Posted to users@httpd.apache.org by Nick Jones <ni...@nicholasjones.com> on 2013/03/22 21:50:53 UTC

[users@httpd] Using mod_rewrite to change the REMOTE_USER header in Apache 2.4

Hi-

I've recently migrated from Apache 2.2 to Apache 2.4, and I'm experiencing
an issue with mod_rewrite and the REMOTE_USER header.

We use Kerberos to authenticate our users, and we have two Kerberos
domains, one for internal connections and one for external connections. All
users have an account in both domains, and they'll get authenticated using
one of the two servers depending upon where they are connecting from. When
a user logs in, Apache will set the REMOTE_USER header to either

user@internal.company.com

or

user@external.company.com

depending upon which domain they authenticated against. However, our web
applications don't want to receive the fully qualified Kerberos usernames;
they just want to receive the "user" portion.

In Apache 2.2, we used mod_rewrite to strip everything after the @ sign and
set a new REMOTE_USER header. However, Apache 2.4 seems to forbid setting
any headers which contain an underscore.

See:

http://httpd.apache.org/docs/trunk/new_features_2_4.html

"Translation of headers to environment variables is more strict than before
to mitigate some possible cross-site-scripting attacks via header
injection. Headers containing invalid characters (including underscores)
are now silently dropped. Environment Variables in Apache has some pointers
on how to work around broken legacy clients which require such headers.
(This affects all modules which use these environment variables.)"

Is there any way to work around this?

This is the code that works fine in Apache 2.2:

RewriteEngine On
RewriteCond %{REMOTE_USER} ([a-z]+)@.*
RewriteRule . - [E=RU:%1]
RequestHeader set REMOTE_USER %{RU}e

If I use the above code in Apache 2.4, the header doesn't get set, and I
get errors in the logs like:

[core:trace1] [pid 11676] util_script.c(78): [client XXXXXXXX:50291] Not
exporting header with invalid name as envvar: _USER

Any suggestions?

Thanks!
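As an added illustration, not part of the original post and not Apache's own code, the following Python models the header-to-environment-variable translation that the quoted 2.4 release note is about, so the security reason behind the stricter rule is visible. The model assumes the CGI-style mapping (prefix HTTP_, uppercase, '-' to '_'); the "lenient" branch, which maps any other character to '_', is an assumption about the older behaviour and is what makes two distinct header names collapse into one variable. It also includes the realm-stripping regex from the post's RewriteCond, applied in Python, with constructed sample headers.

```python
import re
from typing import Dict, List, Optional, Tuple

def header_to_envvar(name: str, strict: bool = True) -> Optional[str]:
    """Model of how a CGI-style server turns an HTTP header name into an
    environment variable: prefix HTTP_, ASCII letters/digits uppercased,
    '-' becomes '_'.  strict=True follows the 2.4 rule quoted in the post:
    any other character (underscore included) drops the header entirely.
    strict=False is an assumed model of the older, lenient mapping, where
    any non-alphanumeric character simply becomes '_'."""
    out = []
    for c in name:
        if c.isascii() and c.isalnum():
            out.append(c.upper())
        elif c == '-':
            out.append('_')
        elif strict:
            return None          # header silently dropped, as the release note says
        else:
            out.append('_')      # lenient mapping (assumption)
    return "HTTP_" + "".join(out)

def export_headers(headers: List[Tuple[str, str]], strict: bool = True):
    """Build the environment for a list of (name, value) request headers,
    in order.  Returns (env, dropped_names, collisions), where a collision
    is a header whose variable name was already produced by a different
    header: that ambiguity is the injection risk the stricter rule closes."""
    env: Dict[str, str] = {}
    origin: Dict[str, str] = {}
    dropped, collisions = [], []
    for name, value in headers:
        var = header_to_envvar(name, strict)
        if var is None:
            dropped.append(name)
            continue
        if var in env and origin[var] != name:
            collisions.append((name, var))
        env[var] = value
        origin[var] = name
    return env, dropped, collisions

# Same pattern as the post's RewriteCond: capture the local part before '@'.
USER_RE = re.compile(r'([a-z]+)@.*')

def local_part(remote_user: str) -> Optional[str]:
    """Strip the Kerberos realm; None when the value has no realm suffix."""
    m = USER_RE.match(remote_user)
    return m.group(1) if m else None

# Constructed sample: a legitimate dashed header and an underscore variant
# that a client could send to try to overwrite the same variable.
SAMPLE_HEADERS = [
    ("Host", "app.internal.company.com"),
    ("Remote-User", "alice"),
    ("REMOTE_USER", "mallory"),
]

if __name__ == "__main__":
    for strict in (False, True):
        env, dropped, coll = export_headers(SAMPLE_HEADERS, strict)
        print("strict" if strict else "lenient", env, "dropped:", dropped,
              "collisions:", coll)
    print(local_part("user@internal.company.com"))
```

Run stand-alone, the lenient pass shows REMOTE_USER overwriting HTTP_REMOTE_USER that Remote-User had set, while the strict pass drops the underscore header and leaves no collision; that is the same drop the trace1 log line in the post reports.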