Some authentication apache modules don't set the REMOTE_USER header field during the fixup phase of the API. As a side effect, such headers can't be dispatched to proxified applications as they are set too late. The only solution is to use a tricky module, registered between the authentication process and the mod_proxy handler, which can retrieve the REMOTE_USER field and set it to output headers, just before beeing send by mod_proxy.
As the result, REMOTE_USER can be catched even in proxified applications.
- Compile the module (make all)
- Copy the module to the apache module directory (sudo make install)
Don't use a2enmod unless you know what you are doing, the order of loading is important (see Configuration).
Configuration of the module is tricky as it depends on the order on which the modules are loaded.
Extract of httpd.conf :
LoadModule authopenid_module /usr/lib/apache2/modules/mod_auth_openid.so
LoadModule proxy_add_user_module /usr/lib/apache2/modules/mod_proxy_add_user.so
LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
The module has two settings working on a per directory basis (they can be added to Proxy) :
- ProxyAddUser to enable or not the module (on/off)
- ProxyAddUserKey to customize the header key to be set (default is "X-REMOTE_USER")
Here is an example of configuration :
<Proxy *>
Order deny,allow
Allow from all
ProxyAddUser On # Enable the module
ProxyAddUserKey "OpenID-IDENTITY" # Set header field to OpenID-IDENTITY
AuthOpenIDEnabled On
</Proxy>
You can't trust the X-REMOTE_USER header field unless you are sure your web application is only reachable by the proxy. Every http request must pass by the proxy.
This module was written thanks to a nice article which can be found here : http://www.jaddog.org/2010/03/22/how-to-proxy-pass-remote_user/ .