Server Bug Fix: REMOTE_USER through Apache reverse proxy

I have an Apache webserver with mod_proxy enabled and a VirtualHost, proxy.domain.com. This proxy is configured to prompt the user for credentials with AuthType Basic. Then, the content of web.domain.com is available through the proxy with ProxyPass and ProxyReverse. However, the REMOTE_USER variable is empty. I read different things to achieve this with mod_rewrite and mod_headers but all my tries have failed. Has anybody been luckier than me?

Thanks.

This is possible with mod_headers, mod_rewrite, and mod_proxy.

On the proxy, I assume you have your authentication working and setting REMOTE_USER appropriately. If so, then put the value of REMOTE_USER into a Proxy-User header to the backend like this:

# note mod_rewrite's lookahead option
RewriteRule .* - [E=PROXY_USER:%{LA-U:REMOTE_USER}]
RequestHeader set Proxy-User %{PROXY_USER}e

Here’s what happens:

  1. The RewriteRule fires for every request and sets the environment variable PROXY_USER equal to the value of REMOTE_USER, which should have been set already by an auth module.
  2. The RequestHeader sets a request header named Proxy-User with the value of PROXY_USER

Now on the backend, you can pull that header value and set REMOTE_USER like this:

RewriteCond %{HTTP:Proxy-user} ^(.*)$
RewriteRule .* - [E=REMOTE_USER:%1]

Here’s what happens:

  1. The RewriteCondition checks the value of the Proxy-User header to see if it matches the pattern ^.*$ (which it will). The parentheses tell mod_rewrite to store that value in %1.
  2. The RewriteRule then sets the environment variable REMOTE_USER with the value in %1.

On Apache 2.4, trying to get the env vars produced by mod_authnz_ldap and mod_kerb, this is what worked.

Let’s say you are looking for AUTHORIZE_sAMAccountName,

RewriteEngine On
RewriteRule .* - [E=THE_ACCOUNT_NAME:%{ENV:AUTHORIZE_sAMAccountName}] 
RequestHeader set MY_ACCOUNT_NAME %{THE_ACCOUNT_NAME}e

After that, the HEADER can be for example logged:

CustomLog /tmp/custom.log "%h %l %u %t \"%r\" %>s %b %{MY_ACCOUNT_NAME}i"

On the backend side you can also use standard mod_auth_basic if you don’t want to mess with mod_rewrite. Assuming you pass the user in as X-Remote-User:

<Location />
  AuthBasicFake "%{HTTP:X-Remote-User}" "password"
</Location>

This only works in 2.4 but has the extra benefit of setting up the other aspects of true mod_auth (i.e. PHP’s auth support).

Example to populate header X-Remote-User with the content of REMOTE_USER variable after being authenticated and send that header to a backend proxy (Apache 2.4.6).

# Example for Apache 2.4.6

<VirtualHost *:80>

RewriteEngine on
<Location />

    ###############################################
    # Your authentication logic here
    AuthType .......
    AuthName .......
    AuthBasicProvider .......
    .... etc
    Require valid-user
    ###############################################

    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule . - [E=RU:%1]
    RequestHeader set X-Remote-User %{RU}e

</Location>

    ProxyTimeout 300
    ProxyPass / http://localhost:81/
    ProxyPassReverse / http://localhost:81/

</VirtualHost>
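
The X-Remote-User variant from the answers above, proxy and backend together, as an added example that is not part of the original thread. It assumes a file-based Basic auth provider with a constructed htpasswd path and a backend bound to 127.0.0.1:81, and it adds two things the answers do not show: the proxy clears any client-supplied X-Remote-User before setting its own, and the backend accepts connections only from the proxy, since it trusts the header without checking it.

```apache
# Added example. The htpasswd path, the loopback binding and the
# env=RU condition are assumptions, not taken from the answers.

# --- Front proxy: authenticates, then forwards the user name ---
<VirtualHost *:80>
    ServerName proxy.domain.com
    RewriteEngine on

    <Location />
        AuthType Basic
        AuthName "proxy"
        AuthBasicProvider file
        # constructed path, point this at your own htpasswd file
        AuthUserFile /etc/apache2/proxy.htpasswd
        Require valid-user

        # Drop whatever X-Remote-User the client sent, then set the
        # header only when the auth module produced a user name.
        RequestHeader unset X-Remote-User
        RewriteCond %{LA-U:REMOTE_USER} (.+)
        RewriteRule . - [E=RU:%1]
        RequestHeader set X-Remote-User %{RU}e env=RU
    </Location>

    ProxyTimeout 300
    ProxyPass / http://127.0.0.1:81/
    ProxyPassReverse / http://127.0.0.1:81/
</VirtualHost>

# --- Backend: trusts the header, so only the proxy may reach it ---
Listen 127.0.0.1:81
<VirtualHost 127.0.0.1:81>
    RewriteEngine on

    # Copy the forwarded user name into REMOTE_USER.
    RewriteCond %{HTTP:X-Remote-User} (.+)
    RewriteRule . - [E=REMOTE_USER:%1]

    <Location />
        # Refuse anything that does not come from the local proxy.
        Require ip 127.0.0.1
    </Location>
</VirtualHost>
```

This needs mod_proxy, mod_proxy_http, mod_rewrite, mod_headers, mod_authn_file and mod_authz_host loaded; if the backend runs on another host, replace the loopback addresses with the backend's listen address and the proxy's source address.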
