httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Igor Cicimov <icici...@gmail.com>
Subject Re: [users@httpd] Passing proxy authentication user name
Date Mon, 14 Jan 2013 23:08:26 GMT
On Mon, Jan 14, 2013 at 10:01 AM, Igor Cicimov <icicimov@gmail.com> wrote:

>
>
>
> On Mon, Jan 14, 2013 at 9:47 AM, Igor Cicimov <icicimov@gmail.com> wrote:
>
>> On Mon, Jan 14, 2013 at 8:10 AM, Igor Cicimov <icicimov@gmail.com> wrote:
>>
>>>
>>> On 14/01/2013 1:48 AM, "Terry Cooper" <terry.cooper@sympatico.ca> wrote:
>>> >
>>> > I am currently attempting to migrate an existing system which is built
>>> on the Sun web proxy server and the Sun web server to the Apache web
>>> server. The proxy portion will remain on Sun until proxy appliances are
>>> obtained and installed, so all I’m dealing with now is the move to Apache
>>> HTTPD.
>>> >
>>> >
>>> >
>>> > The current system has user access control that is completely based on
>>> the proxy server and acls therein. This means that users log into the
>>> proxy, but there is no login requirement on the web servers. There are a
>>> number of cgi scripts which need to get the user name to operate correctly.
>>> Currently the environment variable HTTP_PROXY_AUTHORIZATION is used to
>>> obtain this information, however from what I can find this is not passed by
>>> Apache to the scripts. I understand the security issue with this as it
>>> contains the password as well, which I don’t need. Is there a way to get at
>>> least the user name that is passed by the proxy server.
>>> >
>>> >
>>> >
>>> > I’m sure I’m missing something simple here, but I just can’t seem
to
>>> find it.
>>> >
>>> >
>>> >
>>> > Thanks,
>>> >
>>> >
>>> >
>>> > Terry
>>>
>>> Set a header maybe?
>>>
>>> RequestHeader append Proxy-Authorization
>>>
>> I mean there is already Authorization request header set why not using it?
>>
>>
> I remember mod_rewrite has lookahead option that look slike this:
>
> <snip>
>
> %{LA-U:variable} can be used for look-aheads which perform an internal
> (URL-based) sub-request to determine the final value of *variable*. This
> can be used to access variable for rewriting which is not available at the
> current stage, but will be set in a later phase.
>
> For instance, to rewrite according to the REMOTE_USER variable from
> within the per-server context (httpd.conf file) you must use
> %{LA-U:REMOTE_USER} - this variable is set by the authorization phases,
> which come *after* the URL translation phase (during which mod_rewrite
> operates).
>
> </snip>
> So would say you can use this in a rewrite rule to pass on the REMOTE_USER
> in the query string for example by using the QSA flag and proxying to the
> backend in the same time:
>
> RewriteCond %{LA-U:REMOTE_USER} (.*)
> RewriteRule ^/something.html     something.jsp?userid=%{LA-U:REMOTE_USER}
> [QSA,P,L]
>
> Just an idea and completely untested. Hope someone will correct me in case
> I'm talking gibberish here ....
>
> Ooops missed the fact that the Proxy is Sun proxy and not apache one so
all my comments about setting a header or query string are pretty useless.
Sorry for the confusion.

Mime
View raw message