Apache proxy: passing on REMOTE_USER to backend server

We are using Shibboleth for authentication. Our Shibboleth Service Provider is running on a host that is running Apache with a reverse proxy configuration (mod_proxy). The applications using Shibboleth are running in the backend; no SP is installed on these servers. We are getting all Shibboleth headers on the backend servers.

Now I need the REMOTE_USER variable that is filled by Shibboleth authentication on the proxy server to be available on the backend server. I've managed to get the value into HTTP_REMOTE_USER and pass it on to the backend servers, but I'm struggling to put this value into REMOTE_USER on the backend server.

I would like to know what the difference is between HTTP_REMOTE_USER and REMOTE_USER, and how to manipulate REMOTE_USER from the Apache config without doing actual authentication.


You can send the value of REMOTE_USER on the query string sent to your backend servers:

    RewriteCond %{LA-U:REMOTE_USER} (.*)
    RewriteRule ^/test.asp(.*) test.asp?userid=%{LA-U:REMOTE_USER} [QSA,P,L]

The LA-U means lookahead. From the mod_rewrite manual:

%{LA-U:variable} can be used for look-aheads which perform an internal (URL-based) sub-request to determine the final value of variable. This can be used to access variable for rewriting which is not available at the current stage, but will be set in a later phase.

For instance, to rewrite according to the REMOTE_USER variable from within the per-server context (httpd.conf file) you must use %{LA-U:REMOTE_USER} - this variable is set by the authorization phases, which come after the URL translation phase (during which mod_rewrite operates).
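
An added example (not part of the original answer, and not Apache or Shibboleth code) of the distinction the question asks about: a request header named Remote-User reaches a CGI/WSGI application as HTTP_REMOTE_USER and can be set by any client, while REMOTE_USER is filled in by the server's own authentication phase. Assuming a Python WSGI backend, the hypothetical middleware `RemoteUserFromProxy` copies the forwarded value into REMOTE_USER only when the connection comes from the reverse proxy; the proxy address 10.0.0.5 and the sample requests are constructed.

```python
import ipaddress

# Assumption: the reverse proxy's address as the backend sees it (constructed).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]


def cgi_header_name(header):
    """CGI/WSGI name of a request header: 'Remote-User' -> 'HTTP_REMOTE_USER'."""
    return "HTTP_" + header.upper().replace("-", "_")


def from_trusted_proxy(environ):
    """True only if the TCP peer (REMOTE_ADDR) is one of the known proxies."""
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return False
    return any(peer in net for net in TRUSTED_PROXIES)


class RemoteUserFromProxy:
    """Hypothetical middleware: promote HTTP_REMOTE_USER to REMOTE_USER only
    for requests from the proxy; the header is always removed afterwards."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        forwarded = environ.pop("HTTP_REMOTE_USER", "").strip()
        if forwarded and from_trusted_proxy(environ):
            environ["REMOTE_USER"] = forwarded
        return self.app(environ, start_response)


def whoami(environ, start_response):
    """Stand-in application that reports the identity it was given."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ.get("REMOTE_USER", "anonymous").encode()]


def call(app, remote_addr, headers):
    """Build a minimal environ the way a CGI/WSGI server would, run the app."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "REMOTE_ADDR": remote_addr}
    for name, value in headers.items():
        environ[cgi_header_name(name)] = value
    return b"".join(app(environ, lambda status, hdrs: None)).decode()


app = RemoteUserFromProxy(whoami)
```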