How to make squid reverse proxy with authentication send remote_user header

http-authentication reverse-proxy squid

OS CentOS 6.4 – squid 3.1

I currently have squid running as a reverse proxy, performing NTLM authentication successfully. This is working as expected. If I enter valid AD username and password, it lets me in. If I don't, I get a 401.

What I'm struggling to work out is how do I pass over the authentication user details. I would expect my webserver sat behind the squid proxy to receive a header with something like REMOTE_USER set as 'domain\username' but this isn't the case.

Google searches are not returning anything useful. It's all to do with doing the authentication in the first place, but I have this running OK.

Here's what I currently have in my squid.conf file

## NTLM setup
http_port 3128 accel defaultsite=####
cache_peer 127.0.0.1 parent 80 0 no-query originserver
access_log /var/log/squid/access.log squid
hosts_file /etc/hosts

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm keep_alive on

acl ntlm proxy_auth REQUIRED
http_access allow ntlm
http_access deny all

Best Answer

I've got this working successfully.

By adding login=*:NOPASSWORD I now get a PHP_AUTH_USER variable. The full squid.conf looks like:

http_port 3128 accel defaultsite=####
cache_peer #### parent 80 0 no-query login=*:NOPASSWORD originserver
access_log /var/log/squid/access.log squid
hosts_file /etc/hosts

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm keep_alive on

acl ntlm proxy_auth REQUIRED
http_access allow ntlm
http_access deny all

A dump of $_SERVER looks like:

Array
(
    [USER] => ####
    [HOME] => /var/www
    [FCGI_ROLE] => RESPONDER
    [SCRIPT_FILENAME] => ####
    [QUERY_STRING] => 
    [REQUEST_METHOD] => GET
    [CONTENT_TYPE] => 
    [CONTENT_LENGTH] => 
    [SCRIPT_NAME] => /index.php
    [REQUEST_URI] => /
    [DOCUMENT_URI] => /index.php
    [DOCUMENT_ROOT] => ####
    [SERVER_PROTOCOL] => HTTP/1.1
    [GATEWAY_INTERFACE] => CGI/1.1
    [SERVER_SOFTWARE] => nginx/1.0.15
    [REMOTE_ADDR] => 10.55.56.53
    [REMOTE_PORT] => 49734
    [SERVER_ADDR] => 10.55.151.53
    [SERVER_PORT] => 80
    [SERVER_NAME] => ####
    [REDIRECT_STATUS] => 200
    [HTTP_HOST] => ####
    [HTTP_CONNECTION] => keep-alive
    [HTTP_CACHE_CONTROL] => max-age=0
    [HTTP_ACCEPT] => text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    [HTTP_USER_AGENT] => Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36
    [HTTP_ACCEPT_ENCODING] => gzip,deflate,sdch
    [HTTP_ACCEPT_LANGUAGE] => en-GB,en;q=0.8,en-US;q=0.6,it;q=0.4
    _pk_id.1.6d65=a3acbf13e64ec9b2.1412689051.1.1412690332.1412689051.;_pk_ses.1.6d65=*
    [HTTP_IF_NONE_MATCH] => "1412690326"
    [HTTP_IF_MODIFIED_SINCE] => Tue, 07 Oct 2014 13:58:46 +0000
    [PHP_SELF] => /index.php
    [PHP_AUTH_USER] => DOMAIN\USERNAME
    [PHP_AUTH_PW] => NOPASSWORD
    [REQUEST_TIME] => 1412690470
)
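
Added example, not part of the original answer: with login=*:NOPASSWORD the backend receives the user name together with a fixed password, so the PHP application should accept PHP_AUTH_USER only when the request arrived from the proxy. It assumes Squid connects from 10.55.56.53 (the REMOTE_ADDR in the dump); the function name, the constants and the character allowlist are hypothetical.

```php
<?php
// Added example (not from the original answer). Assumption: Squid reaches the
// backend from 10.55.56.53, the REMOTE_ADDR shown in the $_SERVER dump.
const TRUSTED_PROXIES = ['10.55.56.53'];
// Fixed string from cache_peer login=*:NOPASSWORD. It is a marker, not a secret.
const PROXY_MARKER = 'NOPASSWORD';

/**
 * Return ['domain' => ..., 'user' => ...] when the identity was forwarded by
 * the trusted proxy, or null when it must not be trusted.
 */
function proxy_authenticated_user(array $server): ?array
{
    // Anyone connecting directly could send their own Authorization header,
    // so only accept the identity from the proxy's address.
    if (!in_array($server['REMOTE_ADDR'] ?? '', TRUSTED_PROXIES, true)) {
        return null;
    }
    $user = $server['PHP_AUTH_USER'] ?? '';
    if ($user === '' || ($server['PHP_AUTH_PW'] ?? '') !== PROXY_MARKER) {
        return null;
    }
    // NTLM identities arrive as DOMAIN\username: exactly one backslash.
    $parts = explode('\\', $user);
    if (count($parts) !== 2) {
        return null;
    }
    // Hypothetical conservative allowlist; widen it to match your directory.
    foreach ($parts as $part) {
        if (!preg_match('/\A[A-Za-z0-9._-]+\z/', $part)) {
            return null;
        }
    }
    return ['domain' => strtoupper($parts[0]), 'user' => strtolower($parts[1])];
}

// Constructed sample inputs modelled on the dump above.
$viaProxy = ['REMOTE_ADDR' => '10.55.56.53',
             'PHP_AUTH_USER' => 'DOMAIN\\USERNAME', 'PHP_AUTH_PW' => 'NOPASSWORD'];
$direct   = ['REMOTE_ADDR' => '10.55.56.99',
             'PHP_AUTH_USER' => 'DOMAIN\\USERNAME', 'PHP_AUTH_PW' => 'NOPASSWORD'];
$noDomain = ['REMOTE_ADDR' => '10.55.56.53',
             'PHP_AUTH_USER' => 'USERNAME', 'PHP_AUTH_PW' => 'NOPASSWORD'];

foreach (['viaProxy' => $viaProxy, 'direct' => $direct, 'noDomain' => $noDomain] as $name => $s) {
    echo $name, ': ', json_encode(proxy_authenticated_user($s)), PHP_EOL;
}
```

The address check complements, and does not replace, restricting the backend listener or firewall so that only the proxy can reach port 80.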