Get the authenticated user under Apache
Using Apache 2.2 on Windows with mod_auth_sspi and mod_headers. I'm trying to pass the current authenticated user through to the proxy target in the X-Remote-User header.
I expect that this is simple, but I've been wrangling Apache for an hour now and can't find the secret sauce in the documentation or on Google.
My configuration is as follows. It correctly authenticates the user with Active Directory, and then proxies the request through to the server sitting behind. However, the X-Remote-User header doesn't get added. It appears that the REMOTE_USER environment variable doesn't exist. Neither does AUTH_USER.
I know that the authenticated username is available somewhere, but how do I get it?
    ProxyRequests off
    ProxyPass /clsoap/ http://127.0.0.1:12001/clsoap/
    <Location /clsoap/>
        ProxyPassReverse /clsoap/
        AuthName "ADTest"
        AuthType SSPI
        SSPIAuth On
        SSPIAuthoritative On
        SSPIDomain primary.example.com
        SSPIUsernameCase lower
        SSPIOfferBasic Off
        Require valid-user
        RequestHeader set X-Remote-User "%{REMOTE_USER}e" env=REMOTE_USER
        RequestHeader set X-Auth-User "%{AUTH_USER}e" env=AUTH_USER
    </Location>
Solution 1:
Yay. Another Google session later, trying different random keywords, and I found this:
http://www.ruby-forum.com/topic/83067
http://old.nabble.com/Forcing-a-proxied-host-to-generate-REMOTE_USER-to2911573.html#a2914465
This now works:
    ProxyRequests off
    ProxyPass /clsoap/ http://127.0.0.1:12001/clsoap/
    <Location /clsoap/>
        ProxyPassReverse /clsoap/
        AuthName "ADTest"
        AuthType SSPI
        SSPIAuth On
        SSPIAuthoritative On
        SSPIDomain primary.example.com
        SSPIUsernameCase lower
        SSPIOfferBasic Off
        Require valid-user
        RewriteEngine On
        RewriteCond %{LA-U:REMOTE_USER} (.+)
        RewriteRule . - [E=RU:%1]
        RequestHeader set X-Remote-User "%{RU}e" env=RU
    </Location>
Solution 2:
I know this is an ancient post, but since users still hit this I thought I would add that there is a world of difference in which variables are available in the SSL environment ("%{VAR}s") vs. the non-SSL environment ("%{VAR}e").
I found that pubcookie set the remote user only as a secure environment variable, which I could forward via the following:
    RequestHeader set X-REMOTE-USER %{REMOTE_USER}s
NOTE: ends in s, not in e!
Now this can be a potential security hole that leaks username information to hackers if you ever forward requests to other servers or use HTTP. I only forward to localhost personally, so this is not an issue for me.
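A hardened variant of the Solution 1 configuration, added here as an example and not part of either answer: it drops any X-Remote-User header the client sent before setting the header from the authenticated user, so the backend only ever sees a value Apache produced. It also relates to the localhost point in Solution 2; that the backend listens only on 127.0.0.1 is an assumption about the backend, not something Apache enforces.

```apache
ProxyRequests off
ProxyPass /clsoap/ http://127.0.0.1:12001/clsoap/

<Location /clsoap/>
    ProxyPassReverse /clsoap/

    AuthName "ADTest"
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On
    SSPIDomain primary.example.com
    SSPIUsernameCase lower
    SSPIOfferBasic Off
    Require valid-user

    # Copy the authenticated user into the RU environment variable
    # (same look-ahead technique as Solution 1).
    RewriteEngine On
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule . - [E=RU:%1]

    # mod_headers applies these directives in order. The unset runs
    # unconditionally, so a client-supplied X-Remote-User is removed even
    # when RU is empty and the conditional "set" below does not fire.
    RequestHeader unset X-Remote-User
    RequestHeader set X-Remote-User "%{RU}e" env=RU
</Location>

# Assumption: the service on port 12001 is bound to 127.0.0.1 only, so the
# header cannot be supplied by connecting to the backend directly.
```

Without the `unset` line, the backend's trust in X-Remote-User rests entirely on the conditional `set` always firing; with it, a request that reaches the backend either carries Apache's value or no value at all.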