Apache proxy: passing on REMOTE_USER to backend server

Question

We are using shibboleth for authentication. Our shibboleth Service provider is running on a host that is running apache with reverse proxy configuration (mod_proxy). The applications using shibboleth are running in the backend, no SP is installed on these servers. We are getting all shibboleth headers on the backend servers.

Now I need the REMOTE_USER variable that is filled by shibboleth authentication on the proxy server to be available on the backend server. I"ve managed to get the value into HTTP_REMOTE_USER and pass it on the the backend servers but i'm struggling to put this value into REMOTE_USER on the backend server.

I would like to know what the difference is between HTTP_REMOTE_USER and REMOTE_USER and how to manipulate REMOTE_USER from the apache config without doing actual authentication.

What is your remote application running? Is there any reason why you can't run the SP there? — David Pashley, Jun 10 '09 at 13:38
We like the simplicity of having one SP on the proxy that controls the shib configuration for all the backend applications. — Wouter, Jun 11 '09 at 08:18
Are you using Django? Django adds the "HTTP_". It isn't really part of the header, it's just a prefix Django adds. — S.Lott, Dec 12 '10 at 16:03
See : http://serverfault.com/questions/180726/remote-user-through-apache-reverse-proxy — Rianto Wahyudi, Jun 26 '13 at 00:57

score 1 · Answer 1 · edited Jun 11 '20 at 10:02

You can send the value of REMOTE_USER on the query string sent to your backend servers:

RewriteCond %{LA-U:REMOTE_USER} (.*)
RewriteRule ^/test.asp(.*) test.asp?userid=%{LA-U:REMOTE_USER} [QSA,P,L]

The LA-U means lookahead. From the mod_rewrite manual:

%{LA-U:variable} can be used for look-aheads which perform an internal (URL-based) sub-request to determine the final value of variable. This can be used to access variable for rewriting which is not available at the current stage, but will be set in a later phase.

For instance, to rewrite according to the REMOTE_USER variable from within the per-server context (httpd.conf file) you must use %{LA-U:REMOTE_USER} - this variable is set by the authorization phases, which come after the URL translation phase (during which mod_rewrite operates).

score 0 · Accepted Answer · answered Jun 17 '09 at 19:49

I wanted to do exactly the same as you with shibboleth. But unfortunately I found this on the corresponding apache docs. REMOTE_USER is part of the CGI standard therefore cannot be modified with apache directives.

It is not possible to override or change the standard CGI variables using the environment manipulation directives.

Apache proxy: passing on REMOTE_USER to backend server

2 Answers2

Linked