Apache as authentication proxy

Question

We are trying to implement authentication proxy from Apache httpd. This should secure application that uses Basic Authentication but user should authenticate with httpd's authentication (mod_auth_cas in our case).

I can add RequestHeader with proper Authorised value that sends credentials to application but it's static with just one user that authenticates.

Is there some way to set RequestHeader value with script? Or some other method to build such authentication proxy?

I'm already considering cgi script that will handle the proxy function. But that seems to me like highway to hell.

Answer 1

This is almost a solution:

RewriteEngine on

# Create a RewriteMap to do base64 encoding:
RewriteMap base64map "prg:/usr/bin/base64"

# Put the base64-encoded user:password string into an environment variable:
RewriteRule .* - [E=AUTHN:${base64map:%{LA-U:REMOTE_USER}:%{LA-U:REMOTE_PASS}},NE]  

# Put the encoded user:password string into the Authorization header:
RequestHeader Authorization "Basic %{AUTHN}e"

(See the mod_rewrite docs for an explanation of why LA-U is needed.)

But there's one thing missing: the user's password. In the above I used the REMOTE_PASS environment variable as if that will be set, but usually there is no such variable.

You are going to have to somehow get mod_auth_cas to put the user's password into an environment variable, say REMOTE_PASS, or get it from a request header. Without the user's password, you don't have enough information to set the Authorization header.