I have tried a different approach by moving the RewriteRules into the
Location directive. With this configuration, the HTTP_REMOTE_USER
variable is set and visible by the backend script and application.
However, REMOTE_USER is still blank. Here is the alternate
configuration:
------
<Location "/test">
order deny,allow
deny from all
AuthType KerberosV5
AuthName "W4restrict"
KrbDefaultInstance net
Satisfy any
require valid-user
RewriteEngine on
RewriteCond %{REMOTE_USER} (.+)
RequestHeader Set Proxy-ip %{REMOTE_ADDR}e
RequestHeader Set Host ourserver.com:443
RequestHeader set REMOTE_USER %{REMOTE_USER}e
RewriteRule ^/var/www/html/test/(.*) http://localhost/cgi-bin/test/$1
[P,L,E=REMOTE_USER:%{REMOTE_USER}]
</Location>
------
And here is what we see in rewrite.log:
------
192.168.213.159 - dab66 [29/Oct/2009:11:04:47 --0400] [ourserver.com/sid#8885358][rid#971a7d0/initial
] (3) [per-dir /test/] add path info postfix: /var/www/html/test -> /
var/www/html/test/remote.cgi
192.168.213.159 - dab66 [29/Oct/2009:11:04:47 --0400] [ourserver.com/sid#8885358][rid#971a7d0/initial
] (3) [per-dir /test/] applying pattern '^/var/www/html/test/(.*)' to
uri '/var/www/html/test/remote.cgi'
192.168.213.159 - dab66 [29/Oct/2009:11:04:47 --0400] [ourserver.com/sid#8885358][rid#971a7d0/initial
] (4) RewriteCond: input='dab66' pattern='(.+)' => matched
192.168.213.159 - dab66 [29/Oct/2009:11:04:47 --0400] [ourserver.com/sid#8885358][rid#971a7d0/initial
] (2) [per-dir /test/] rewrite /var/www/html/test/remote.cgi -> http://localhost/cgi-bin/test/remote.cgi
192.168.213.159 - dab66 [29/Oct/2009:11:04:47 --0400] [ourserver.com/sid#8885358][rid#971a7d0/initial
] (5) setting env variable 'REMOTE_USER' to 'dab66'
192.168.213.159 - dab66 [29/Oct/2009:11:04:47 --0400] [ourserver.com/sid#8885358][rid#971a7d0/initial
] (2) [per-dir /test/] forcing proxy-throughput with http://localhost/cgi-bin/test/remote.cgi
192.168.213.159 - dab66 [29/Oct/2009:11:04:47 --0400] [ourserver.com/sid#8885358][rid#971a7d0/initial
] (1) [per-dir /test/] go-ahead with proxy request proxy:http://
localhost/cgi-bin/test/remote.cgi [OK]
------
Any suggestions for passing REMOTE_USER through an Apache proxy would
be greatly appreciated.
Many Thanks,
Devin
On Oct 28, 2009, at 4:03 PM, Devin Bougie wrote:
... For what it's worth, I have tried inserting a RewriteCond to
make sure the proxy only occurs when REMOTE_USER is set. This
cleaned up the rewrite.log file a bit, but the script is still not
able to see REMOTE_USER. Here is our updated configuration and
rewrite.log.
------
######
# GlassFish proxy
ProxyPreserveHost on
RewriteEngine on
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteLog /var/log/httpd/rewrite.log
RewriteLogLevel 9
RequestHeader Set Proxy-keysize 512
RequestHeader Set Proxy-ip %{REMOTE_ADDR}e
RequestHeader Set Host ourserver.com:443
RequestHeader set REMOTE_USER %{LA-U:REMOTE_USER}e
RewriteRule ^/test$ /test/ [R,L]
RewriteRule ^/test/(.*) http://localhost/cgi-bin/test/$1
[P,L,E=REMOTE_USER:%{LA-U:REMOTE_USER}]
<Location "/test">
order deny,allow
deny from all
AuthType KerberosV5
AuthName "kerberos authentication"
Satisfy any
require valid-user
</Location>
------
... [rid#8e23fc0/initial] (2) init rewrite engine with requested
uri /test/remote.cgi
... [rid#8e23fc0/initial] (3) applying pattern '^/test$' to uri '/
test/remote.cgi'
... [rid#8e23fc0/initial] (3) applying pattern '^/test/(.*)' to uri
'/test/remote.cgi'
... [rid#8e23fc0/initial] (2) rewrite /test/remote.cgi ->
http://localhost/cgi-bin/test/remote.cgi
... [rid#8e38648/subreq] (2) init rewrite engine with requested uri /
test/remote.cgi
... [rid#8e38648/subreq] (1) pass through /test/remote.cgi
... [rid#8e23fc0/initial] (5) lookahead: path=/test/remote.cgi
var=REMOTE_USER -> val=dab66
... [rid#8e23fc0/initial] (5) setting env variable 'REMOTE_USER' to
'dab66'
... [rid#8e23fc0/initial] (2) forcing proxy-throughput with
http://localhost/cgi-bin/test/remote.cgi
... [rid#8e23fc0/initial] (1) go-ahead with proxy request
proxy:http://localhost/cgi-bin/test/remote.cgi [OK]
------
Our end goal is to proxy from the Apache server to a GlassFish
Enterprise Server. Just for reference, here is the rewrite.log for
a request that's proxied to a GlassFish Web Application.
------
... [rid#8e23fc8/initial] (2) init rewrite engine with requested
uri /HelloWeb/UserServlet
... [rid#8e23fc8/initial] (3) applying pattern '^/HelloWeb$' to uri
'/HelloWeb/UserServlet'
... [rid#8e23fc8/initial] (3) applying pattern '^/HelloWeb/(.*)' to
uri '/HelloWeb/UserServlet'
... [rid#8e23fc8/initial] (2) rewrite /HelloWeb/UserServlet ->
http://localhost:38080/HelloWeb/UserServlet
... [rid#8e1ffb8/subreq] (2) init rewrite engine with requested uri /
HelloWeb/UserServlet
... [rid#8e1ffb8/subreq] (1) pass through /HelloWeb/UserServlet
... [rid#8e23fc8/initial] (5) lookahead: path=/HelloWeb/UserServlet
var=REMOTE_USER -> val=dab66
... [rid#8e23fc8/initial] (5) setting env variable 'REMOTE_USER' to
'dab66'
... [rid#8e23fc8/initial] (2) forcing proxy-throughput with
http://localhost:38080/HelloWeb/UserServlet
... [rid#8e23fc8/initial] (1) go-ahead with proxy request
proxy:http://localhost:38080/HelloWeb/UserServlet [OK]
------
Any suggestions would be greatly appreciated.
Thank you again,
Devin
On Oct 28, 2009, at 11:15 AM, André Warnier wrote:
Devin Bougie wrote:
...
Hi.
I'll give you my interpretation, after looking at the log, not
really at the configuration.
I think the confusion may be about when and where, things happen
exactly. And it is not really helped by your choice to proxy from
your server to itself..
If you examine the log below, you will see different/distinct
requests, identified by their respective "rid" number.
The first is the request rid#8aa28f8 that comes in originally, on
your "first" server (before the proxying occurs).
That one does the proxying before your <Location /test> is even
invoked (in my opinion). So at that point, the authentication has
not even happened, and REMOTE_USER is undefined or empty.
That request, you then proxy to your "second" server.
Now the proxied request comes in to your "second" server. That is
request rid#8aa8908. That one starts without a REMOTE_USER (see
above), but then goes through the <Location> section, where it
acquires an id.
But by then it is too late for proxying..
It would all probably be clearer if you set this up in two distinct
VirtualHosts, and proxied from the first to the second.
Another thing, is that Apache "environment variables", are kind of
"virtual", in the sense that they exist inside of Apache, for the
duration of one request.
When you proxy something to another server, this is a new request,
and this other server does not magically inherit the environment of
your first request in the first server.
To pass it on, you would have to set it in a header which you pass
to the second server. But then, you must have a value to pass, by
the time you create the header.
Which does not seem to be the case here.
Hope that is clear.
As for me, I think I need a cup of coffee now.
------
######
# GlassFish proxy
ProxyPreserveHost on
RewriteEngine on
RewriteLog /var/log/httpd/rewrite.log
RewriteLogLevel 9
RequestHeader Set Proxy-keysize 512
RequestHeader Set Proxy-ip %{REMOTE_ADDR}e
RequestHeader Set Host ourserver.com:443
RequestHeader set REMOTE_USER %{LA-U:REMOTE_USER}e
RewriteRule ^/test$ /test/ [R,L]
RewriteRule ^/test/(.*) http://localhost/cgi-bin/test/$1
[P,L,E=REMOTE_USER:%{LA-U:REMOTE_USER}]
<Location "/test">
order deny,allow
deny from all
AuthType KerberosV5
AuthName "kerberos authentication"
Satisfy any
require valid-user
</Location>
------
And here is what I see in rewrite.log. REMOTE_USER is eventually
set properly, just not soon enough for the script.
------
... [rid#8aa28f8/initial] (2) init rewrite engine with requested
uri /test/remote.cgi
... [rid#8aa28f8/initial] (3) applying pattern '^/test$' to uri '/
test/remote.cgi'
... [rid#8aa28f8/initial] (3) applying pattern '^/test/(.*)' to
uri '/test/remote.cgi'
... [rid#8aa28f8/initial] (2) rewrite /test/remote.cgi ->
http://localhost/cgi-bin/test/remote.cgi
... [rid#8aa4900/subreq] (2) init rewrite engine with requested
uri /test/remote.cgi
... [rid#8aa4900/subreq] (1) pass through /test/remote.cgi
... [rid#8aa28f8/initial] (5) lookahead: path=/test/remote.cgi
var=REMOTE_USER -> val=
... [rid#8aa28f8/initial] (5) setting env variable 'REMOTE_USER'
to ''
... [rid#8aa28f8/initial] (2) forcing proxy-throughput with
http://localhost/cgi-bin/test/remote.cgi
... [rid#8aa28f8/initial] (1) go-ahead with proxy request
proxy:http://localhost/cgi-bin/test/remote.cgi [OK]
... [rid#8aa8908/initial] (2) init rewrite engine with requested
uri /test/remote.cgi
... [rid#8aa8908/initial] (3) applying pattern '^/test$' to uri '/
test/remote.cgi'
... [rid#8aa8908/initial] (3) applying pattern '^/test/(.*)' to
uri '/test/remote.cgi'
... [rid#8aa8908/initial] (2) rewrite /test/remote.cgi ->
http://localhost/cgi-bin/test/remote.cgi
... [rid#8abcf90/subreq] (2) init rewrite engine with requested
uri /test/remote.cgi
... [rid#8abcf90/subreq] (1) pass through /test/remote.cgi
... [rid#8aa8908/initial] (5) lookahead: path=/test/remote.cgi
var=REMOTE_USER -> val=dab66
... [rid#8aa8908/initial] (5) setting env variable 'REMOTE_USER'
to 'dab66'
... [rid#8aa8908/initial] (2) forcing proxy-throughput with
http://localhost/cgi-bin/test/remote.cgi
... [rid#8aa8908/initial] (1) go-ahead with proxy request
proxy:http://localhost/cgi-bin/test/remote.cgi [OK]
------
Any suggestions would be greatly appreciated. Please let me know
if there is any more information I can provide.
Many thanks,
Devin
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
" from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
