FAQ
I am seeking advice on how to configure an Apache 2 reverse proxy that
handles authentication for a number of http servers behind it. So far, I
managed to set up a reverse proxy that handles authentication (currently
http basic for testing, later X.509 and combinations).

What I have problems with is how to propagate authentication information
(REMOTE_USER, AUTH_TYPE, and possibly some SSL specific data) to the httpd
that is "protected" by the reverse proxy. Ideally, I would like a setup in
which the http/application server behind the proxy behaves as if it had
performed HTTP Basic Authentication itself. This way, any kind of dynamic
application (cgi, php, tomcat, zope, twisted, etc.) would be able to use
its standard authentication APIs. Ideally, I would like to find an
approach that works with various kinds of http daemons or at least one that
requires only simple interventions on the httpds (i.e., better
configuration than a custom module that has to be written for any type of
httpd).

I have made initial experiments using RequestHeader (from mod-headers) to
propagate the info. But I currently don't manage to access the REMOTE_USER
environment variable on the proxy (RequestHeader add PropagatedRemoteUser
"%{REMOTE_USER}e" fails to propagate any value). Also, I don't know
whether it is possible to use mod-headers on the "protected" httpd
(assuming it is Apache) to copy this propagated value to REMOTE_USER. But
probably there are better approaches in the first place.

many thanks in advance for any input and guidance

kind regards

-bud




-------------------------------------------------------------------------------------------------
Ing. Bud P. Bruegger, Ph.D.          +39-0564-488577 (voice), -21139 (fax)
Servizio Elaborazione Dati           e-mail: bud@comune.grosseto.it
Comune di Grosseto                   http://www.comune.grosseto.it/cie/
Via Ginori, 43                       http://OpenPortalGuard.sf.net
58100 Grosseto (Tuscany, Italy)      jabber: bud@amessage.info

Free Software in Public Administration: not just a good idea, but a necessity

Perfection is attained, not when there is nothing more to be added, but
when there is nothing more to be taken away -- Antoine de Saint-Exupery


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


  • Brian Hughes '89 at Apr 8, 2005 at 3:44 pm

    On Apr 8, 2005, at 11:14 AM, Bud P. Bruegger wrote:
    I am seeking advice on how to configure an Apache 2 reverse proxy that
    handles authentication for a number of http servers behind it. So far,
    I managed to set up a reverse proxy that handles authentication
    (currently http basic for testing, later X.509 and combinations).

    What I have problems with is how to propagate authentication
    information (REMOTE_USER, AUTH_TYPE, and possibly some SSL specific
    data) to the httpd that is "protected" by the reverse proxy. Ideally,
    I would like a setup in which the http/application server behind the
    proxy behaves as if it had performed HTTP Basic Authentication itself.
    This way, any kind of dynamic application (cgi, php, tomcat, zope,
    twisted, etc.) would be able to use its standard authentication APIs.
    Ideally, I would like to find an approach that works with various
    kinds of http daemons or at least one that requires only simple
    interventions on the httpds (i.e., better configuration than a custom
    module that has to be written for any type of httpd).

    I have made initial experiments using RequestHeader (from mod-headers)
    to propagate the info. But I currently don't manage to access the
    REMOTE_USER environment variable on the proxy (RequestHeader add
    PropagatedRemoteUser "%{REMOTE_USER}e" fails to propagate any value).
    Also, I don't know whether it is possible to use mod-headers on the
    "protected" httpd (assuming it is Apache) to copy this propagated
    value to REMOTE_USER. But probably there are better approaches in the
    first place.
    Actually, I'd say that you've hit upon the "right way" to pass the
    authenticated information back to the application, through the proxy.
    However, you don't show us how you are actually doing the proxy
    hand-off. This can make a big difference as to what does and doesn't
    get passed.

    Here's a snippet from the ssl.conf file on one of my web app servers.
    I'm using Apache to proxy/terminate the SSL, do client cert
    authentication and pass the authentication info back to application via
    reverse-proxy. The key thing here is using Rewrite engine for the
    proxy, not ProxyPass...

    -----------------------

    <Location /foo>
    RewriteEngine on

    # Get the SSL client cert data, if present, and store it in a temporary
    # environment variable after we select it with a RewriteCond backref.
    # Then pass that env var as an HTTP header for the proxy request
    RewriteCond %{SSL:SSL_CLIENT_VERIFY} (.*)
    RewriteRule .* - [E=SSLC_ON:%1]
    RequestHeader add X-SSL-Client-On %{SSLC_ON}e

    # Do the same with the SSL client's authenticated name
    RewriteCond %{SSL:SSL_CLIENT_S_DN_CN} (.*)
    RewriteRule .* - [E=SSLC_NAME:%1]
    RequestHeader add X-SSL-Client-Name %{SSLC_NAME}e

    # Special conditional for when the incoming request has a query string.
    # Store the query string in a RewriteCond back-reference, so we can add
    # it into the proxy HTTP request
    RewriteCond %{QUERY_STRING} (.+)
    RewriteRule (foo.*) http://127.0.0.1:8080/$1?%1 [P,L]

    # Standard proxy request, for when there's no query string in the URL
    RewriteRule (foo.*) http://127.0.0.1:8080/$1 [P,L]
    </Location>

    -----------------------

    -Brian


  • Bud P. Bruegger at Apr 8, 2005 at 4:21 pm
    At 11.44 08/04/2005 -0400, Brian Hughes '89 wrote:
    ...
    I have made initial experiments using RequestHeader (from mod-headers) to
    propagate the info. But I currently don't manage to access the
    REMOTE_USER environment variable on the proxy (RequestHeader add
    PropagatedRemoteUser "%{REMOTE_USER}e" fails to propagate any value).
    Also, I don't know whether it is possible to use mod-headers on the
    "protected" httpd (assuming it is Apache) to copy this propagated value
    to REMOTE_USER. But probably there are better approaches in the first place.
    Actually, I'd say that you've hit upon the "right way" to pass the
    authenticated information back to the application, through the proxy.
    However, you don't show us how you are actually doing the proxy hand-off.
    This can make a big difference as to what does and doesn't get passed.
    Actually I did use ProxyPass:

    <Location /bud>
    Allow from all
    ProxyPass http://www.gol.grosseto.it/cgi-bin/test-env
    ProxyPassReverse http://www.gol.grosseto.it/cgi-bin/test-env
    AuthType Basic
    AuthName "budRealm"
    AuthUserFile /var/www/budPwd
    Require user bud ezio
    RequestHeader add Remote_User "%{REMOTE_USER}e"
    </Location>
    Here's a snippet from the ssl.conf file on one of my web app servers. I'm
    using Apache to proxy/terminate the SSL, do client cert authentication and
    pass the authentication info back to application via reverse-proxy. The
    key thing here is using Rewrite engine for the proxy, not ProxyPass...
    thanks for the conf snippet. I did some tests and it just works.

    Why is there such a difference between mod-rewrite and mod-proxy? I
    thought that mod-rewrite was using mod-proxy to do its work.

    Also, why is the env variable REMOTE_USER not directly available to
    mod-headers?

    So now (thanks to your help!) I manage to propagate the user info. Any
    suggestions how to fake basic authentication on the application
    server? Can I simply use RequestHeader add REMOTE_USER for this?

    many thanks!

    -b

    -----------------------

    <Location /foo>
    RewriteEngine on

    # Get the SSL client cert data, if present, and store it in a temporary
    # environment variable after we select it with a RewriteCond backref.
    # Then pass that env var as an HTTP header for the proxy request
    RewriteCond %{SSL:SSL_CLIENT_VERIFY} (.*)
    RewriteRule .* - [E=SSLC_ON:%1]
    RequestHeader add X-SSL-Client-On %{SSLC_ON}e

    # Do the same with the SSL client's authenticated name
    RewriteCond %{SSL:SSL_CLIENT_S_DN_CN} (.*)
    RewriteRule .* - [E=SSLC_NAME:%1]
    RequestHeader add X-SSL-Client-Name %{SSLC_NAME}e

    # Special conditional for when the incoming request has a query string.
    # Store the query string in a RewriteCond back-reference, so we can add
    # it into the proxy HTTP request
    RewriteCond %{QUERY_STRING} (.+)
    RewriteRule (foo.*) http://127.0.0.1:8080/$1?%1 [P,L]

    # Standard proxy request, for when there's no query string in the URL
    RewriteRule (foo.*) http://127.0.0.1:8080/$1 [P,L]
    </Location>

    -----------------------

    -Brian





  • Brian Hughes '89 at Apr 8, 2005 at 6:40 pm

    On Apr 8, 2005, at 12:26 PM, Bud P. Bruegger wrote:
    Actually I did use ProxyPass:

    <Location /bud>
    Allow from all
    ProxyPass http://www.gol.grosseto.it/cgi-bin/test-env
    ProxyPassReverse http://www.gol.grosseto.it/cgi-bin/test-env
    AuthType Basic
    AuthName "budRealm"
    AuthUserFile /var/www/budPwd
    Require user bud ezio
    RequestHeader add Remote_User "%{REMOTE_USER}e"
    </Location>
    Hmm... the top-down ordering of your directives seems off. Were I doing
    this I would definitely put the ProxyPass and ProxyPassReverse
    statements at the very bottom of the <Location> block. That won't
    necessarily ensure that your RequestHeader line will be added, but you
    have a much better chance of it being picked up if you put that
    statement before/above your proxy statements.
    thanks for the conf snippet. I did some tests and it just works.
    Glad to hear it.
    Why is there such a difference between mod-rewrite and mod-proxy? I
    thought that mod-rewrite was using mod-proxy to do its work.
    I don't have an answer for that, really. But about the only thing I'm
    sure of is mod_rewrite is using the parts of mod_proxy that set up the
    X-Forwarded headers. Beyond that, I'm not sure.
    Also, why is the env variable REMOTE_USER not directly available to
    mod-headers?
    I'd be very surprised if it wasn't. I think this is related to the
    order in which you are defining your directives.
    So now (thanks to your help!) I manage to propagate the user info.
    Any suggestions how to fake basic authentication on the application
    server? Can I simply use RequestHeader add REMOTE_USER for this?
    That would depend on the application server... but I'm not sure if you
    can fake the encoding of the WWW-Authenticate header. Maybe for Basic
    (not sure how;), but I don't see any way to fake a Digest authenticate
    header, if you plan to make use of the more secure method...

    -Brian


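The open question in this thread is how the application behind the proxy should consume the propagated user name so that it "behaves as if it had performed HTTP Basic Authentication itself". The following is an added example, not code from the thread or from any of the posters: a small WSGI middleware that fills in REMOTE_USER and AUTH_TYPE from a proxy-supplied header. It assumes the proxy sends the user in an X-Remote-User header (the thread uses the name Remote_User; header names with underscores are dropped by some servers, so a hyphenated name is safer), that the proxy sets that header with RequestHeader set rather than add so a value supplied by the client itself never reaches the backend, and that the proxy's address is 127.0.0.1. The backend trusts the header only when the connection comes from that address and carries exactly one value.

```python
"""Backend-side counterpart to the authenticating reverse proxy in this thread.

Hypothetical example: a WSGI middleware that exposes the proxy-authenticated user
to the application as REMOTE_USER / AUTH_TYPE, as if the application had done
HTTP Basic authentication itself.  The header is honoured only when the request
arrives from a trusted proxy address and contains a single, well-formed value.
"""
from wsgiref.util import setup_testing_defaults

# Assumed header name, sent by the proxy with
#   RequestHeader set X-Remote-User "%{REMOTE_USER}e"
# WSGI servers expose it in the environ as HTTP_X_REMOTE_USER.
PROPAGATED_HEADER = "HTTP_X_REMOTE_USER"


class ProxyAuthMiddleware:
    """Populate REMOTE_USER/AUTH_TYPE from a header that only the proxy may set."""

    def __init__(self, app, trusted_proxies, header=PROPAGATED_HEADER):
        self.app = app
        self.trusted_proxies = frozenset(trusted_proxies)
        self.header = header

    def __call__(self, environ, start_response):
        user = self.resolve_user(environ)
        if user is None:
            # The proxy is the only authority: never let a stale or
            # pre-existing REMOTE_USER reach the application.
            environ.pop("REMOTE_USER", None)
            environ.pop("AUTH_TYPE", None)
        else:
            environ["REMOTE_USER"] = user
            environ["AUTH_TYPE"] = "Basic"
        return self.app(environ, start_response)

    def resolve_user(self, environ):
        # Only a connection from the proxy itself may carry the header.
        if environ.get("REMOTE_ADDR") not in self.trusted_proxies:
            return None
        raw = environ.get(self.header)
        if not raw:
            return None
        # If the header arrived more than once (e.g. the proxy used `add` and the
        # client sent its own copy), servers merge the values with ", ".
        # Refuse the ambiguity instead of guessing which value is the proxy's.
        if "," in raw:
            return None
        user = raw.strip()
        # Basic-auth user names cannot contain ':' or control characters.
        if not user or ":" in user or not user.isprintable():
            return None
        return user


def demo_app(environ, start_response):
    """Stand-in for the protected application: report what it sees."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    body = "user=%s auth=%s" % (environ.get("REMOTE_USER"), environ.get("AUTH_TYPE"))
    return [body.encode("ascii")]


def run_request(remote_addr, extra_environ):
    """Drive the stack with a constructed WSGI environ; return the response body."""
    environ = {}
    setup_testing_defaults(environ)
    environ["REMOTE_ADDR"] = remote_addr
    environ.update(extra_environ)
    app = ProxyAuthMiddleware(demo_app, trusted_proxies={"127.0.0.1"})

    def start_response(status, response_headers, exc_info=None):
        return None

    return b"".join(app(environ, start_response)).decode("ascii")


if __name__ == "__main__":
    # Constructed requests: one relayed by the proxy, one sent directly to the backend.
    print(run_request("127.0.0.1", {"HTTP_X_REMOTE_USER": "bud"}))
    print(run_request("10.0.0.5", {"HTTP_X_REMOTE_USER": "bud"}))
```

The address check is what makes the scheme safe: on its own, a header is just text the proxy happened to forward, so the backend must additionally refuse direct connections (firewall, bind to loopback, or the REMOTE_ADDR test above), and the proxy must overwrite rather than append the header so a client cannot smuggle its own value past it. Whether a given CGI or servlet runtime also picks up the environ keys as its native "authenticated user" depends on that runtime, which is the point Brian leaves open above.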
