I have a service running behind an Apache reverse proxy that uses the custom headers "username" and "role" to identify users and their role.
I want Apache HTTPD to restrict access to people whose custom HTTP header "groupmembership" contains one of the following: "viewer", "publisher", "administrator".
The Apache server sits behind another proxy which authenticates users and populates the HTTP headers "username" and "groupmembership", where the contents of "groupmembership" is a comma-separated list of groups.
For reference I have included a draft of the architecture (image: http-proxy-auth).
How would this be possible? I have tried using a Require directive like Require expr %{HTTP:iv_groupmembership} in { 'viewer', 'publisher', 'administrator' } inside <Location /> to no avail.
Could this instead work with mod_rewrite?
Here is the reverse-proxy config using mod_proxy and mod_rewrite:
RewriteEngine on
<Proxy *>
Allow from all
</Proxy>
ProxyRequests Off
# store variable values with dummy rewrite rules
RewriteRule . - [E=req_scheme:%{REQUEST_SCHEME}]
RewriteRule . - [E=http_host:%{HTTP_HOST}]
RewriteRule . - [E=req_uri:%{REQUEST_URI}]
# set header with variables
RequestHeader set X-RSC-Request "%{req_scheme}e://%{http_host}e%{req_uri}e"
RewriteCond %{HTTP:Upgrade} =websocket
RewriteRule /(.*) ws://localhost:3939/$1 [P,L]
RewriteCond %{HTTP:Upgrade} !=websocket
RewriteRule /(.*) http://localhost:3939/$1 [P,L]
ProxyPass / http://172.17.0.1:3939/
ProxyPassReverse / http://172.17.0.1:3939/
Thanks for any hints.
Edit: Basically, the question boils down to: how can I check whether the comma-separated list in the "groupmembership" header contains either 'Administrator', 'Publisher' or 'Viewer'?
Best Answer
This should do it. If you have a comma-separated list in the header "groupmembership", then use the first regex expression. One value in the list has to match to grant access. If you want to match an exact value in "iv_groupmembership", then uncomment the second/third expression (and comment the first).
Edit: "RequestHeader set role" example, uncomment as needed. I only tested this with "Header set role" (in the response, no backend), but it should work with "RequestHeader" the same way.
Edit2: "<Location />" for clarity; "X-Auth-Token" check combined with "groupmembership".
Sample config:
Modifying the headers in Apache (like RequestHeader set iv_groupmembership "viewer") to debug/test the config doesn't work; you need to set the header very early. https://httpd.apache.org/docs/2.4/expr.html#vars
You can test the configuration with wget from the command line, replacing "localhost" with your hostname. Tested with Apache/2.4.25 (Debian)
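An added example of my own (not the answer's config) that mirrors the anchored-regex Require expr check in Python so the match behaviour can be verified against sample header values; it assumes PCRE and Python's re agree on this pattern and that the "groupmembership" header is only ever set by the trusted front proxy, never passed through from the client.

```python
import re

# Equivalent Apache 2.4 rule this function mirrors (assumption: the \s and
# (?:...) constructs behave the same under PCRE as under Python's re):
#
#   <Location "/">
#       Require expr "%{HTTP:groupmembership} =~ m#(?:^|,)\s*(?:viewer|publisher|administrator)\s*(?:,|$)#i"
#   </Location>
#
# Case-insensitive, so 'Administrator' from the question's edit also matches.
ALLOWED_GROUPS = ("viewer", "publisher", "administrator")

# Anchored to the list delimiters: a plain substring test would also accept
# "superviewer" or "viewer-readonly", which is the over-broad match to avoid.
GROUP_RE = re.compile(
    r"(?:^|,)\s*(?:" + "|".join(map(re.escape, ALLOWED_GROUPS)) + r")\s*(?:,|$)",
    re.IGNORECASE,
)


def group_allowed(header_value):
    """True if the comma-separated header lists at least one allowed group."""
    if header_value is None:  # header absent: deny
        return False
    return GROUP_RE.search(header_value) is not None


def naive_in_check(header_value):
    """The 'in { ... }' form from the question compares the whole header
    string against each literal, so a multi-value list never matches."""
    return header_value in ALLOWED_GROUPS


if __name__ == "__main__":
    # Constructed sample header values and the expected decision.
    samples = {
        "viewer": True,
        "sales,publisher,hr": True,
        "Administrator": True,
        "sales, Publisher , hr": True,
        "superviewer": False,
        "viewer-readonly,sales": False,
        "": False,
        None: False,
    }
    for value, expected in samples.items():
        assert group_allowed(value) is expected, value
        print(f"{value!r:30} allowed={group_allowed(value)}")
    # The in-list form only works for a single exact value:
    assert naive_in_check("viewer") and not naive_in_check("sales,viewer")
```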