author | Jan Pazdziora <jpazdziora@redhat.com> | 2014-01-17 14:41:19 +0800 |
---|---|---|
committer | Jan Pazdziora <jpazdziora@redhat.com> | 2016-01-20 09:03:10 +0100 |
commit | 5a869128a4371445471bcd86392680c096240d2c (patch) | |
tree | 56a8d2f7eaa16478070880e0ccb5d22b3e145b01 | |
parent | cdaaa88a4c9b516080555aa8b9f9df65ad0b5b90 (diff) | |
Process incoming HTTP headers in application on backend.proxy-setup
Caution: make sure the application is only accessible via a proxy
which will properly clear and set these headers, so that the end user
cannot gain extra privileges.
-rw-r--r-- | README | 12 | ||||
-rwxr-xr-x | app.cgi | 8 | ||||
-rw-r--r-- | app.conf | 13 | ||||
-rw-r--r-- | lookup_identity.conf | 23 | ||||
-rw-r--r-- | proxy_frontend.conf | 13 |
5 files changed, 64 insertions, 5 deletions
@@ -4,11 +4,17 @@ with login form and logout page. It is intentionally written in simple perl with the CGI.pm module only used to parse POST values and HTTP cookie values, to make it easy to tweak and explore. -If the script is placed to /var/www/app/app.cgi, the following Apache -httpd directive will enable it on http://server-name/application +If the script is placed to /var/www/backend/app.cgi, the following Apache +httpd directive will enable it on backend http://server-name/bapplication location: - ScriptAlias /application /var/www/app/app.cgi + ScriptAlias /bapplication /var/www/backend/app.cgi + +Then on the frontend server + + ProxyPass /application http://server-name/bapplication + +will ensure redirection to the backend server. The script uses HTTP cookie the-test-cookie to either have value ok:login to mean user login is logged in, or value xx to mean the user @@ -22,6 +22,14 @@ my $LOGIN = '/login'; my $LOGOUT = '/logout'; my $AUTH_COOKIE = 'the-test-cookie'; +if (defined $ENV{FRONTEND_SCRIPT_NAME}) { + $ENV{SCRIPT_NAME} = $ENV{FRONTEND_SCRIPT_NAME}; + + for my $x (map { /^HTTP_(REMOTE_USER.*)/ ? ($1) : () } keys %ENV) { + $ENV{$x} = $ENV{"HTTP_$x"}; + } +} + my $q = new CGI; my $cookie = $q->cookie($AUTH_COOKIE); my ($user, $name); @@ -1,3 +1,12 @@ +Listen localhost:8888 +<VirtualHost localhost:8888> +ServerName localhost:8888 +ScriptAlias /bapplication /var/www/backend/app.cgi -ScriptAlias /application /var/www/app/app.cgi - +<Location /bapplication> + SetEnv FRONTEND_SCRIPT_NAME /application + Order deny,allow + Deny from all + Allow from 127.0.0.1 ::1 +</Location> +</VirtualHost> diff --git a/lookup_identity.conf b/lookup_identity.conf index 8022d07..5377c28 100644 --- a/lookup_identity.conf +++ b/lookup_identity.conf 
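Review bot: The backend promotes every `HTTP_REMOTE_USER*` variable into `%ENV` by pattern (`/^HTTP_(REMOTE_USER.*)/`), but the frontend only scrubs a fixed set of header names (`REMOTE-USER` in proxy_frontend.conf, and the EMAIL/FIRSTNAME/LASTNAME/GECOS/GROUPS/GROUP-N/GROUP-1..3 names in lookup_identity.conf), so any other `REMOTE-USER-*` header a client sends appears to reach the application as a trusted-looking `REMOTE_USER_*` variable. Replacing the glob with the explicit list of names the frontend is known to set keeps the two sides in step: `for my $x (qw(REMOTE_USER REMOTE_USER_EMAIL REMOTE_USER_FIRSTNAME REMOTE_USER_LASTNAME REMOTE_USER_GECOS REMOTE_USER_GROUPS REMOTE_USER_GROUP_N REMOTE_USER_GROUP_1 REMOTE_USER_GROUP_2 REMOTE_USER_GROUP_3)) {` / `    $ENV{$x} = $ENV{"HTTP_$x"} if exists $ENV{"HTTP_$x"};` / `}`. The original `HTTP_*` entries stay in `%ENV` either way; deleting each one after the copy would make it clear that only the promoted names are meant to be consulted. A short comment above the `if (defined $ENV{FRONTEND_SCRIPT_NAME})` guard, stating that these values are trusted only because app.conf limits `/bapplication` to loopback callers and sets that variable, would help the next reader.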
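Review bot: The `Order deny,allow` / `Deny from all` / `Allow from 127.0.0.1 ::1` trio inside `<Location /bapplication>` is the Apache 2.2 access-control form; on 2.4 it only works through mod_access_compat, and if 2.4 is the target the single line `Require local` (or `Require ip 127.0.0.1 ::1`) replaces the three. The restriction admits any process on the host, not only the frontend httpd, and `SetEnv FRONTEND_SCRIPT_NAME /application` is what switches app.cgi into trusting the `REMOTE-USER*` request headers, so the block deserves a comment recording that coupling, e.g. `# Loopback-only: app.cgi trusts REMOTE-USER* headers whenever FRONTEND_SCRIPT_NAME is set, so nothing but the frontend proxy may reach this vhost`.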
@@ -6,5 +6,28 @@ LookupUserAttr mail REMOTE_USER_EMAIL " " LookupUserAttr givenname REMOTE_USER_FIRSTNAME LookupUserAttr sn REMOTE_USER_LASTNAME LookupUserGroups REMOTE_USER_GROUPS ":" +LookupUserGroupsIter REMOTE_USER_GROUP + +RequestHeader unset REMOTE-USER-EMAIL +RequestHeader unset REMOTE-USER-FIRSTNAME +RequestHeader unset REMOTE-USER-LASTNAME +RequestHeader unset REMOTE-USER-GECOS +RequestHeader unset REMOTE-USER-GROUPS + +RequestHeader unset REMOTE-USER-GROUP-N +RequestHeader unset REMOTE-USER-GROUP-1 +RequestHeader unset REMOTE-USER-GROUP-2 +RequestHeader unset REMOTE-USER-GROUP-3 + +RequestHeader set REMOTE-USER-EMAIL %{REMOTE_USER_EMAIL}e env=REMOTE_USER_EMAIL +RequestHeader set REMOTE-USER-FIRSTNAME %{REMOTE_USER_FIRSTNAME}e env=REMOTE_USER_FIRSTNAME +RequestHeader set REMOTE-USER-LASTNAME %{REMOTE_USER_LASTNAME}e env=REMOTE_USER_LASTNAME +RequestHeader set REMOTE-USER-GECOS %{REMOTE_USER_GECOS}e env=REMOTE_USER_GECOS +RequestHeader set REMOTE-USER-GROUPS %{REMOTE_USER_GROUPS}e env=REMOTE_USER_GROUPS + +RequestHeader set REMOTE-USER-GROUP-N %{REMOTE_USER_GROUP_N}e env=REMOTE_USER_GROUP_N +RequestHeader set REMOTE-USER-GROUP-1 %{REMOTE_USER_GROUP_1}e env=REMOTE_USER_GROUP_1 +RequestHeader set REMOTE-USER-GROUP-2 %{REMOTE_USER_GROUP_2}e env=REMOTE_USER_GROUP_2 +RequestHeader set REMOTE-USER-GROUP-3 %{REMOTE_USER_GROUP_3}e env=REMOTE_USER_GROUP_3 </LocationMatch> diff --git a/proxy_frontend.conf b/proxy_frontend.conf new file mode 100644 index 0000000..537c820 --- /dev/null +++ b/proxy_frontend.conf @@ -0,0 +1,13 @@ +ProxyPass /application http://localhost:8888/bapplication + +<LocationMatch ^/application/login> +RequestHeader unset Authorization + +# Put mod_auth_kerb's authentication result (r->user) to env variable +RewriteEngine on +RewriteCond %{REMOTE_USER} (.+) +RewriteRule ^.+$ - [E=REMOTE_USER:%1] + +RequestHeader unset REMOTE-USER +RequestHeader set REMOTE-USER %{REMOTE_USER}e env=REMOTE_USER +</LocationMatch> |
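Review bot: The forwarded group set is capped at three: `LookupUserGroupsIter REMOTE_USER_GROUP` produces `REMOTE_USER_GROUP_1 .. REMOTE_USER_GROUP_N` for however many groups the user has, but the `RequestHeader set`/`unset` pairs stop at `REMOTE-USER-GROUP-3`, so a fourth group is silently not forwarded while `REMOTE-USER-GROUP-N` still advertises the full count, and a client-supplied `REMOTE-USER-GROUP-4` header is not scrubbed either. Either bound both lists to the largest group count the application can receive, or forward only `REMOTE-USER-GROUPS` (the joined list is already sent) and drop the per-index headers. At minimum a comment above the GROUP block such as `# Only the first three iterated groups are forwarded; GROUP-N may exceed this - keep the set and unset lists in step` would record the limit. The enclosing `<LocationMatch>` opens outside this hunk.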
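Review bot: `RequestHeader unset REMOTE-USER` is scoped to `<LocationMatch ^/application/login>`, while `ProxyPass /application` forwards every path under `/application`; a request to any other path arrives at the backend with a client-supplied `REMOTE-USER` header intact, and app.cgi promotes `HTTP_REMOTE_USER` to `REMOTE_USER` regardless of path. The unset belongs on the whole proxied prefix, with only the `set` left in the login match; the same applies to `RequestHeader unset Authorization` if the backend should never see the client's credentials. mod_headers merges per-directory directives in configuration order, so an unset in a `<Location /application>` block followed by the existing set in the `<LocationMatch>` should leave the login behaviour unchanged.
```apache
ProxyPass /application http://localhost:8888/bapplication

<Location /application>
RequestHeader unset Authorization
RequestHeader unset REMOTE-USER
</Location>

<LocationMatch ^/application/login>
# … unchanged: RewriteEngine/RewriteCond/RewriteRule and RequestHeader set REMOTE-USER …
</LocationMatch>
```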