Passing Apache reverse-proxy auth from Windows to Linux

Technical post here, but this one stumped me for a long time. This is another one of those “I’ll post it and hope it saves somebody else some time” write-ups.

Problem

I’m running Apache web servers on Windows – because it’s an intranet environment, everybody uses IE (well: I use Firefox) and I know their Windows login thanks to mod_auth_sspi.

Then I wanted to set up an Apache server on Linux reached via the Windows server acting as a reverse-proxy front-end /and/ I wanted the Linux server to also know their Windows login.

First Try: Kerberos

Hooking up Linux to authenticate with a keytab file to our AD server via Kerberos: complicated, but it works. (I was pleasantly surprised!)

Navigating to the Linux box directly, it would properly pick up my AD username from any browser that knew to send it along. (Only Firefox with manual configuration, and IE, at this time.)

Through the reverse-proxy, however, I would send my AD credentials to the Windows box via SSPI, but then nothing was sent to the Linux box, and any auth attempts failed.

No combination of proxy-pass-auth, SSPI on or off, and Kerberos on or off got me what I needed.

Solution: Just pass the remote_user header

Instead, I decided to turn off Kerberos entirely on the Linux box (yeah… all that work for nothing), let the front-end box handle all the auth via SSPI, and used mod_rewrite to send the headers that it needed.

Here’s the related Apache config (on the Windows front-end):

<Location /test_auth/>
    ProxyPass http://srv-apache-a02/webapps/
    ProxyPassReverse http://srv-apache-a02/webapps/

    # (this line probably not needed any more)
    SetEnv Proxy-Chain-Auth On

    RewriteEngine On
    # LA-U: look ahead to the authentication phase so REMOTE_USER is already
    # known here. This RewriteRule doesn't rewrite anything URL-wise; it only
    # copies the authenticated user name into the RU environment variable.
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule .* - [E=RU:%1]

    # Put the username into a request header. "set" overwrites any value the
    # client sent, so the back-end only ever sees the SSPI-authenticated user.
    # Use hyphens rather than underscores in the header name: Apache 2.4 drops
    # headers containing underscores before they reach CGI/FastCGI (PHP-FPM),
    # while PHP still exposes this one as $_SERVER['HTTP_X_REMOTE_USER'].
    RequestHeader set X-Remote-User %{RU}e
</Location>

Now, in PHP I can use $_SERVER['HTTP_X_REMOTE_USER'] to get what would normally be the $_SERVER['REMOTE_USER'] value.

Of course, I’ll lock down the Linux box so it only accepts requests from the Windows box – otherwise its contents are browsable by anyone, no auth takes place, and anyone who can reach it directly could supply their own X-Remote-User header and be treated as that user.
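As an added example (not code from the original post), here is the back-end PHP side with the trust check made explicit: the header is only honoured when the request actually came from the reverse proxy, the value mod_headers emits when no user was set is treated as unauthenticated, and the login is validated before use. The proxy address 192.0.2.10 and the DOMAIN\user format (mod_auth_sspi's default unless SSPIOmitDomain is set) are assumptions for this example; the Apache-level lockdown on the Linux box remains the primary control and this is defence in depth on top of it.

```php
<?php
// Added example: the PHP back-end only trusts X-Remote-User when the request
// arrived from the Windows reverse proxy. PROXY_ADDRS and the DOMAIN\user
// pattern below are assumptions, not values from the original post.

const PROXY_ADDRS = ['192.0.2.10'];   // assumed address of the Windows front-end

/**
 * Return the Windows login forwarded by the proxy, or null when the request
 * must be treated as unauthenticated.
 */
function trusted_remote_user(array $server, array $proxyAddrs = PROXY_ADDRS): ?string
{
    // 1. Only the front-end may assert an identity. Anyone else reaching this
    //    box directly could have set the header themselves.
    if (!in_array($server['REMOTE_ADDR'] ?? '', $proxyAddrs, true)) {
        return null;
    }

    // 2. mod_headers substitutes the literal string "(null)" when the RU
    //    environment variable was never set, so treat it like an empty header.
    $user = $server['HTTP_X_REMOTE_USER'] ?? '';
    if ($user === '' || $user === '(null)') {
        return null;
    }

    // 3. SSPI hands over DOMAIN\user (assumed format); reject anything else so
    //    a malformed value never reaches SQL, file paths or log lines unchecked.
    if (!preg_match('/^[A-Za-z0-9.-]+\\\\[A-Za-z0-9._-]+$/', $user)) {
        return null;
    }

    return $user;
}

$user = trusted_remote_user($_SERVER);
if ($user === null) {
    http_response_code(403);
    exit('Forbidden');
}

echo 'Hello, ', htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```

Passing `$_SERVER` in as an argument keeps the function testable without a live proxy: a request with `REMOTE_ADDR` outside the allow-list, or with a missing, empty or `(null)` header, yields `null`, while `['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_REMOTE_USER' => 'CORP\\jsmith']` yields `CORP\jsmith`.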
