end0tknr's kipple - new web code-transcription development

Moved from http://d.hatena.ne.jp/end0tknr/

(Revisited) Passing the REMOTE_USER authenticated at the reverse proxy to the receiving Apache

https://qiita.com/end0tknr/items/c411cd91caaf43147ac4

Re-edited from the URL above.

Last time, the REMOTE_USER information authenticated on the reverse proxy side was passed to the backend server as HTTP_X_FORWARDED_USER. This time, it is also passed to the backend server as REMOTE_USER.

Configuration

Top row = previous time, bottom row = this time; the parts in 【】 are what changed.

┌Apache(REVERSE PROXY) ──┐  ┌Apache(APP SERVER)──────┐
│AuthType BASIC            ├→│AuthType NONE                 │
│【env param:REMOTE_USER】 │  │【env param:X-Forwarded-User】│
└─────────────┘  └───────────────┘
┌Apache(REVERSE PROXY) ──┐  ┌Apache(APP SERVER)──────┐
│AuthType BASIC            ├→│AuthType NONE                 │
│【env param:REMOTE_USER】 │  │【env param:REMOTE_USER】     │
└─────────────┘  └───────────────┘

Editing apache httpd.conf (excerpt)

# These modules are required
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule headers_module modules/mod_headers.so
LoadModule rewrite_module modules/mod_rewrite.so

# basic auth on the front reverse proxy
<LocationMatch "/reverse_from/">
 AuthType Basic
 AuthName "Member Only"
 AuthUserFile /home/end0tknr/dev/htpasswd
 require valid-user
 ErrorDocument 401 /error/authen-error.html
</LocationMatch>

# front reverse proxy settings

# Off because this is a reverse proxy (On for a normal forward proxy)
ProxyRequests Off
<Location "/reverse_from/">
 ProxyPass         http://192.168.244.101:8080/reverse_to/
 ProxyPassReverse  http://192.168.244.101:8080/reverse_to/

 # Add the remote user information to the http header as X-Forwarded-User
 # (LA-U: looks ahead to the value REMOTE_USER will have after authentication)
 RewriteEngine On
 RewriteCond %{LA-U:REMOTE_USER} (.+)
 RewriteRule . - [E=RU:%1,NS]
 RequestHeader add X-Forwarded-User %{RU}e
</Location>


# backend app server settings
<Directory "/home/end0tknr/dev/reverse_to">
  Order allow,deny
  Allow from all

  # Put the X-Forwarded-User http header back into the REMOTE_USER environment variable
  # (only when REMOTE_USER is still empty)
  RewriteEngine On
  RewriteCond %{REMOTE_USER} ^$
  RewriteCond %{HTTP:X-Forwarded-User} (.+) [NC]
  RewriteRule . - [E=REMOTE_USER:%1,NS]

  # Enable CGI so the result of the conversion can be checked with a perl CGI
  <Files "*.pl">
    Options ExecCGI
    # It seems +FollowSymLinks has to be given here with a "+"...
    Options +FollowSymLinks
    AddHandler cgi-script .pl
  </Files>
</Directory>
Alias /reverse_to     /home/end0tknr/dev/reverse_to

Starting and checking apache

$ cd /home/end0tknr/local/apache24
$ ./bin/apachectl -f conf/httpd_reverse_proxy.conf 

Start it like this, then access "(undisclosed IP):8080/reverse_from/index.pl" and the following is displayed.

CONTEXT_DOCUMENT_ROOT = /home/end0tknr/dev/reverse_to
CONTEXT_PREFIX = /reverse_to
DOCUMENT_ROOT = /home/end0tknr/local/apache24/htdocs
GATEWAY_INTERFACE = CGI/1.1
HTTP_ACCEPT = text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
HTTP_ACCEPT_ENCODING = gzip, deflate
HTTP_ACCEPT_LANGUAGE = ja-JP,ja;q=0.9,en-US;q=0.8,en;q=0.7
HTTP_CACHE_CONTROL = max-age=0
HTTP_CONNECTION = Keep-Alive
HTTP_COOKIE = _ga=GA1.1.994183502.1540097814; __utmz=224856154.1540122275.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=224856154.994183502.1540097814.1540329245.1540330341.5
HTTP_HOST = 192.168.244.101:8080
HTTP_UPGRADE_INSECURE_REQUESTS = 1
HTTP_USER_AGENT = Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
HTTP_X_FORWARDED_FOR = 192.168.244.1
HTTP_X_FORWARDED_HOST = 192.168.244.101:8080
HTTP_X_FORWARDED_SERVER = cent7.a5.jp
HTTP_X_FORWARDED_USER = endou021  ★★★
LD_LIBRARY_PATH = /home/end0tknr/local/apache24/lib
PATH = /usr/local/go/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/end0tknr/.local/bin:/home/end0tknr/bin
QUERY_STRING = 
REMOTE_ADDR = 192.168.244.101
REMOTE_PORT = 44614
REMOTE_USER = endou021  ★★★
REQUEST_METHOD = GET
REQUEST_SCHEME = http
REQUEST_URI = /reverse_to/index.pl
SCRIPT_FILENAME = /home/end0tknr/dev/reverse_to/index.pl
SCRIPT_NAME = /reverse_to/index.pl
SERVER_ADDR = 192.168.244.101
SERVER_ADMIN = you@example.com
SERVER_NAME = 192.168.244.101
SERVER_PORT = 8080
SERVER_PROTOCOL = HTTP/1.1
SERVER_SIGNATURE = 
SERVER_SOFTWARE = Apache/2.4.34 (Unix) PHP/7.2.6

The content of print_env.pl is as follows.

#!/usr/local/bin/perl
use strict;
use warnings;
use CGI;
use Encode;
use Data::Dumper;

main();

sub main {
    my $q = CGI->new();
    # dump the CGI object to the error log for debugging
    print STDERR Dumper($q);

    print CGI::header(-type=>'text/plain',-charset=>'UTF-8');

    # print every environment variable, including REMOTE_USER and HTTP_X_FORWARDED_USER
    for my $env_key (sort keys %ENV){
        print "$env_key = $ENV{$env_key}\n";
    }
}

Other - adding X-Forwarded-For and X-Forwarded-User to the access_log output fields

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %T  %{X-Forwarded-For}i %{X-Forwarded-User}i" combined

If the LogFormat in httpd.conf is edited like ↑this, the output ↓looks like this.

192.168.244.101 - - [23/Dec/2018:09:14:25 +0900] "GET /reverse_to/index.pl HTTP/1.1" 200 1620 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36" 0  192.168.244.1 endou021
192.168.244.1 - endou021 [23/Dec/2018:09:14:25 +0900] "GET /reverse_from/index.pl HTTP/1.1" 200 1620 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36" 0  - endou021

I wanted to write %{REMOTE_USER}i instead of %{X-Forwarded-User}i, but in that case it was not output properly.
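As an added example (not code from the original post), here is a small Python parser for the extended LogFormat above. It is run over the two log lines shown on the page plus one constructed line, splits out the X-Forwarded-For / X-Forwarded-User fields next to the address the request actually arrived from, and flags backend requests that carried an X-Forwarded-User without coming from the proxy address. The trusted proxy address (192.168.244.101, the page's own host), the use of /reverse_to/ as the backend prefix and the third log line are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Pattern for the LogFormat used on this page:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i" %T  %{X-Forwarded-For}i %{X-Forwarded-User}i
# %T is followed by one or more spaces in the output, hence \s+ at that spot.
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)" (?P<seconds>\d+)\s+'
    r'(?P<xff>\S+) (?P<xfu>\S+)$'
)


@dataclass
class LogEntry:
    host: str                # %h: address the request arrived from
    user: Optional[str]      # %u: user authenticated by this httpd itself
    time: str
    method: str
    path: str
    status: int
    xff: Optional[str]       # X-Forwarded-For header, None when logged as "-"
    xfu: Optional[str]       # X-Forwarded-User header, None when logged as "-"


def _dash_to_none(value: str) -> Optional[str]:
    """Apache logs a missing header or user as a bare '-'."""
    return None if value == "-" else value


def parse_line(line: str) -> LogEntry:
    """Parse one access_log line written with the LogFormat above."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        raise ValueError(f"line does not match the expected LogFormat: {line!r}")
    request_parts = m["request"].split(" ")   # "GET /path HTTP/1.1"
    return LogEntry(
        host=m["host"],
        user=_dash_to_none(m["user"]),
        time=m["time"],
        method=request_parts[0],
        path=request_parts[1] if len(request_parts) > 1 else "",
        status=int(m["status"]),
        xff=_dash_to_none(m["xff"]),
        xfu=_dash_to_none(m["xfu"]),
    )


def parse_log(text: str) -> List[LogEntry]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_untrusted_forwarded_users(entries: Iterable[LogEntry],
                                   trusted_proxies: Set[str],
                                   backend_prefix: str = "/reverse_to/") -> List[LogEntry]:
    """Backend requests that carried X-Forwarded-User but did not arrive from a
    trusted proxy address. The backend RewriteRule turns that header into
    REMOTE_USER, so the proxy is the only place it should ever originate."""
    return [
        e for e in entries
        if e.path.startswith(backend_prefix)
        and e.xfu is not None
        and e.host not in trusted_proxies
    ]


# The first two lines are the ones shown on the page; the third is constructed
# for this example and represents a request to the backend path that reached
# the app server without passing through the proxy.
SAMPLE_LOG = """\
192.168.244.101 - - [23/Dec/2018:09:14:25 +0900] "GET /reverse_to/index.pl HTTP/1.1" 200 1620 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36" 0  192.168.244.1 endou021
192.168.244.1 - endou021 [23/Dec/2018:09:14:25 +0900] "GET /reverse_from/index.pl HTTP/1.1" 200 1620 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36" 0  - endou021
192.168.244.55 - - [23/Dec/2018:09:20:00 +0900] "GET /reverse_to/index.pl HTTP/1.1" 200 1620 "-" "curl/7.61.1" 0  - someone
"""

# On this page the proxy and the app server run on the same host, so backend
# requests legitimately arrive from 192.168.244.101 (assumed trusted here).
TRUSTED_PROXIES = {"192.168.244.101"}

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in entries:
        print(f"{e.host:16} user={e.user!s:10} path={e.path:24} xff={e.xff} xfu={e.xfu}")
    for e in find_untrusted_forwarded_users(entries, TRUSTED_PROXIES):
        print(f"WARNING: {e.path} from {e.host} carried X-Forwarded-User={e.xfu} "
              f"without passing through the proxy")
```

Two things the parsed output makes visible: the `%u` field on the proxy's own line already holds the Basic-auth user (`endou021`), because `%u` is the user httpd itself authenticated, while `%{...}i` always reads a request header, which is why a header named REMOTE_USER is not found; an environment variable set by the backend RewriteRule can be logged with `%{REMOTE_USER}e`. The server-side counterpart of the check in `find_untrusted_forwarded_users` is to restrict the backend `<Directory>` to the proxy's address (for example with `Require ip`), so that the RewriteRule only ever sees an X-Forwarded-User header the proxy itself set.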