httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tom Evans <tevans...@googlemail.com>
Subject [users@httpd] Re: Passing REMOTE_USER from reverse proxy to app server
Date Tue, 07 Jul 2009 14:26:34 GMT
On Tue, 2009-07-07 at 14:42 +0100, Tom Evans wrote:
> Hi all
> 
> httpd 2.2.11, prefork MPM, FreeBSD 7.2
> 
> I'm trying to pass the REMOTE_USER variable, as determined by the
> reverse proxy, to a backend application server. The main reason to do
> this is to offload authnz to the proxy, and to keep all this centralised
> in one place. The authn module that will actually be providing the
> REMOTE_USER is a custom SAML single sign on auth module (hence the wish
> for centralising it), but for my testing, I am just using basic auth.
> 
> When I STFW, I found this blog post[1] describing how to achieve this,
> but implementing it did not seem to work. Here is the sample vhost I am
> attempting to use it with:
> 
> <VirtualHost *:80>
>   ServerName strangepork
>   DocumentRoot /usr/local/www/htdocs
> 
>   <Directory /usr/local/www/htdocs>
>     Order allow,deny
>     Allow from all
>   </Directory> 
>     
>   <Location />
>     AuthType Basic
>     AuthName "Restricted"
>     AuthUserFile /usr/local/etc/apache22/passwords
>     Require valid-user
>   </Location>
> 
>   RewriteEngine on
>   RewriteLog /var/log/httpd-rewrite.log
>   RewriteLogLevel 5
> 
>   RewriteCond %{LA-U:REMOTE_USER} (.*)
>   RewriteRule .* - [E=X_REMOTE_USER:%1]
> 
>   RequestHeader set X-UserID %{X_REMOTE_USER}e
>   ProxyPass / http://strangepork:1080/
> </VirtualHost>
> 
> 
> Here is the pertinent part of the rewrite log (I've trimmed a lot of the
> fields, but they aren't interesting I don't think):
> 
> [rid#8264058/initial] (2) init rewrite engine with requested uri /
> [rid#8264058/initial] (3) applying pattern '.*' to uri '/'
> [rid#8268058/subreq] (2) init rewrite engine with requested uri /
> [rid#8268058/subreq] (3) applying pattern '.*' to uri '/'
> [rid#8268058/subreq] (4) RewriteCond: input='' pattern='(.*)' => matched
> [rid#8268058/subreq] (5) setting env variable 'X_REMOTE_USER' to ''
> [rid#8268058/subreq] (1) pass through /
> [rid#8264058/initial] (5) lookahead: path=/ var=REMOTE_USER -> val=
> [rid#8264058/initial] (4) RewriteCond: input='' pattern='(.*)' => matched
> [rid#8264058/initial] (5) setting env variable 'X_REMOTE_USER' to ''
> [rid#8264058/initial] (1) pass through /
> 
> The user is definitely authenticated, as the access log shows:
> 
> 10.0.11.202 - tom [07/Jul/2009:14:13:38 +0100] "GET / HTTP/1.1" 200 3
> "-" "Mozilla/5.0 (X11; U; FreeBSD i386; en-GB; rv:1.9.0.10)
> Gecko/2009050702 Firefox/3.0.10"
> 
> Any thoughts? 
> 
> Cheers
> 
> Tom
> 
> [1] http://agilewebdevelopment.com/plugins/authenticate_as_remote_user

I still think this should work (especially as REMOTE_USER is the
canonical example of LA-U in RewriteCond), but I have made it work by
moving the RewriteRules to the <Location /> block.

Eg:

<VirtualHost *:80>
  ServerName strangepork
  DocumentRoot /usr/local/www/htdocs

  <Directory /usr/local/www/htdocs>
    Order allow,deny
    Allow from all
  </Directory>

  <Location />
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /usr/local/etc/apache22/passwords
    Require valid-user

    RewriteEngine on
    RewriteCond %{REMOTE_USER} (.*)
    RewriteRule .* - [E=X_REMOTE_USER:%1]
    ProxyPass http://strangepork:1080/
  </Location>

  RequestHeader set X-UserID %{X_REMOTE_USER}e
</VirtualHost>

Clearly this works because <Location> rewrites are per-dir and happen at
the fixup phase. I'm wondering if there is any downside to this
approach? Is it vastly more expensive to rewrite at the fixup phase? 
I'm trying to understand why I would want to use a subrequest over this
approach.


Cheers

Tom


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message