Posted to users@httpd.apache.org by li...@on-x.com on 2005/06/14 10:19:43 UTC

[users@httpd] apache as reverse-proxy : forwarding SSL environment variables

Hi,

We've successfully set up apache with mod_proxy + mod_rewrite in front 
of our (yet another) apache serving our webapps.

We've an application that uses some mod_ssl environment variables to work 
properly (for example it uses SSL_CLIENT_S_DN). The problem when 
connecting through the reverse proxy is that those mod_ssl environment variables 
are not available on the machine hosting the application.

Is there any solution for forwarding this var to the application machine?

Thanks in advance.

Best regards,

  -G.-

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] apache as reverse-proxy : forwarding SSL environment variables

Posted by "Bud P. Bruegger" <bu...@comune.grosseto.it>.
At 09.20 14/06/2005 -0400, you wrote:
>I've posted examples of how to do this to the list a few times over the 
>past several months. If you have trouble finding them in one of the 
>archives, let me know and I'll send the example conf statements directly 
>to you.
>
>-Brian

Hi Brian et al.

Here is my digestion of what you proposed.  [comments welcome]

Thanks to help from the Apache users mailing list, here is a setup for 
authenticating with a reverse proxy (i.e., OpenPortalGuard gate keeper).

Objective:
A reverse-proxy handles all the authentication for multiple application 
servers behind the proxy.  The application servers behave as if they had 
handled the authentication themselves (with HTTP BASIC).

Requirements:
The described setup requires Apache 2.0 or higher on the remote proxy 
(because only apache 2 adds the RequestHeader directive in 
mod-headers).  Currently, only Apache 1.3 has been tested as application 
server--but higher versions of Apache should work too.  It should be 
independent of what application server is run (tested with cgi, but also 
tomcat via mod-jk, php, quixote via mod-scgi, etc. should work--this has to 
be verified)

Authentication Methods:
Currently, the described setup has been tested with straight HTTP BASIC 
Authentication.  But I believe it should equally work for more useful 
authentication methods including:
- HTTP BASIC over ssl with user DB on LDAP (mod-ssl with mod-ldap or 
mod-auth-ldap)
- SSL with client-cert-auth and +fakeBasicAuth


ReverseProxy Setup:
the following directives are a simple test of a reverse proxy:

<Location /test1>
Allow from all
RewriteEngine on
#
AuthType Basic
AuthName "testRealm"
AuthUserFile /path/to/PwdFile
Require user bud ezio
#
# Set a HTTP request-header "OPG_USER" with the
# name of the authenticated user (REMOTE_USER)
#
RewriteCond %{REMOTE_USER} (.*)
RewriteRule .* - [E=OPG_USER:%1]
# ("set" replaces any OPG_USER header sent by the client; "add" would append to it)
RequestHeader set OPG_USER "%{OPG_USER}e"
#
RewriteRule ^(.*) http://test1.myDomain.it/$1 [P,L]
</Location>

Application Server Setup:
The following directives make the Apache server behind the proxy set the 
REMOTE_USER environment variable to the value set in the HTTP Header "OPG_USER"

RewriteEngine on
RewriteCond %{HTTP:OPG_USER} (.*)
RewriteRule .* - [E=REMOTE_USER:%1]
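
A hardened variant of the header-forwarding approach above, applied to the SSL_CLIENT_S_DN case from the original question (added example, not part of the original post or any poster's configuration). It assumes Apache 2.2 or later on the proxy for the mod_headers "%{VARNAME}s" format; the header name X-SSL-Client-S-DN, the host names, the file paths and the address 192.0.2.10 are placeholders.

```apache
# ---- Front-end reverse proxy (assumed: Apache 2.2+, mod_ssl, mod_headers, mod_proxy_http) ----
<VirtualHost *:443>
    # Placeholder name and paths.
    ServerName proxy.example.org
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
    # CA that issues the client certificates; a valid client cert is mandatory.
    SSLCACertificateFile  /path/to/client-ca.crt
    SSLVerifyClient require

    <Location /test1/>
        # "set" overwrites any X-SSL-Client-S-DN header sent by the client,
        # so the back end only ever sees the DN that mod_ssl verified.
        # ("add" would append the proxy's value to whatever the client sent.)
        RequestHeader set X-SSL-Client-S-DN "%{SSL_CLIENT_S_DN}s"
        ProxyPass        http://test1.myDomain.it/
        ProxyPassReverse http://test1.myDomain.it/
    </Location>
</VirtualHost>

# ---- Back-end application server (Apache 1.3 - 2.2 access-control syntax) ----
# Accept requests only from the proxy's address (192.0.2.10 is a placeholder):
# the header is trustworthy only if nothing else can reach this server.
<Location />
    Order deny,allow
    Deny from all
    Allow from 192.0.2.10
</Location>

# Copy the forwarded header back into the environment variable the
# application expects; (.+) leaves the variable unset when the header is absent.
RewriteEngine on
RewriteCond %{HTTP:X-SSL-Client-S-DN} (.+)
RewriteRule .* - [E=SSL_CLIENT_S_DN:%1]
```

On Apache 2.4 the back-end access block is written with "Require ip 192.0.2.10" instead of Order/Deny/Allow.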





Re: [users@httpd] apache as reverse-proxy : forwarding SSL environment variables

Posted by li...@on-x.com.
Hi all.

Thanks for your support

Joshua Slive wrote:
>> You can set them in a cookie or in the query string.  mod_rewrite can
>> do either of these.
>> Then, if necessary, mod_rewrite on the back-end machine could put them
>> back in the environment.

Brian Hughes '89 wrote:
> What I've been doing with my Apache reverse proxies is to use 
> mod_rewrite and mod_header to take the SSL var(s) and set them as HTTP 
> request headers for the reverse-proxy request. This has the advantage of 
> being a little "cleaner" if you have calls into your application machine 
> that either already uses cookies, or that makes use of query strings.

As the machines are currently running apache 1.3x at this time (no 
upgrade planned at this time), I'll try forwarding the env via query 
string as Joshua advised me.
The mod_headers method advised by Brian needs apache 2.x as mod_headers 
can't set request headers on apache 1.3 (only response headers)

Best regards,

  -G.-




Re: [users@httpd] apache as reverse-proxy : forwarding SSL environment variables

Posted by Brian Hughes '89 <br...@Alum.Dartmouth.ORG>.
On Jun 14, 2005, at 08:53 AM, Joshua Slive wrote:
> On 6/14/05, lists@on-x.com <li...@on-x.com> wrote:
>> We've successfully set up apache with mod_proxy + mod_rewrite in front
>> of our (yet another) apache serving our webapps.
>>
>> We've an application that uses some mod_ssl environment variables to work
>> properly (for example it uses SSL_CLIENT_S_DN). The problem when
>> connecting through the reverse proxy is that those mod_ssl environment variables
>> are not available on the machine hosting the application.
>>
>> Is there any solution for forwarding this var to the application machine?
>
> You can set them in a cookie or in the query string.  mod_rewrite can
> do either of these.
> Then, if necessary, mod_rewrite on the back-end machine could put them
> back in the environment.

What I've been doing with my Apache reverse proxies is to use 
mod_rewrite and mod_header to take the SSL var(s) and set them as HTTP 
request headers for the reverse-proxy request. This has the advantage 
of being a little "cleaner" if you have calls into your application 
machine that either already uses cookies, or that makes use of query 
strings.

I've posted examples of how to do this to the list a few times over the 
past several months. If you have trouble finding them in one of the 
archives, let me know and I'll send the example conf statements 
directly to you.

-Brian




Re: [users@httpd] apache as reverse-proxy : forwarding SSL environment variables

Posted by Joshua Slive <js...@gmail.com>.
On 6/14/05, lists@on-x.com <li...@on-x.com> wrote:
> Hi,
> 
> We've successfully set up apache with mod_proxy + mod_rewrite in front
> of our (yet another) apache serving our webapps.
> 
> We've an application that uses some mod_ssl environment variables to work
> properly (for example it uses SSL_CLIENT_S_DN). The problem when
> connecting through the reverse proxy is that those mod_ssl environment variables
> are not available on the machine hosting the application.
> 
> Is there any solution for forwarding this var to the application machine?

You can set them in a cookie or in the query string.  mod_rewrite can
do either of these.
Then, if necessary, mod_rewrite on the back-end machine could put them
back in the environment.

Joshua.
