httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bud P. Bruegger" <...@comune.grosseto.it>
Subject Re: [users@httpd] apache as reverse-proxy : forwarding SSL environment variables
Date Tue, 14 Jun 2005 13:34:01 GMT
At 09.20 14/06/2005 -0400, you wrote:
>I've posted examples of how to do this to the list a few times over the 
>past several months. If you have trouble finding them in one of the 
>archives, let me know and I'll send the example conf statements directly 
>to you.
>
>-Brian

Hi Brian et al.

here my digestion of what you proposed..  [comments welcome]

Thanks to help from the Apache users mailing list, here is a setup for 
authenticating with a reverse proxy (i.e., OpenPortalGuard gate keeper).

Objective:
A reverse-proxy handles all the authentication for multilple application 
servers behind the proxy.  The application servers behave as if they had 
handled the authentication themselves (with HTTP BASIC).

Requirements:
The described setup requires Apache 2.0 or higher on the remote proxy 
(because only apache 2 adds the RequestHeader directive in 
mod-headers).  Currently, only Apache 1.3 has been tested as application 
server--but higher versions of Apache should work too.  It should be 
independent on what application server is run (tested with cgi, but also 
tomcat via mod-jk, php, quixote via mod-scgi, ecc. should work--this has to 
be verified)

Authentication Methods:
Currently, the described setup has been tested with straight HTTP BASIC 
Authentication.  But I believe it should equally work for more useful 
authentication methods including:
- HTTP BASIC over ssl with user DB on LDAP (mod-ssl with mod-ldap or 
mod-auth-ldap)
- SSL with client-cert-auth and +fakeBasicAuth


ReverseProxy Setup:
the following directives are a simple test of a reverse proxy:

<Location /test1>
Allow from all
RewriteEngine on
#
AuthType Basic
AuthName "testRealm"
AuthUserFile /path/to/PwdFile
Require user bud ezio
#
# Set a HTTP request-header "OPG_USER" with the
# name of the authenticated user (REMOTE_USER)
#
RewriteCond %{REMOTE_USER} (.*)
RewriteRule .* - [E=OPG_USER:%1]
RequestHeader add OPG_USER "%{OPG_USER}e"
#
RewriteRule ^(.*) http://test1.myDomain.it/$1 [P,L]
</Location>

Application Server Setup:
The following directives make the Apache server behind the proxy set the 
REMOTE_USER environment variable to the value set in the HTTP Header "OPG_USER"

RewriteEngine on
RewriteCond %{HTTP:OPG_USER} (.*)
RewriteRule .* - [E=REMOTE_USER:%1]



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message