
I am not sure if this is the right place to ask this kind of question, but at the same time I don't know any better place, so please bear with me.

I have configured Apache as a reverse proxy to my PostGraphile service. My idea is to use Apache to do Kerberos authentication and then make the PostGraphile service available to authenticated users.

I also need to pass some custom headers to that service.

At this point in time I can have either Kerberos authentication turned on or headers passed. As soon as I turn authentication on, the headers do not appear on the service side.

This is my vhost config:

<VirtualHost *:80>
  <Location />
    AuthType Kerberos
    AuthName "Kerberos Authentication"
    KrbAuthRealsm MY.REALM
    KrbServiceName HTTP

    BrowserMatch Windows gssapi-no-negotiate
    KrbMethodNegotiate on

    KrbMethodK5Passwd off

    Krb5Keytab /path/to/keytab.keytab

    # With "require valid-user" uncommented, the headers defined later do not appear on the service side.
    # require valid-user
    # With "require all granted" uncommented, the headers defined later do appear on the service side; however, any user can access the service.
    require all granted

    ProxyPass 'http://my.service:5000'
    ProxyPassReverse 'http://my.service:5000'
  </Location>
  <Proxy *>
    Order Deny,Allow
    Deny from all
    Allow from local.ip.range
  </Proxy>

  RequestHeader set MYCUSTOMHEADER foo
</VirtualHost>

I'm out of ideas.

I have been reading the Apache documentation, the mod_auth_kerb documentation, Stack threads and blogs, but it seems I'm encountering some weird bug here or missing something fundamental...

Any hints would be very welcome.

Greg0ry

1 Answer

After experimenting I finally landed on a solution that meets my needs; however, I must admit I have no idea why this is working the way it seems to be working.

If I add the following to my configuration, I can pass the information I need within the Authorization header.

RewriteEngine On
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule .* - [E=RU:%1]
RequestHeader add Authorization %{RU}e

However, other custom headers are still not showing up, and this will remain a mystery to me.


edit:

After fiddling more I discovered that as soon as I overwrite the Authorization header, my custom headers show up as well. It would be great to understand if this is intended behavior (maybe a security feature) or a bug within mod-auth-kerb.


edit:

An anonymous user highlighted that there is a typo in KrbAuthRealsm (should be KrbAuthRealm). I don't have access to that test rig and can't remember if I was copying/pasting or typing, but since that same anonymous user decided to remove the answer, I add it here as an edit.

Greg0ry
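One way to check what actually reaches the service side under each `require` setting, as an added example that is not part of the original posts: a stand-in backend to run in place of the proxied service, reporting the two headers named above and keeping only the scheme of any `Authorization` credential. The names `redact`, `summarize`, `start` and `probe` and the sample token are constructed for illustration.

```python
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Header names taken from the question and answer above.
EXPECTED = ("MYCUSTOMHEADER", "Authorization")

def redact(value):
    """Keep an auth scheme but drop the credential that follows it."""
    scheme, sep, _ = value.partition(" ")
    return f"{scheme} <redacted>" if sep else value

def summarize(headers, expected=EXPECTED):
    """Map each expected header to every value received (empty list = absent)."""
    report = {}
    for name in expected:
        values = headers.get_all(name) or []  # lookup is case-insensitive
        if name.lower() == "authorization":
            values = [redact(v) for v in values]
        report[name] = values
    return report

class EchoHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        report = summarize(self.headers)
        self.server.seen.append(report)  # keep a history for comparison
        body = json.dumps(report).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the console quiet
        pass

def start(port=0, host="127.0.0.1"):
    """Start the stand-in backend; port=0 picks a free port."""
    server = HTTPServer((host, port), EchoHandler)
    server.seen = []
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def probe(server, headers):
    """Send a constructed request standing in for what the proxy forwards."""
    conn = http.client.HTTPConnection("127.0.0.1", server.server_port)
    conn.request("GET", "/", headers=headers)
    report = json.loads(conn.getresponse().read())
    conn.close()
    return report
```

Started with `start(5000)` where `ProxyPass` points, a request through Apache returns the same report, so the `require valid-user` and `require all granted` cases can be compared directly.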