httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Brian Hughes '89" <bria...@Alum.Dartmouth.ORG>
Subject Re: [users@httpd] authenticating reverse proxy
Date Fri, 08 Apr 2005 15:44:28 GMT
On Apr 8, 2005, at 11:14 AM, Bud P. Bruegger wrote:
> I am seeking advice on how to configure an Apache 2 reverse proxy that 
> handles authentication for a numer of http servers behind it.  So far, 
> I managed to set up a reverse proxy that handles authentication 
> (currently http basic for testing, later X.509 and combinations).
>
> What I have problems with is how to propagate authentication 
> information (REMOTE_USER, AUTH_TYPE, and possibly some SSL specific 
> data) to the httpd that is "protected" by the reverse proxy.  Ideally, 
> I would like a setup in which the http/application server behind the 
> proxy behaves as if it had performed HTTP Basic Authentication itself. 
>  This way, any kind of dynamic application (cgi, php, tomcat, zope, 
> twisted, etc.) would be able to use its standard authentication APIs.  
> Ideally, I would like to find an approach that works with various 
> kinds of http daemons or at least one that requires only simple 
> interventions on the httpds (i.e., better configuration than a custom 
> module that has to be written for any type of httpd).
>
> I have made initial experiments using RequestHeader (from mod-headers) 
> to propagate the info.  But I currently don't manage to access the 
> REMOTE_USER environment variable on the proxy (RequestHeader add 
> PropagatedRemoteUser "%{REMOTE_USER}e" fails to propagate any value).  
> Also, I don't know whether it is possible to use mod-headers  on the 
> "protected" httpd (assuming it is Apache) to copy this propagated 
> value to REMOTE_USER.  But probably there are better approaches in the 
> first place.

Actually, I'd say that you've hit upon the "right way" to pass the 
authenticated information back to the application, through the proxy. 
However, you don't show us how you are actually doing the proxy 
hand-off. This can make a big difference as to what does and doesn't 
get passed.

Here's a snippet from the ssl.conf file on one of my web app servers. 
I'm using Apache to proxy/terminate the SSL, do client cert 
authentication and pass the authentication info back to application via 
reverse-proxy. The key thing here is using Rewrite engine for the 
proxy, not ProxyPass...

-----------------------

<Location /foo>
     RewriteEngine on

     # Get the SSL client cert data, if present,  and store in a 
temporary
     # environment variable after we select it a RewriteCond backref.
     # Then that env var an HTTP  header for the proxy request
     RewriteCond %{SSL:SSL_CLIENT_VERIFY} (.*)
     RewriteRule .* - [E=SSLC_ON:%1]
     RequestHeader add X-SSL-Client-On %{SSLC_ON}e

     # Do the same with the SSL client's authenticated name
     RewriteCond %{SSL:SSL_CLIENT_S_DN_CN} (.*)
     RewriteRule .* - [E=SSLC_NAME:%1]
     RequestHeader add X-SSL-Client-Name %{SSLC_NAME}e

     # Special conditional for when the incoming request has a query 
string.
     # Store the query string in a RewriteCond back-reference, so we can 
add
     # it into the proxy HTTP request
     RewriteCond %{QUERY_STRING} (.+)
     RewriteRule (foo.*) http://127.0.0.1:8080/$1?%1 [P,L]

     # Standard proxy request, for when there's no query string in the 
URL
     RewriteRule (foo.*) http://127.0.0.1:8080/$1 [P,L]
</Location>

-----------------------

-Brian


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message