Apache forward REMOTE_USER to X-Forwarded-User

apache-2.2x-forwarded-for

I would like to pass the environment variable REMOTE_USER set by apache when HTTP basic authentication is correct to a backend. This would provide authentication to the backend server as well.

Here is my apache2 configuration file:

<Directory />
  AuthType basic
  AuthUserFile $my_file
  require valid-user
  RewriteEngine on
  RewriteCond %{REMOTE_USER} (.+)
  RequestHeader set X-Forwarded-User %{REMOTE_USER}e
</Directory>

Authentication by apache2 goes well, as I am properly redirected to the backend server, but then, backend server does not receive the REMOTE_USER as the X-Forwarded-User variable does not appear in tcpdump trace.

What may I have forgotten/misconfigured which does not let this REMOTE_USER variable being forwarded to backend as X-Forwarded-User?

Best Answer

REMOTE_USER is not actually an environment variable inside Apache, but is instead set by Apache when running things like CGI or PHP handlers.

The actual value is embedded in a structure within Apache. See Apache documentation on Environment Variables

Perhaps you need to be ENV: as a prefix.

<Directory />
  AuthType basic
  AuthUserFile $my_file
  require valid-user
  RewriteEngine on
  RewriteCond %{ENV:REMOTE_USER} (.+)
  RequestHeader set X-Forwarded-User %{ENV:REMOTE_USER}e
</Directory>

Related Solutions

Centos – WebDAV on CentOS – getting 403 error when attempt to upload

I recently struggled with the same problem on my Fedora 10 system. In my case the culprit was some odd redirection that I was doing in Apache. Specifically, I use a content management system (Drupal, to be exact) that within it's .htaccess includes the following redirection logic to redirect missing files to a PHP script:

# Rewrite URLs of the form 'x' to the form 'index.php?q=x'.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !=/favicon.ico
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]

It makes sense that the above only affects the PUT method since in that case REQUEST_FILENAME does not exist.

Not having the WebDAV area inside of the Drupal area, which seems like a reasonable constraint, fixes the problem.

Also, I think it is likely that SELinux would result in a different error, but it's not mentioned in the discussion above. Did you try disabling SELinux?

Ssl – Django running on Apache+WSGI and apache SSL proxying

My solution thanks to Graham:



<Location /dirname>
    SSLVerifyClient      none
    SSLOptions           +FakeBasicAuth
    SSLRequireSSL
    AuthName             "name Authentication"
    AuthType             Basic
    AuthUserFile         /etc/httpd/stuff.passwd
    require              valid-user

    RequestHeader set X-Url-Scheme https


</Location>

ProxyPass /dirname http://django.test/dirname
ProxyPassReverse /dirname http://django.test/dirname

On django.test I added this :

 SetEnvIf X-Url-Scheme https HTTPS=1

after

  WSGIScriptAlias /dirname /path_to_wsgi_script/django.wsgi

Best Answer

Related Solutions

Centos – WebDAV on CentOS – getting 403 error when attempt to upload

Ssl – Django running on Apache+WSGI and apache SSL proxying

Related Topic