9

Using Apache 2.2 on Windows with mod_auth_sspi and mod_headers. I'm trying to pass the current authenticated user through to the proxy target in the X-Remote-User header.

I expect that this is simple, but I've been wrangling Apache for an hour now and can't find the secret sauce in documentation or google.

My configuration is as follows. It correctly authenticates the user with Active Directory, and then proxies the request through to the server sitting behind. However, the X-Remote-User header doesn't get added. It appears that the REMOTE_USER environment variable doesn't exist. Neither does AUTH_USER.

I know that the authenticated username is available somewhere, but how do I get it?

ProxyRequests off
ProxyPass /clsoap/ http://127.0.0.1:12001/clsoap/

<Location /clsoap/>
    ProxyPassReverse /clsoap/

    AuthName "ADTest"
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On
    SSPIDomain primary.example.com
    SSPIUsernameCase lower
    SSPIOfferBasic Off
    Require valid-user

    RequestHeader set X-Remote-User "%{REMOTE_USER}e" env=REMOTE_USER
    RequestHeader set X-Auth-User "%{AUTH_USER}e" env=AUTH_USER
</Location>
brofield
  • 260
  • 1
  • 3
  • 12

2 Answers2

7

Yay. Another google session later trying different random keywords and I found this:

http://www.ruby-forum.com/topic/83067

http://old.nabble.com/Forcing-a-proxied-host-to-generate-REMOTE_USER-to2911573.html#a2914465

This now works:

ProxyRequests off
ProxyPass /clsoap/ http://127.0.0.1:12001/clsoap/

<Location /clsoap/>
    ProxyPassReverse /clsoap/

    AuthName "ADTest"
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On
    SSPIDomain primary.example.com
    SSPIUsernameCase lower
    SSPIOfferBasic Off
    Require valid-user

    RewriteEngine On
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule . - [E=RU:%1]
    RequestHeader set X-Remote-User "%{RU}e" env=RU
</Location>
brofield
  • 260
  • 1
  • 3
  • 12
  • That rewrite rule for me ran into nesting problems described at http://fossplanet.com/f16/%5Busers@httpd%5D-inifite-loop-mod_sspi-mod_proxy-mod_rewrite-39460/. RewriteRule . - [E=RU:%1,NS] fixed it. – lkraav Aug 08 '11 at 11:06
  • @brofield using this rewrite rule you will get SamAccountName. But how to get UserPrincipalName? Thanks! – Eazy May 08 '15 at 10:55
3

I know this is an ancient post but since users still hit this I thought I would add that there is a world of difference in which variables are available in ssl environment "%{VAR}s" vs the non-ssl environment %{VAR}e

I found that pubcookie set the remote user only as a secure environment variable which I could forward via the following:

    RequestHeader set X-REMOTE-USER %{REMOTE_USER}s

NOTE: ends in s not in e!

Now this can be a potential security hole that leaks username information to hackers if you ever forward requests to other servers or use http. I only forward to localhost personally so this is not an issue for me.

Zack
  • 31
  • 1
  • The only working solution for me from way too much options I tried, thanks so much! I have httpd as a reverse proxy (with Kerberos connected to AD), forwarding HTTPS requests to Tomcat, on AIX LPAR. – mikiqex Jan 27 '16 at 12:08