Posted to users@httpd.apache.org by Micha <ap...@wennysoft.de> on 2022/02/21 14:09:01 UTC
[users@httpd] Howto add additional header to CONNECT of ProxyRemote?
Hello,
we have some badly designed external software which we have to get working.
This software provides a proxy which extracts a userid out of a header
field in the CONNECT and uses it for creating a SAML Token for further
requests. This legacy-proxy is running locally on a server.
At client side we have NTLM and Kerberos authentication and I now have
the opportunity to connect these two worlds:
Do a proxy authentication and set the userid as header in CONNECT to the
legacy-proxy.
Calling is: browser --> apache-FW-Proxy --> legacy-Proxy --> external
service
So I set up a Forward Proxy using Apache 2.4.6, mod_auth_ntlm,
mod_auth_kerberos, mod_ssl etc.
I managed to do the authentication stuff in Apache and forward the
request to the external proxy.
The one thing I am missing is how to set the userid as additional header
in the CONNECT-Response to the external proxy.
It seems that the RequestHeader-directive is not applied to the CONNECT
but only to reverse proxy requests.
What can I do to add an additional header in the CONNECT done by the
ProxyRemote-directive?
Regards Michael
Here is the actual config:
LoadModule ssl_module modules/mod_ssl.so
Listen 0.0.0.0:8899
<VirtualHost *:8899>
    ProxyPreserveHost On
    ServerAdmin XXXXXXX
    ServerName XXXXXX
    ErrorLog /var/log/httpd/ssl-error.log
    CustomLog /var/log/httpd/ssl-access.log combined
    HostnameLookups Off
    UseCanonicalName Off
    ServerSignature On
    SSLEngine off
    TransferLog logs/ssl_transfer_log
    SSLCertificateFile /etc/httpd/ssl/server.cert
    SSLCertificateKeyFile /etc/httpd/ssl/server.key
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    Options +FollowSymLinks
    <Proxy>
        AuthType NTLM,Kerberos
        # NTLM authentication
        AuthName "NTLM Authentication thingy"
        NTLMAuth on
        NegotiateAuth on
        NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
        NegotiateAuthHelper "/usr/bin/ntlm_auth --helper-protocol=gss-spnego"
        NTLMBasicAuthoritative on
        AuthType Negotiate
        # Kerberos authentication
        AuthName "Kerberos"
        Krb5Keytab /etc/httpd/ssl/server.keytab
        KrbAuthRealms XXXXXXX
        KrbServiceName HTTP
        require valid-user
        ProxyAddHeaders On
        # handle user and set to header
        RewriteEngine On
        RewriteCond %{LA-U:REMOTE_USER} (.+)$
        RewriteRule . - [E=REMOTE_USER:%1,NS]
        # set the header vu-nutzeralias to the authenticated userid without domain
        RequestHeader set vu-nutzeralias %{REMOTE_USER}e
        # remove kerberos domain
        RequestHeader edit vu-nutzeralias @XXXX ""
        # remove NTLM domain
        RequestHeader edit vu-nutzeralias "XXXX\x{005C}\x{005C}" ""
        # non authenticated
        RewriteCond %{REMOTE_USER} ^$
        RewriteRule . - [R=407]
    </Proxy>
    # forward to external proxy
    ProxyRequests On
    ProxyVia On
    SSLProxyEngine On
    ProxyRemote "*" https://127.0.0.1:8888
</VirtualHost>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Howto add additional header to CONNECT of ProxyRemote?
Posted by Eric Covener <co...@gmail.com>.
> What can I do to add an additional header in the CONNECT done by the
> ProxyRemote-directive.
It doesn't appear possible. The data sent during the CONNECT for
ProxyRemote is not configurable and not based on any
configuration.
I think you'd need to customize modules/proxy/mod_proxy_connect.c
where e.g. Proxy-agent is added.
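
Added example, not part of the thread and not httpd code: a stand-alone C routine that formats a CONNECT request carrying the `vu-nutzeralias` header from the config above, stripping the NTLM domain and Kerberos realm and refusing user ids that could inject extra header lines into the raw request. The function names, the 64-byte limit, the allowed character set, the request line and the Proxy-agent value are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Reduce "DOMAIN\user" (NTLM) or "user@REALM" (Kerberos) to "user".
 * Returns 0 on success, -1 if the result is empty, too long, or contains
 * anything outside [A-Za-z0-9._-]; that check also rejects CR and LF. */
static int bare_userid(const char *remote_user, char *out, size_t outlen)
{
    const char *start = strrchr(remote_user, '\\');
    start = start ? start + 1 : remote_user;
    size_t len = strcspn(start, "@");
    if (len == 0 || len >= outlen)
        return -1;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)start[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return -1;
    }
    memcpy(out, start, len);
    out[len] = '\0';
    return 0;
}

/* Format the CONNECT request sent to the upstream proxy.
 * Returns the number of bytes written, or -1 on bad input or truncation. */
int build_connect(char *buf, size_t buflen, const char *hostport,
                  const char *remote_user)
{
    char uid[64];
    if (hostport[0] == '\0' || strpbrk(hostport, " \t\r\n") != NULL)
        return -1;
    if (bare_userid(remote_user, uid, sizeof uid) != 0)
        return -1;
    int n = snprintf(buf, buflen,
                     "CONNECT %s HTTP/1.0\r\n"
                     "Proxy-agent: example-forward-proxy\r\n" /* constructed value */
                     "vu-nutzeralias: %s\r\n\r\n",
                     hostport, uid);
    return (n < 0 || (size_t)n >= buflen) ? -1 : n;
}

int main(void)
{
    char req[256];
    if (build_connect(req, sizeof req, "example.org:443", "EXAMPLE\\jdoe") > 0)
        fputs(req, stdout);
    return 0;
}
```

The legacy proxy derives an identity from this header, so the value has to come only from the authenticated user name and never from a header the client supplied.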