AllGoodBits.org

Passing REMOTE_USER from Apache as a reverse proxy to web application servers

I have a web application written in one of the plethora of modern web application microframeworks (in this case, Flask, because that's meeting my needs and wants at the moment, but it doesn't really matter for the purposes of this article).

I want to be able to require that authentication is managed by the reverse proxy that sits in front of my appserver, because pubcookie is what is available in this enterprise environment, and that the value of REMOTE_USER is handed to my application server.

Pubcookie, in common with other authenticators, sets the server variable REMOTE_USER.

I believe that the best way to deal with this is to set another header, such as X-Proxy-REMOTE-USER and have the application check in the headers, which should be within the existing capabilities of any web application framework.

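RewriteEngine On
# Copy REMOTE_USER into an environment variable, then into a request header (overwriting any client-sent value)
RewriteRule .* - [E=X-Proxy-REMOTE-USER:%{REMOTE_USER}]
RequestHeader set X-Proxy-REMOTE-USER %{X-Proxy-REMOTE-USER}e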

This approach should also work for Shibboleth, since it sets REMOTE_USER too.

The (Flask) application itself can then read the value from request.headers to do authorisation checks.
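
The header is only as trustworthy as the path it arrived on, so the application should accept it only from the proxy. The following is an added example, not code from the original article: a standard-library WSGI middleware (a generalisation that works under Flask or any other WSGI framework) that takes X-Proxy-REMOTE-USER only from a trusted proxy address. The class name and the proxy address 127.0.0.1 are assumptions.

```python
"""WSGI middleware: accept X-Proxy-REMOTE-USER only from the reverse proxy."""
import ipaddress

TRUSTED_PROXIES = {"127.0.0.1"}           # assumption: Apache runs on the same host
USER_HEADER = "HTTP_X_PROXY_REMOTE_USER"  # WSGI environ key for X-Proxy-REMOTE-USER
UNSET_VALUES = {"", "(null)"}             # mod_headers sends "(null)" for an unset variable


class ProxyAuthMiddleware:
    """Hypothetical helper. Flask wiring: app.wsgi_app = ProxyAuthMiddleware(app.wsgi_app)"""

    def __init__(self, app, trusted_proxies=TRUSTED_PROXIES):
        self.app = app
        self.trusted = {ipaddress.ip_address(p) for p in trusted_proxies}

    def authenticated_user(self, environ):
        """Return the proxy-asserted user name, or None if it cannot be trusted."""
        try:
            peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
        except ValueError:
            return None  # no usable peer address: fail closed
        if peer not in self.trusted:
            return None  # request bypassed the proxy; anyone could have set the header
        user = environ.get(USER_HEADER, "").strip()
        return None if user in UNSET_VALUES else user

    def __call__(self, environ, start_response):
        user = self.authenticated_user(environ)
        if user is None:
            body = b"forbidden\n"
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        # Expose the verified name where frameworks expect it
        # (Flask reads this key as request.remote_user).
        environ["REMOTE_USER"] = user
        return self.app(environ, start_response)
```

Binding the application server to a loopback or private interface, so that only the proxy can reach it, is the complementary control on the network side.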