| Tobias Walter 2005-10-24, 10:31 am |
| Hi,
I run a reverse proxy with mod_rewrite and authenticate users with
mod_auth_kerb.
Now I want not only to authenticate the user on the reverse proxy front
end but also to authorize the user with software installed on the
hiddenserver. I try the following configuration to hand over the
authenticated user id as header HTTP_MY_USER to the hiddenserver behind
the reverse proxy:

# authenticate Kerberos user
<Location />
    AuthType Kerberos
    require valid-user
</Location>

# put REMOTE_USER in Environment,
# mod_rewrite comes before authentication, so use subrequest
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule /.* - [E=USER_IN_ENV:%1]

# Set my authorization header
RequestHeader set MY_USER %{USER_IN_ENV}e

# rewrite authenticated requests to the back end (reverse proxy configuration)
RewriteRule ^/(.*) http://hiddenserver/$1 [P]

My problem is:
mod_auth_kerb succeeds in authenticating the sub request done with LA-U,
but fails to authenticate the real request, because the real request
uses the identical authentication request params and Kerberos rejects it
as a replay of the sub request:
> gss_accept_sec_context() failed: Miscellaneous failure (Request is a replay)
Without the LA-U the access to the hiddenserver succeeds - transparent
access only for Kerberos authenticated users but the hiddenserver has
no info about the user:
HTTP_MY_USER = (null)
Does anyone have an idea how I could manage this, by only authenticating
the sub request or anything like that?
Thanks,
Tobias Walter
|
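
A back-end check for the MY_USER header handed over in the post above, added here as an example and not part of the original post: it denies the request when the header is missing or is the literal (null) shown above, and accepts an identity only from the proxy. The proxy address, the realm, the function name and the user@REALM form of the value are assumptions.

```python
import re

# Assumptions (not from the original post): proxy address and Kerberos realm.
TRUSTED_PROXIES = {"10.0.0.5"}      # constructed address of the reverse proxy
ALLOWED_REALMS = {"EXAMPLE.COM"}    # constructed realm
# Assumed value format: the Kerberos principal, user@REALM.
PRINCIPAL_RE = re.compile(r"([A-Za-z0-9._-]{1,64})@([A-Z0-9.-]{1,255})")


def proxied_user(environ):
    """Return the user name asserted by the proxy, or None to deny.

    environ is a CGI/WSGI-style dict; the MY_USER request header set by
    the proxy arrives there as HTTP_MY_USER.
    """
    # Only the reverse proxy may assert an identity. A client that reaches
    # the back end directly could send its own MY_USER header.
    if environ.get("REMOTE_ADDR") not in TRUSTED_PROXIES:
        return None
    value = environ.get("HTTP_MY_USER", "").strip()
    # "(null)" is what the back end sees when USER_IN_ENV was never set.
    if not value or value == "(null)":
        return None
    # fullmatch also rejects folded duplicates such as "a@R, b@R".
    match = PRINCIPAL_RE.fullmatch(value)
    if match is None:
        return None
    user, realm = match.groups()
    if realm not in ALLOWED_REALMS:
        return None
    return user


# Constructed sample requests: (environ, expected result)
SAMPLES = [
    ({"REMOTE_ADDR": "10.0.0.5", "HTTP_MY_USER": "twalter@EXAMPLE.COM"}, "twalter"),
    ({"REMOTE_ADDR": "10.0.0.5", "HTTP_MY_USER": "(null)"}, None),
    ({"REMOTE_ADDR": "10.0.0.5"}, None),
    ({"REMOTE_ADDR": "192.0.2.77", "HTTP_MY_USER": "twalter@EXAMPLE.COM"}, None),
    ({"REMOTE_ADDR": "10.0.0.5", "HTTP_MY_USER": "twalter@OTHER.ORG"}, None),
]

if __name__ == "__main__":
    for env, expected in SAMPLES:
        print(env, "->", proxied_user(env), "(expected %r)" % (expected,))
```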