Using Apache variable

apache-2.2http-headersmod-authreverse-proxy

I'm trying to use Apache's OpenID authentication module. According to this page, I should be able to use the REMOTE_USER Apache variable to identify the user. I'd like to pass this as a header to an upstream application (I'm using Apache to authenticate and reverse-proxy).

My Apache site config is as follows:

<VirtualHost *:80>

  ProxyPass / http://localhost:3000/
  ProxyPassReverse / http://localhost:3000/

  <Location />
    AuthType OpenID
    require valid-user
    AuthOpenIDAXRequire email http://axschema.org/contact/email @muller\.io$
    AuthOpenIDAXUsername email
    RequestHeader set x-username $REMOTE_USER
  </Location>
</VirtualHost>

I've searched and searched, but the most I can find is how to use an environment variable in this context. I've verified that a hard-coded string works (actually the above passes the string "$REMOTE_USER" to my application).

If mod_auth_openid is setting the REMOTE_USER variable within Apache, how can I then pass that upstream to my app?

Best Answer

After digging some more, I found this page with the following code:

 RewriteEngine On
 RewriteCond %{REMOTE_USER} (.+)
 RewriteRule . - [E=RU:%1]
 RequestHeader set REMOTE_USER %{RU}e

This was the magic bullet that fixed it for me. I read some pages that suggest this may be incorrect (and indeed it looks kludgy), so please feel free to recommend something better.

Related Solutions

Tomcat cookies not working via the ProxyPass VirtualHost

I figured it out.

Add this to the VHost configuration:

ProxyPassReverseCookiePath /webapp /

REMOTE_USER through Apache reverse proxy

This is possible with mod_headers, mod_rewrite, and mod_proxy.

On the proxy, I assume you have your authentication working and setting REMOTE_USER appropriately. If so, then put the value of REMOTE_USER into a Proxy-User header to the backend like this:

RewriteRule .* - [E=PROXY_USER:%{LA-U:REMOTE_USER}] # note mod_rewrite's lookahead option
RequestHeader set Proxy-User %{PROXY_USER}e

Here's what happens:

The RewriteRule fires for every request and sets the environment variable PROXY_USER equal to the value of REMOTE_USER, which should have been set already by an auth module.
The RequestHeader sets a request header named Proxy-User with the value of PROXY_USER

Now on the backend, you can pull that header value and set REMOTE_USER like this:

RewriteCond %{HTTP:Proxy-user} ^(.*)$
RewriteRule .* - [E=REMOTE_USER:%1]

Here's what happens:

The RewriteCondition checks the value of the Proxy-User header to see if it matches the pattern ^.*$ (which it will). The parentheses tells mod_rewrite to store that value in %1.
The RewriteRule then sets the environment variable REMOTE_USER with the value in %1.

Best Answer

Related Solutions

Tomcat cookies not working via the ProxyPass VirtualHost

REMOTE_USER through Apache reverse proxy

Related Topic