httpd-users mailing list archives

From "Brian Hughes '89" <bria...@Alum.Dartmouth.ORG>
Subject Re: [users@httpd] authenticating reverse proxy
Date Fri, 08 Apr 2005 18:40:37 GMT
On Apr 8, 2005, at 12:26 PM, Bud P. Bruegger wrote:
> Actually I did use ProxyPass:
>
> <Location /bud>
> Allow from all
> ProxyPass http://www.gol.grosseto.it/cgi-bin/test-env
> ProxyPassReverse http://www.gol.grosseto.it/cgi-bin/test-env
> AuthType Basic
> AuthName "budRealm"
> AuthUserFile /var/www/budPwd
> Require user bud ezio
> RequestHeader add Remote_User "%{REMOTE_USER}e"
> </Location>

Hmm... the top-down ordering of your directives seems off. Were I doing 
this I would definitely put the ProxyPass and ProxyPassReverse 
statements at the very bottom of the <Location> block. That won't 
necessarily ensure that your RequestHeader line will be added, but you 
have a much better chance of it being picked up if you put that 
statement before/above your proxy statements.

> thanks for the conf snippet. I did some tests and it just works.

Glad to hear it.

> Why is there such a difference between mod-rewrite and mod-proxy?  I 
> thought that mod-rewrite was using mod-proxy to do its work..

I don't have an answer for that, really. But about the only thing I'm 
sure of is mod_rewrite is using the parts of mod_proxy that set up the 
X-Forwarded headers. Beyond that, I'm not sure.

> Also, why is the env variable REMOTE_USER not directly available to 
> mod-headers?

I'd be very surprised if it wasn't. I think this is related to the 
order in which you are defining your directives.

> So now (thanks to your help!) I manage to propagate the user info.  
> Any suggestions how to fake basic authentication on the application 
> server?  Can I simply use RequestHeader add REMOTE_USER for this?

That would depend on the application server... but I'm not sure if you 
can fake the encoding of the WWW-Authenticate header. Maybe for Basic 
(not sure how;), but I don't see any way to fake a Digest authenticate 
header, if you plan to make use of the more secure method...

-Brian


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
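
Added example, not part of the original message or of any code from the thread: a sketch of how the application server could consume the `Remote_User` header set by the proxy configuration quoted above, accepting it only from the proxy's address and only when it carries a single value. The proxy address, the WSGI setting and all function and class names are assumptions.

```python
import ipaddress

# Assumptions, not from the thread: the proxy's address (constructed sample)
# and a WSGI application server, where "Remote_User" arrives as HTTP_REMOTE_USER.
TRUSTED_PROXIES = {ipaddress.ip_address("192.0.2.10")}
USER_KEY = "HTTP_REMOTE_USER"


def proxy_user(environ):
    """Return the user name asserted by the proxy, or None if untrustworthy."""
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return None
    if peer not in TRUSTED_PROXIES:
        return None  # request bypassed the authenticating proxy
    value = environ.get(USER_KEY, "").strip()
    # "RequestHeader add" appends to a header the client may already have sent;
    # servers commonly join repeated headers with commas, so reject those.
    # mod_headers writes "(null)" when the variable it formats is unset.
    if not value or "," in value or value == "(null)":
        return None
    return value


class ProxyAuthMiddleware:
    """Expose the proxy-asserted user to the application as REMOTE_USER."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        user = proxy_user(environ)
        if user is None:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"no identity asserted by the proxy\n"]
        environ["REMOTE_USER"] = user
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Constructed sample application that echoes the authenticated user."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ["REMOTE_USER"].encode()]
```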