I am not sure if this is the right place to ask this kind of question but in the same time I don't know any better place, so please bear with me.
I have configured Apache as reverse proxy to my PostGraphile service. My idea is to use Apache to do kerberos authentication and then make PostGraphile service available to authenticated users.
I also need to pass some custom headers to that service.
At this point in time I can have either kerberos authentication turned on or headers passed. As soon as I turn authentication on headers are not appearing on the service side.
This is my vhost config:
<VirtualHost *:80>
<Location />
AuthType Kerberos
AuthName "Kerberos Authentication"
KrbAuthRealsm MY.REALM
KrbServiceName HTTP
BrowseMatch Windows gssapi-no-negotiate
KrbMethodNegotiate on
KrbMethodK5Passwd off
Krb5Keytab /path/to/keytab.keytab
# require valid-user # with this line uncomented headers defined later do not appear on service side
require all granted # with this line uncommented headers defined later do appear on service side however any user can access the service
ProxyPass 'http://my.service:5000'
ProxyPassReverse 'http://my.service:5000'
</Location>
<Proxy *>
Order Deny,Allow
Deny from all
Allow from local.ip.range
</Proxy>
RequestHeader set MYCUSTOMHEADER foo
</VirtualHost>
I'm out of ideas.
I have been reading Apache documentation, auth_mode_kerb documentation, stack threads and blogs but it seems I'm encountering some weird bug here or missing something fundamental…
Any hints would be very welcome
Best Answer
After experimenting I finally landed at solution that meets my needs however I must admit I have no idea why is this working the way it seems to be working.
If I add following to my configuration I can pass information I need within
Authorization
header.However other custom headers are still not showing up, and this will remain a mystery to me.
edit:
After fiddling more I discovered that as soon as I overwrite Authorization header my custom headers show up as well. Would be great to understand if this is intended behavior (maybe security feature) or a bug within mod-auth-kerb..
edit:
Anonymous user highlighted that there is a typo in
KrbAuthRealsm
(should beKrbAuthRealm
) - I don't have access to that test rig and can't remember if I was copying/pasting or typing but since that same anonymous user decided to remove the answer I add it here as edit.