6

I have an Apache webserver with mod_proxy enabled and a Virtualhost, proxy.domain.com. This proxy is configured to prompt the user for credentials with AuthType Basic. Then, the content of web.domain.com is available through the proxy with ProxyPass and ProxyReverse. However, the REMOTE_USER variable is empty. I read different things to achieve this with mod_rewrite and mod_headers but all my tries have failed. Has anybody been luckier than me?

Thanks.

Laurent Nominé
  • Check [this post](https://stackoverflow.com/a/38484871/267197) for solution without `mod_rewrite`. – dma_k Mar 18 '19 at 23:46

4 Answers

13

This is possible with mod_headers, mod_rewrite, and mod_proxy.

On the proxy, I assume you have your authentication working and setting REMOTE_USER appropriately. If so, then put the value of REMOTE_USER into a Proxy-User header to the backend like this:

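```apache
# note mod_rewrite's lookahead option (LA-U); Apache does not allow a
# trailing comment on a directive line, so the note sits on its own line
RewriteRule .* - [E=PROXY_USER:%{LA-U:REMOTE_USER}]
RequestHeader set Proxy-User %{PROXY_USER}e
```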

Here's what happens:

  1. The RewriteRule fires for every request and sets the environment variable PROXY_USER equal to the value of REMOTE_USER, which should have been set already by an auth module.
  2. The RequestHeader sets a request header named Proxy-User with the value of PROXY_USER

Now on the backend, you can pull that header value and set REMOTE_USER like this:

```apache
RewriteCond %{HTTP:Proxy-user} ^(.*)$
RewriteRule .* - [E=REMOTE_USER:%1]
```

Here's what happens:

  1. The RewriteCondition checks the value of the Proxy-User header to see if it matches the pattern ^.*$ (which it will). The parentheses tell mod_rewrite to store that value in %1.
  2. The RewriteRule then sets the environment variable REMOTE_USER with the value in %1.
user95512
beans
  • It's quite obvious now, but for all the other users who might spend quite a bit of time debugging why the `PROXY_USER` is still empty (and thinking it must be because you're using `mod_krb5` instead of basic auth): you also need `RewriteEngine On` for this to work as the environment variable is created by `mod_rewrite`. Doh. :( – Dalibor Karlović Oct 01 '15 at 09:54
  • I've had no luck with this config until I moved all my RewriteRule and RequestHeader directives into a `.htaccess` file (and removed the `LA-U:` prefix). Otherwise the Proxy-user header would remain blank. Apache 2.4.7 on Ubuntu. – Marius Gedminas Sep 20 '16 at 06:54
0

Example to populate header X-Remote-User with the content of REMOTE_USER variable after being authenticated and send that header to a backend proxy (apache 2.4.6).

```apache
# Example for Apache 2.4.6

<VirtualHost *:80>

    RewriteEngine on
    <Location />

        ###############################################
        # Your authentication logic here
        AuthType .......
        AuthName .......
        AuthBasicProvider .......
        .... etc
        Require valid-user
        ###############################################

        RewriteCond %{LA-U:REMOTE_USER} (.+)
        RewriteRule . - [E=RU:%1]
        RequestHeader set X-Remote-User %{RU}e

    </Location>

    ProxyTimeout 300
    ProxyPass / http://localhost:81/
    ProxyPassReverse / http://localhost:81/

</VirtualHost>
```
0

On apache 2.4, trying to get the env vars produced by mod_authnz_ldap and mod_kerb, this is what worked.

Let's say you are looking for AUTHORIZE_sAMAccountName,

```apache
RewriteEngine On
RewriteRule .* - [E=THE_ACCOUNT_NAME:%{ENV:AUTHORIZE_sAMAccountName}]
RequestHeader set MY_ACCOUNT_NAME %{THE_ACCOUNT_NAME}e
```

After that, the HEADER can be for example logged:

```apache
CustomLog /tmp/custom.log "%h %l %u %t \"%r\" %>s %b %{MY_ACCOUNT_NAME}i"
```

0

On the backend side you can also use standard mod_auth_basic if you don't want to mess with mod_rewrite. Assuming you pass the user in as X-Remote-User:

```apache
<Location />
  AuthBasicFake "%{HTTP:X-Remote-User}" "password"
</Location>
```

This only works in 2.4 but has the extra benefit of setting up the other aspects of true mod_auth (i.e. PHP's auth support).
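
Added example, not part of any answer above: every approach on this page makes the backend take its user identity from a request header, so the backend must accept that header only from the proxy. The sketch below reuses the `X-Remote-User` header and `localhost:81` backend from the second answer; the `AuthUserFile` path is a placeholder, and it assumes proxy and backend run on the same host.

```apache
# ---------- Proxy (front end) ----------
<VirtualHost *:80>
    ServerName proxy.domain.com

    # Discard any X-Remote-User the client sent before other processing.
    # "early" is only valid at server/vhost level, not inside <Location>.
    RequestHeader unset X-Remote-User early

    RewriteEngine On
    <Location />
        AuthType Basic
        AuthName "proxy"
        AuthBasicProvider file
        # placeholder path, replace with your own credential file
        AuthUserFile /path/to/htpasswd
        Require valid-user

        # Copy the authenticated user into the header sent to the backend
        RewriteCond %{LA-U:REMOTE_USER} (.+)
        RewriteRule . - [E=RU:%1]
        RequestHeader set X-Remote-User %{RU}e
    </Location>

    ProxyPass        / http://localhost:81/
    ProxyPassReverse / http://localhost:81/
</VirtualHost>

# ---------- Backend ----------
# Bind to loopback only, so the header-trusting vhost is not reachable
# from the network without passing through the proxy's authentication.
Listen 127.0.0.1:81
<VirtualHost 127.0.0.1:81>
    <Location />
        # Second line of defence if the Listen address is ever widened
        Require ip 127.0.0.1
    </Location>

    # Trust the header only because of the restrictions above
    RewriteEngine On
    RewriteCond %{HTTP:X-Remote-User} (.+)
    RewriteRule .* - [E=REMOTE_USER:%1]
</VirtualHost>
```

If the backend lives on a different machine, replace the loopback addresses with the proxy's address and enforce the same restriction at the network layer as well.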