You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Will Rogers <wj...@gmail.com> on 2006/10/03 00:09:41 UTC

[users@httpd] reverse proxy using mod_proxy and REMOTE_USER

I am trying to convert an existing Apache + FastCGI configuration to
use Apache's mod_proxy and the ProxyPass directive as a reverse proxy
for Mongrel (a little Ruby HTTP application server). I am also using
mod_auth_sspi for authentication. This is in a Windows corporate
environment, running Apache 2.2.3 on Windows Server 2003.

The new proxy configuration works fine, but I need a way to get the
value of the REMOTE_USER variable to my application (previously it was
sent via CGI). Most of the resources and old posts I've found online
suggest using RequestHeader to insert a header with the value of
REMOTE_USER. When I try this, however, I get "(null)" as the value of
REMOTE_USER.

Apache's access.log contains the correct username, so I know
mod_auth_sspi is working. Also, if I remove the ProxyPass directive
and let Apache run the app with CGI directly, the CGI environment's
REMOTE_USER contains the correct value. As soon as I introduce
mod_proxy to the mix, I can't get a useful value out of REMOTE_USER no
matter what I try.

My research so far has led me to suspect that some sort of internal
redirect is happening that causes the REMOTE_USER value to not be set
when the proxied request is sent to Mongrel. What exactly happens
internally when ProxyPass is triggered? How can I send the correct
value of REMOTE_USER to my application?

I have tried innumerable permutations of this Apache config; here's
the way it currently sits (with some names changed to protect the
guilty).

<VirtualHost *>
       ServerName apache.host
       DocumentRoot D:/work/Gregor-test/public

       # value of BLAH header when it gets to Mongrel is "(null)"
       RequestHeader set BLAH %{REMOTE_USER}e

       # don't proxy static content
       ProxyPass /favicon.ico !
       ProxyPass /iepngfix !
       ProxyPass /images !
       ProxyPass /javascripts !
       ProxyPass /jscalendar !
       ProxyPass /stylesheets !

       # proxy requests through mongrel
       ProxyPass / http://mongrel.host:8001/
       ProxyPassReverse / http://mongrel.host:8001/
       ProxyPreserveHost on

       # allow access to the public directory
       <Directory "D:/work/Gregor-test/public">
               Options Indexes FollowSymLinks ExecCGI
               AllowOverride All

               Order allow,deny
               Allow from all
       </Directory>

       # authorization applies to anything going through the proxy server
       # (i.e. don't authenticate the static content explicitly excluded above)
       <Proxy *>
               AuthName "MAD Gregor"
               AuthType SSPI
               SSPIAuth On
               SSPIAuthoritative On
               SSPIDomain "MYDOMAIN"
               SSPIOfferBasic Off
               SSPIOmitDomain On

               require valid-user
       </Proxy>
</VirtualHost>

Thanks,

 - Will

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org