documentation:1.9:header_remote_user

Using LL::NG in reverse proxy mode, you will not have the REMOTE_USER environment variable set. Indeed, this variable is set by the Handler on the physical server hosting the Handler, and not on other servers where the Handler is not installed.

Apache SetEnvIf module will let you transform the Auth-User HTTP header in REMOTE_USER environment variable:

SetEnvIfNoCase Auth-User "(.*)" REMOTE_USER=$1

This can be used to protect applications relying on REMOTE_USER environment variable in reverse proxy mode. In this case you will have two Apache configuration files:

Apache configuration file on LL::NG reverse proxy (hosting LL::NG Handler):

<VirtualHost *:80>
        ServerName application.example.com
 
        PerlHeaderParserHandler Lemonldap::NG::Handler
 
        ProxyPreserveHost on
        ProxyPass / http://APPLICATION_IP/
        ProxyPassReverse / http://APPLICATION_IP/
 
</VirtualHost>

Apache configuration file on application server (hosting the application):

<VirtualHost *:80>
        ServerName application.example.com
 
        SetEnvIfNoCase Auth-User "(.*)" REMOTE_USER=$1
 
        DocumentRoot /var/www/application
 
</VirtualHost>

Sometimes, PHP applications also check the PHP_AUTH_USER and PHP_AUHT_PW environment variables. You can set them the same way:

SetEnvIfNoCase Auth-User "(.*)" PHP_AUTH_USER=$1
SetEnvIfNoCase Auth-Password "(.*)" PHP_AUTH_PW=$1

Of course, you need to store password in session to fill PHP_AUTH_PW.

Convert HTTP header into environment variable