Mod-proxy-add-user is a project mainly written in C, based on the View license.
a tiny apache module to pass REMOTE_USER via headers to proxy servers
=== Introduction ===
Some authentication apache modules don't set the REMOTE_USER header field during the fixup phase of the API. As a side effect, such headers can't be dispatched to proxified applications as they are set too late. The only solution is to use a tricky module, registered between the authentication process and the mod_proxy handler, which can retrieve the REMOTE_USER field and set it to output headers, just before beeing send by mod_proxy.
As the result, REMOTE_USER can be catched even in proxified applications.
=== Installation ===
Don't use a2enmod unless you know what you are doing, the order of loading is important (see Configuration).
=== Configuration ===
Configuration of the module is tricky as it depends on the order on which the modules are loaded.
Extract of httpd.conf :
LoadModule authopenid_module /usr/lib/apache2/modules/mod_auth_openid.so LoadModule proxy_add_user_module /usr/lib/apache2/modules/libproxy_add_user.so LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
The module has two settings working on a per directory basis (they can be added to Proxy) :
Here is an example of configuration :
<Proxy *> Order deny,allow Allow from all ProxyAddUser On # Enable the module ProxyAddUserKey "IDENTITY" # Set header field to IDENTITY AuthOpenIDEnabled On
=== Security ===
You can't trust the X-REMOTE_USER header field unless you are sure your web application is only reachable by the proxy. Every http request must pass by the proxy.
=== Notes ===
This module was written thanks to a nice article which can be found here : http://www.jaddog.org/2010/03/22/how-to-proxy-pass-remote_user/ .