httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bud P. Bruegger" <>
Subject Re: [users@httpd] apache as reverse-proxy : forwarding SSL environment variables
Date Tue, 14 Jun 2005 13:34:01 GMT
At 09.20 14/06/2005 -0400, you wrote:
>I've posted examples of how to do this to the list a few times over the 
>past several months. If you have trouble finding them in one of the 
>archives, let me know and I'll send the example conf statements directly 
>to you.

Hi Brian et al.

here my digestion of what you proposed..  [comments welcome]

Thanks to help from the Apache users mailing list, here is a setup for 
authenticating with a reverse proxy (i.e., OpenPortalGuard gate keeper).

A reverse-proxy handles all the authentication for multilple application 
servers behind the proxy.  The application servers behave as if they had 
handled the authentication themselves (with HTTP BASIC).

The described setup requires Apache 2.0 or higher on the remote proxy 
(because only apache 2 adds the RequestHeader directive in 
mod-headers).  Currently, only Apache 1.3 has been tested as application 
server--but higher versions of Apache should work too.  It should be 
independent on what application server is run (tested with cgi, but also 
tomcat via mod-jk, php, quixote via mod-scgi, ecc. should work--this has to 
be verified)

Authentication Methods:
Currently, the described setup has been tested with straight HTTP BASIC 
Authentication.  But I believe it should equally work for more useful 
authentication methods including:
- HTTP BASIC over ssl with user DB on LDAP (mod-ssl with mod-ldap or 
- SSL with client-cert-auth and +fakeBasicAuth

ReverseProxy Setup:
the following directives are a simple test of a reverse proxy:

<Location /test1>
Allow from all
RewriteEngine on
AuthType Basic
AuthName "testRealm"
AuthUserFile /path/to/PwdFile
Require user bud ezio
# Set a HTTP request-header "OPG_USER" with the
# name of the authenticated user (REMOTE_USER)
RewriteCond %{REMOTE_USER} (.*)
RewriteRule .* - [E=OPG_USER:%1]
RequestHeader add OPG_USER "%{OPG_USER}e"
RewriteRule ^(.*)$1 [P,L]

Application Server Setup:
The following directives make the Apache server behind the proxy set the 
REMOTE_USER environment variable to the value set in the HTTP Header "OPG_USER"

RewriteEngine on
RewriteCond %{HTTP:OPG_USER} (.*)
RewriteRule .* - [E=REMOTE_USER:%1]

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message