... [rid#8abcf90/subreq] (2) init rewrite engine with requested
uri /test/remote.cgi
... [rid#8abcf90/subreq] (1) pass through /test/remote.cgi
... [rid#8aa8908/initial] (5) lookahead: path=/test/remote.cgi
var=REMOTE_USER -> val=dab66
... [rid#8aa8908/initial] (5) setting env variable 'REMOTE_USER' to
'dab66'
... [rid#8aa8908/initial] (2) forcing proxy-throughput with
http://localhost/cgi-bin/test/remote.cgi
... [rid#8aa8908/initial] (1) go-ahead with proxy request
proxy:http://localhost/cgi-bin/test/remote.cgi [OK]
------
Any suggestions would be greatly appreciated. Please let me know
if there is any more information I can provide.
Many thanks,
Devin
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
" from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org