a tiny apache module to pass REMOTE_USER via headers to proxy servers
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
AUTHORS
COPYING
ChangeLog
Makefile
README
README.md
proxy_add_user.c

README.md

proxy-add-user

Introduction

Some authentication apache modules don't set the REMOTE_USER header field during the fixup phase of the API. As a side effect, such headers can't be dispatched to proxified applications as they are set too late. The only solution is to use a tricky module, registered between the authentication process and the mod_proxy handler, which can retrieve the REMOTE_USER field and set it to output headers, just before beeing send by mod_proxy.

As the result, REMOTE_USER can be catched even in proxified applications.

Installation

  • Compile the module (make all)
  • Copy the module to the apache module directory (sudo make install)

Don't use a2enmod unless you know what you are doing, the order of loading is important (see Configuration).

Configuration

Configuration of the module is tricky as it depends on the order on which the modules are loaded.

Extract of httpd.conf :

    LoadModule authopenid_module /usr/lib/apache2/modules/mod_auth_openid.so
    LoadModule proxy_add_user_module /usr/lib/apache2/modules/mod_proxy_add_user.so
    LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so

The module has two settings working on a per directory basis (they can be added to Proxy) :

  • ProxyAddUser to enable or not the module (on/off)
  • ProxyAddUserKey to customize the header key to be set (default is "X-REMOTE_USER")

Here is an example of configuration :

    <Proxy *>
     Order                  deny,allow
     Allow                  from all
     ProxyAddUser           On                 # Enable the module
     ProxyAddUserKey        "OpenID-IDENTITY"  # Set header field to OpenID-IDENTITY
     AuthOpenIDEnabled      On
    </Proxy>

Security

You can't trust the X-REMOTE_USER header field unless you are sure your web application is only reachable by the proxy. Every http request must pass by the proxy.

Notes

This module was written thanks to a nice article which can be found here : http://www.jaddog.org/2010/03/22/how-to-proxy-pass-remote_user/ .