summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJan Pazdziora <jpazdziora@redhat.com>2014-01-17 14:41:19 +0800
committerJan Pazdziora <jpazdziora@redhat.com>2016-01-20 09:03:10 +0100
commit5a869128a4371445471bcd86392680c096240d2c (patch)
tree56a8d2f7eaa16478070880e0ccb5d22b3e145b01
parentcdaaa88a4c9b516080555aa8b9f9df65ad0b5b90 (diff)
downloadCGI-sessions-proxy-setup.zip
CGI-sessions-proxy-setup.tar.gz
CGI-sessions-proxy-setup.tar.xz
Process incoming HTTP headers in application on backend.proxy-setup
Caution: make sure the application is only accessible via a proxy which will properly clear and set these headers, so that the end user cannot gain extra privileges.
-rw-r--r--README12
-rwxr-xr-xapp.cgi8
-rw-r--r--app.conf13
-rw-r--r--lookup_identity.conf23
-rw-r--r--proxy_frontend.conf13
5 files changed, 64 insertions, 5 deletions
diff --git a/README b/README
index 1368955..c191769 100644
--- a/README
+++ b/README
@@ -4,11 +4,17 @@ with login form and logout page. It is intentionally written in simple
perl with the CGI.pm module only used to parse POST values and HTTP
cookie values, to make it easy to tweak and explore.
-If the script is placed to /var/www/app/app.cgi, the following Apache
-httpd directive will enable it on http://server-name/application
+If the script is placed to /var/www/backend/app.cgi, the following Apache
+httpd directive will enable it on backend http://server-name/bapplication
location:
- ScriptAlias /application /var/www/app/app.cgi
+ ScriptAlias /bapplication /var/www/backend/app.cgi
+
+Then on the frontend server
+
+ ProxyPass /application http://server-name/bapplication
+
+will ensure redirection to the backend server.
The script uses HTTP cookie the-test-cookie to either have value
ok:login to mean user login is logged in, or value xx to mean the user
diff --git a/app.cgi b/app.cgi
index badc13a..31a9f4a 100755
--- a/app.cgi
+++ b/app.cgi
@@ -22,6 +22,14 @@ my $LOGIN = '/login';
my $LOGOUT = '/logout';
my $AUTH_COOKIE = 'the-test-cookie';
+if (defined $ENV{FRONTEND_SCRIPT_NAME}) {
+ $ENV{SCRIPT_NAME} = $ENV{FRONTEND_SCRIPT_NAME};
+
+ for my $x (map { /^HTTP_(REMOTE_USER.*)/ ? ($1) : () } keys %ENV) {
+ $ENV{$x} = $ENV{"HTTP_$x"};
+ }
+}
+
my $q = new CGI;
my $cookie = $q->cookie($AUTH_COOKIE);
my ($user, $name);
diff --git a/app.conf b/app.conf
index bba0242..736123b 100644
--- a/app.conf
+++ b/app.conf
@@ -1,3 +1,12 @@
+Listen localhost:8888
+<VirtualHost localhost:8888>
+ServerName localhost:8888
+ScriptAlias /bapplication /var/www/backend/app.cgi
-ScriptAlias /application /var/www/app/app.cgi
-
+<Location /bapplication>
+ SetEnv FRONTEND_SCRIPT_NAME /application
+ Order deny,allow
+ Deny from all
+ Allow from 127.0.0.1 ::1
+</Location>
+</VirtualHost>
diff --git a/lookup_identity.conf b/lookup_identity.conf
index 8022d07..5377c28 100644
--- a/lookup_identity.conf
+++ b/lookup_identity.conf
@@ -6,5 +6,28 @@ LookupUserAttr mail REMOTE_USER_EMAIL " "
LookupUserAttr givenname REMOTE_USER_FIRSTNAME
LookupUserAttr sn REMOTE_USER_LASTNAME
LookupUserGroups REMOTE_USER_GROUPS ":"
+LookupUserGroupsIter REMOTE_USER_GROUP
+
+RequestHeader unset REMOTE-USER-EMAIL
+RequestHeader unset REMOTE-USER-FIRSTNAME
+RequestHeader unset REMOTE-USER-LASTNAME
+RequestHeader unset REMOTE-USER-GECOS
+RequestHeader unset REMOTE-USER-GROUPS
+
+RequestHeader unset REMOTE-USER-GROUP-N
+RequestHeader unset REMOTE-USER-GROUP-1
+RequestHeader unset REMOTE-USER-GROUP-2
+RequestHeader unset REMOTE-USER-GROUP-3
+
+RequestHeader set REMOTE-USER-EMAIL %{REMOTE_USER_EMAIL}e env=REMOTE_USER_EMAIL
+RequestHeader set REMOTE-USER-FIRSTNAME %{REMOTE_USER_FIRSTNAME}e env=REMOTE_USER_FIRSTNAME
+RequestHeader set REMOTE-USER-LASTNAME %{REMOTE_USER_LASTNAME}e env=REMOTE_USER_LASTNAME
+RequestHeader set REMOTE-USER-GECOS %{REMOTE_USER_GECOS}e env=REMOTE_USER_GECOS
+RequestHeader set REMOTE-USER-GROUPS %{REMOTE_USER_GROUPS}e env=REMOTE_USER_GROUPS
+
+RequestHeader set REMOTE-USER-GROUP-N %{REMOTE_USER_GROUP_N}e env=REMOTE_USER_GROUP_N
+RequestHeader set REMOTE-USER-GROUP-1 %{REMOTE_USER_GROUP_1}e env=REMOTE_USER_GROUP_1
+RequestHeader set REMOTE-USER-GROUP-2 %{REMOTE_USER_GROUP_2}e env=REMOTE_USER_GROUP_2
+RequestHeader set REMOTE-USER-GROUP-3 %{REMOTE_USER_GROUP_3}e env=REMOTE_USER_GROUP_3
</LocationMatch>
diff --git a/proxy_frontend.conf b/proxy_frontend.conf
new file mode 100644
index 0000000..537c820
--- /dev/null
+++ b/proxy_frontend.conf
@@ -0,0 +1,13 @@
+ProxyPass /application http://localhost:8888/bapplication
+
+<LocationMatch ^/application/login>
+RequestHeader unset Authorization
+
+# Put mod_auth_kerb's authentication result (r->user) to env variable
+RewriteEngine on
+RewriteCond %{REMOTE_USER} (.+)
+RewriteRule ^.+$ - [E=REMOTE_USER:%1]
+
+RequestHeader unset REMOTE-USER
+RequestHeader set REMOTE-USER %{REMOTE_USER}e env=REMOTE_USER
+</LocationMatch>