Reputation: 1915
I would like to use Apache web server as a reverse proxy in front of an application server to handle authentication.
The idea is that after authentication Apache will pass on the user and group(s) to the app server in request headers.
How can I capture the group(s) of the authenticated user in an environment variable so that I can use it for setting request headers?
I've managed to write the user to a header like so:
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1,NS]
RequestHeader set X-Forwarded-User %{RU}e
I'm assuming it would be similar for groups, but I can't find what variable I should use in RewriteCond. (Or is there another way to do it?)
RewriteCond %{???} (.+) # <--- what variable should I use here
RewriteRule . - [E=RG:%1,NS]
RequestHeader set X-Forwarded-User-Groups %{RG}e
A more complete example of the configuration I'm trying to use:
<VirtualHost *:80>
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
<Location />
AuthType Basic
AuthBasicProvider file
AuthName "Restricted Content"
AuthUserFile "/path/to/userfile"
AuthGroupFile "/path/to/groupfile"
Require group users
Require group admins
RewriteEngine On
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1,NS]
RequestHeader set X-Forwarded-User %{RU}e
RewriteCond %{???} (.+)
RewriteRule . - [E=RG:%1,NS]
RequestHeader set X-Forwarded-User-Groups %{RG}e
RequestHeader unset Authorization
</Location>
</VirtualHost>
Upvotes: 3
Views: 1754
Reputation: 3109
I just had the same issue, and after an extensive search and looking at the mod_authz_groupfile.c source it just doesn't seem possible with just configuration.
The group is not exposed as a variable, and there doesn't seem to be a way to use the require group statement in an expression. You could probably get the group into a variable using the RewriteMap directive to read the AuthGroupFile again with a custom external command (the default commands like txt aren't sufficient), but that is way complicated and probably slow.
Note that using the file function to read the AuthGroupFile within an <If> expression will not work, as the expression is evaluated before authentication and thus the value of the REMOTE_USER variable will not yet be available.
Upvotes: 2
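A concrete form of the RewriteMap approach the answer sketches, as an added example that is not from either poster: a Python program for a `RewriteMap prg:` map that parses the group file the question references as AuthGroupFile and answers one lookup per line with the user's groups (or mod_rewrite's not-found token `NULL`). The script path, the map name `usergroups` and the sample group file are assumptions; the Apache snippet in the docstring is hypothetical and must sit at VirtualHost level, since RewriteMap is not allowed inside <Location>.

```python
#!/usr/bin/env python3
"""RewriteMap 'prg:' helper: map a username to its groups from an Apache group file.

Assumed (hypothetical) Apache configuration that uses it:
    RewriteMap usergroups "prg:/usr/local/bin/groups-lookup.py /path/to/groupfile"
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule . - [E=RG:${usergroups:%1|NULL},NS]
    RequestHeader set X-Forwarded-User-Groups %{RG}e
The file is read once at startup (Apache starts the program once), so a reload
is needed after editing the group file.
"""
import sys

# Constructed sample in AuthGroupFile syntax: "group: member member ..."
SAMPLE_GROUP_FILE = "# constructed example\nusers: alice bob\nadmins: alice\n"


def parse_group_file(text):
    """Parse 'group: user1 user2 ...' lines into {user: [group, ...]}."""
    membership = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, members = line.partition(":")
        if not sep:
            continue  # malformed line: skip rather than guess a group
        for user in members.split():
            membership.setdefault(user, []).append(name.strip())
    return membership


def lookup(membership, user):
    """Comma-separated groups for user, or 'NULL' so the map's default applies."""
    groups = membership.get(user)
    return ",".join(groups) if groups else "NULL"


def serve(membership, stdin, stdout):
    """prg protocol: one key per input line, exactly one reply line, unbuffered."""
    for line in stdin:
        stdout.write(lookup(membership, line.rstrip("\r\n")) + "\n")
        stdout.flush()  # Apache blocks until the reply arrives; never buffer


if __name__ == "__main__":
    with open(sys.argv[1], encoding="utf-8") as fh:
        serve(parse_group_file(fh.read()), sys.stdin, sys.stdout)
```

The group header only has value if the application server accepts it solely from this proxy, so keep client-supplied X-Forwarded-User-Groups from reaching it (RequestHeader set overwrites it on authenticated requests) and do not expose the backend port directly.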