Posted to users@httpd.apache.org by "Bud P. Bruegger" <bu...@comune.grosseto.it> on 2005/06/14 15:34:01 UTC
Re: [users@httpd] apache as reverse-proxy : forwarding SSL environment variables
At 09.20 14/06/2005 -0400, you wrote:
>I've posted examples of how to do this to the list a few times over the
>past several months. If you have trouble finding them in one of the
>archives, let me know and I'll send the example conf statements directly
>to you.
>
>-Brian
Hi Brian et al.,
here is my digestion of what you proposed... [comments welcome]
Thanks to help from the Apache users mailing list, here is a setup for
authenticating with a reverse proxy (i.e., OpenPortalGuard gate keeper).
Objective:
A reverse proxy handles all the authentication for multiple application
servers behind the proxy. The application servers behave as if they had
handled the authentication themselves (with HTTP BASIC).
Requirements:
The described setup requires Apache 2.0 or higher on the remote proxy
(because only Apache 2 adds the RequestHeader directive in
mod_headers). Currently, only Apache 1.3 has been tested as application
server, but higher versions of Apache should work too. It should be
independent of what application server is run (tested with CGI, but also
Tomcat via mod_jk, PHP, Quixote via mod_scgi, etc. should work; this has to
be verified).
Authentication Methods:
Currently, the described setup has been tested with straight HTTP BASIC
Authentication. But I believe it should equally work for more useful
authentication methods including:
- HTTP BASIC over SSL with user DB on LDAP (mod_ssl with mod_ldap or
  mod_auth_ldap)
- SSL with client-cert-auth and +FakeBasicAuth
Reverse Proxy Setup:
The following directives are a simple test of a reverse proxy:

    <Location /test1>
        Allow from all
        RewriteEngine on
        #
        AuthType Basic
        AuthName "testRealm"
        AuthUserFile /path/to/PwdFile
        Require user bud ezio
        #
        # Set a HTTP request-header "OPG_USER" with the
        # name of the authenticated user (REMOTE_USER)
        #
        RewriteCond %{REMOTE_USER} (.*)
        RewriteRule .* - [E=OPG_USER:%1]
        RequestHeader add OPG_USER "%{OPG_USER}e"
        #
        RewriteRule ^(.*) http://test1.myDomain.it/$1 [P,L]
    </Location>

Application Server Setup:
The following directives make the Apache server behind the proxy set the
REMOTE_USER environment variable to the value set in the HTTP Header "OPG_USER":

    RewriteEngine on
    RewriteCond %{HTTP:OPG_USER} (.*)
    RewriteRule .* - [E=REMOTE_USER:%1]
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.