httpd-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: [users@httpd] accessing REMOTE_USER through an Apache proxy
Date Wed, 28 Oct 2009 15:15:02 GMT
Devin Bougie wrote:
...

Hi.

I'll give you my interpretation, after looking at the log, not really at 
the configuration.

I think the confusion may be about when and where things happen 
exactly. And it is not really helped by your choice to proxy from your 
server to itself.

If you examine the log below, you will see different/distinct requests, 
identified by their respective "rid" number.

The first is the request rid#8aa28f8 that comes in originally, on your 
"first" server (before the proxying occurs).
That one does the proxying before your <Location /test> is even invoked 
(in my opinion).  So at that point, the authentication has not even 
happened, and REMOTE_USER is undefined or empty.
That request, you then proxy to your "second" server.

Now the proxied request comes in to your "second" server. That is 
request rid#8aa8908.  That one starts without a REMOTE_USER (see above), 
but then goes through the <Location> section, where it acquires an id.
But by then it is too late for proxying.

It would all probably be clearer if you set this up in two distinct 
VirtualHosts, and proxied from the first to the second.

Another thing is that Apache "environment variables" are kind of 
"virtual", in the sense that they exist inside of Apache, for the 
duration of one request.
When you proxy something to another server, this is a new request, and 
this other server does not magically inherit the environment of your 
first request in the first server.
To pass it on, you would have to set it in a header which you pass to 
the second server.  But then, you must have a value to pass, by the time 
you create the header.
Which does not seem to be the case here.

Hope that is clear.
As for me, I think I need a cup of coffee now.


> 
> ------
> ######
> # GlassFish proxy
> ProxyPreserveHost       on
> 
> RewriteEngine           on
> RewriteLog /var/log/httpd/rewrite.log
> RewriteLogLevel 9
> 
> RequestHeader Set Proxy-keysize 512
> RequestHeader Set Proxy-ip %{REMOTE_ADDR}e
> RequestHeader Set Host ourserver.com:443
> RequestHeader set REMOTE_USER %{LA-U:REMOTE_USER}e
> 
> RewriteRule ^/test$ /test/ [R,L]
> RewriteRule ^/test/(.*) http://localhost/cgi-bin/test/$1 [P,L,E=REMOTE_USER:%{LA-U:REMOTE_USER}]
> <Location "/test">
>        order deny,allow
>        deny from all
>        AuthType KerberosV5
>        AuthName "kerberos authentication"
>        Satisfy any
>        require valid-user
> </Location>
> ------
> 
> And here is what I see in rewrite.log.  REMOTE_USER is eventually set 
> properly, just not soon enough for the script.
> ------
> ... [rid#8aa28f8/initial] (2) init rewrite engine with requested uri /test/remote.cgi
> ... [rid#8aa28f8/initial] (3) applying pattern '^/test$' to uri '/test/remote.cgi'
> ... [rid#8aa28f8/initial] (3) applying pattern '^/test/(.*)' to uri '/test/remote.cgi'
> ... [rid#8aa28f8/initial] (2) rewrite /test/remote.cgi -> http://localhost/cgi-bin/test/remote.cgi
> ... [rid#8aa4900/subreq] (2) init rewrite engine with requested uri /test/remote.cgi
> ... [rid#8aa4900/subreq] (1) pass through /test/remote.cgi
> ... [rid#8aa28f8/initial] (5) lookahead: path=/test/remote.cgi var=REMOTE_USER -> val=
> ... [rid#8aa28f8/initial] (5) setting env variable 'REMOTE_USER' to ''
> ... [rid#8aa28f8/initial] (2) forcing proxy-throughput with http://localhost/cgi-bin/test/remote.cgi
> ... [rid#8aa28f8/initial] (1) go-ahead with proxy request proxy:http://localhost/cgi-bin/test/remote.cgi [OK]
> ... [rid#8aa8908/initial] (2) init rewrite engine with requested uri /test/remote.cgi
> ... [rid#8aa8908/initial] (3) applying pattern '^/test$' to uri '/test/remote.cgi'
> ... [rid#8aa8908/initial] (3) applying pattern '^/test/(.*)' to uri '/test/remote.cgi'
> ... [rid#8aa8908/initial] (2) rewrite /test/remote.cgi -> http://localhost/cgi-bin/test/remote.cgi
> ... [rid#8abcf90/subreq] (2) init rewrite engine with requested uri /test/remote.cgi
> ... [rid#8abcf90/subreq] (1) pass through /test/remote.cgi
> ... [rid#8aa8908/initial] (5) lookahead: path=/test/remote.cgi var=REMOTE_USER -> val=dab66
> ... [rid#8aa8908/initial] (5) setting env variable 'REMOTE_USER' to 'dab66'
> ... [rid#8aa8908/initial] (2) forcing proxy-throughput with http://localhost/cgi-bin/test/remote.cgi
> ... [rid#8aa8908/initial] (1) go-ahead with proxy request proxy:http://localhost/cgi-bin/test/remote.cgi [OK]
> ------
> 
> Any suggestions would be greatly appreciated.  Please let me know if 
> there is any more information I can provide.
> 
> Many thanks,
> Devin


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
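
The reading of the quoted rewrite.log given in the reply (two distinct requests, the first proxied before any identity exists) can be checked mechanically. The following Python script is an added example, not part of the original thread: it groups RewriteLog entries by rid and reports what REMOTE_USER held at the moment each request was handed to the proxy. The sample is a subset of the entries quoted above, re-joined onto single lines; the function names are hypothetical.

```python
import re
from collections import OrderedDict

# Subset of the rewrite.log entries quoted in the thread, re-joined onto single lines.
SAMPLE_LOG = """\
... [rid#8aa28f8/initial] (2) init rewrite engine with requested uri /test/remote.cgi
... [rid#8aa4900/subreq] (1) pass through /test/remote.cgi
... [rid#8aa28f8/initial] (5) lookahead: path=/test/remote.cgi var=REMOTE_USER -> val=
... [rid#8aa28f8/initial] (5) setting env variable 'REMOTE_USER' to ''
... [rid#8aa28f8/initial] (1) go-ahead with proxy request proxy:http://localhost/cgi-bin/test/remote.cgi [OK]
... [rid#8aa8908/initial] (2) init rewrite engine with requested uri /test/remote.cgi
... [rid#8abcf90/subreq] (1) pass through /test/remote.cgi
... [rid#8aa8908/initial] (5) lookahead: path=/test/remote.cgi var=REMOTE_USER -> val=dab66
... [rid#8aa8908/initial] (5) setting env variable 'REMOTE_USER' to 'dab66'
... [rid#8aa8908/initial] (1) go-ahead with proxy request proxy:http://localhost/cgi-bin/test/remote.cgi [OK]
"""

ENTRY = re.compile(r"\[rid#(?P<rid>[0-9a-f]+)/(?P<kind>\w+)\] \(\d+\) (?P<msg>.*)")
SETENV = re.compile(r"setting env variable 'REMOTE_USER' to '(?P<val>[^']*)'")
PROXY = re.compile(r"go-ahead with proxy request proxy:(?P<url>\S+)")

def trace_requests(log_text):
    """Group entries by rid and snapshot REMOTE_USER when each request is proxied."""
    reqs = OrderedDict()
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue  # not a RewriteLog entry
        r = reqs.setdefault(m["rid"], {"kind": m["kind"], "user": None,
                                       "proxied_to": None, "user_at_proxy": None})
        s = SETENV.search(m["msg"])
        if s:
            r["user"] = s["val"]  # value the rewrite engine put in the environment
        p = PROXY.search(m["msg"])
        if p:
            r["proxied_to"] = p["url"]
            r["user_at_proxy"] = r["user"]  # what was available at hand-off time
    return reqs

def proxied_without_identity(reqs):
    """Return rids of requests handed to the proxy with REMOTE_USER empty or never set."""
    return [rid for rid, r in reqs.items() if r["proxied_to"] and not r["user_at_proxy"]]

if __name__ == "__main__":
    reqs = trace_requests(SAMPLE_LOG)
    for rid, r in reqs.items():
        print(rid, r["kind"], repr(r["user_at_proxy"]), r["proxied_to"])
    print("proxied with empty REMOTE_USER:", proxied_without_identity(reqs))
```

Only rid 8aa28f8, the request arriving on the "first" server, is flagged; rid 8aa8908 carries `dab66` by the time it is proxied.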

