Posted to users@httpd.apache.org by Kevin Behr <be...@gmail.com> on 2014/01/23 00:16:12 UTC

[users@httpd] Passing Authentication or REMOTE_USER from One Apache Server to Another

Hi there,

I have two separate web applications, each on a different Apache (2.2)
server.  A user first authenticates on *Server A* (either by Basic HTTP or
LDAP) and gains access to the web application.  At some point, the user has
the option to launch the second web application on *Server B*.

The second web application requires REMOTE_USER to be set; it will not
start without it.  Therefore, I need the REMOTE_USER from *Server A* to be
passed to *Server B*.

I have explored two avenues:

   1. Set up a proxy using mod_proxy_http and leverage the proxy-chain-auth
   environment variable.

   2. Passing REMOTE_USER via mod_rewrite and RewriteCond.

Am I headed down the right track?  What is the typical way of handling this
situation?

I have tried the following httpd.conf configuration on *Server A*, but it
fails to retrieve any REMOTE_USER (which I am accessing via PHP):

ProxyPass /test http://ServerB/
ProxyPassReverse /test http://ServerB/
SetEnv Proxy-Chain-Auth On

I would appreciate any help!

Re: [users@httpd] Passing Authentication or REMOTE_USER from One Apache Server to Another

Posted by Tom Evans <te...@googlemail.com>.
On Wed, Jan 22, 2014 at 11:16 PM, Kevin Behr <be...@gmail.com> wrote:
> Hi there,
>
> I have two separate web applications, each on a different Apache (2.2)
> server.  A user first authenticates on Server A (either by Basic HTTP or
> LDAP) and gains access to the web application.  At some point, the user has
> the option to launch the second web application on Server B.
>
> The second web application requires REMOTE_USER to be set; it will not start
> without it.  Therefore, I need the REMOTE_USER from Server A to be passed to
> Server B.
>
> I have explored two avenues:
>
> Set up a proxy using mod_proxy_http and leverage the proxy-chain-auth
> environment variable.
>
> Passing REMOTE_USER via mod_rewrite and RewriteCond.
>
> Am I headed down the right track?  What is the typical way of handling this
> situation?
>
> I have tried the following httpd.conf configuration on Server A, but it
> fails to retrieve any REMOTE_USER (which I am accessing via PHP):
>
> ProxyPass /test http://ServerB/
> ProxyPassReverse /test http://ServerB/
> SetEnv Proxy-Chain-Auth On
>
> I would appreciate any help!


I went down this rabbit hole a couple of months ago - I have at the
edge of my network an apache 2.4 server, which acts as an SSL proxy to
internal servers, mainly apache 2.2. All SSL clients are authenticated
on the front end proxy using client certificates, but I needed a way
to pass that information back to the other servers so that they can do
authorization.

I looked at the mod_rewrite route; mod_rewrite has no way to set r->user.

I looked at proxy-chain-auth; this didn't seem to do what I needed either.

In the end I wrote a trivial 80 line apache module for the backend
servers that extracts a specified header and sets r->user (attached).
This is obviously as insecure as it sounds! I get away with it since
all requests go through the front end proxy, which makes sure to scrub
the header from any incoming requests.

Cheers

Tom

PS: installing your own module is pretty trivial, simply grab the file and run

apxs -i -a -c mod_trusted_auth_header.c

on your server B, and then add to server B's httpd.conf

TrustedAuthHeaderName "X-User"

Obviously, you also need to set that header on the front end proxy; I use this:

RequestHeader unset "X-User"
RequestHeader set "X-User" %{SSL_CLIENT_S_DN_Email}s
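
Added example, not part of either post: the trusted-header pattern from the reply, adapted to the original question, where Server A authenticates with Basic or LDAP rather than client certificates. Assumptions: the LA-U lookahead recipe for reading REMOTE_USER in mod_rewrite, the address 192.0.2.10 for Server A and the password file path are constructed; TrustedAuthHeaderName is the directive of the module named in the reply, whose source is not shown on this page.

```apache
# --- Server A (front end: authenticates the user, proxies to Server B) ---
<Location /test>
    AuthType Basic
    AuthName "App"
    # Constructed path; use the existing Basic or LDAP provider here.
    AuthUserFile /etc/httpd/conf/htpasswd.example
    Require valid-user
</Location>

RewriteEngine On
# LA-U looks ahead to the authentication phase so REMOTE_USER is known here.
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule ^/test - [E=RU:%1]

# Always drop whatever the client sent, then set the header only when a
# user was actually authenticated (env=RU). Without the condition an
# unauthenticated request would forward the literal string "(null)".
RequestHeader unset X-User
RequestHeader set X-User %{RU}e env=RU

ProxyPass /test http://ServerB/
ProxyPassReverse /test http://ServerB/

# --- Server B (Apache 2.2 back end running the header-trusting module) ---
<Location />
    # Only the front end may connect, so nothing else can supply X-User.
    # 192.0.2.10 is a constructed address standing in for Server A.
    Order deny,allow
    Deny from all
    Allow from 192.0.2.10
</Location>
TrustedAuthHeaderName "X-User"
```

The header is only as trustworthy as the path between the two servers: the Allow rule on Server B enforces in configuration what the reply relies on by network layout, namely that every request reaches the back end through the proxy that scrubs X-User.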