Differences

documentation:latest:header_remote_user_conversion [2019/01/15 15:54] (current)
Line 1: Line 1:
 +====== Convert HTTP header into environment variable ======
  
 +===== Apache =====
 +
 +Using LL::NG in reverse proxy mode, you will not have the ''​REMOTE_USER''​ environment variable set. Indeed, this variable is set by the Handler on the physical server hosting the Handler, and not on other servers where the Handler is not installed.
 +
 +Apache [[http://​httpd.apache.org/​docs/​current/​mod/​mod_setenvif.html|SetEnvIf module]] will let you transform the Auth-User HTTP header in ''​REMOTE_USER''​ environment variable:
 +
 +<file apache>
 +SetEnvIfNoCase Auth-User "​(.*)"​ REMOTE_USER=$1
 +</​file>​
 +
 +This can be used to protect applications relying on ''​REMOTE_USER''​ environment variable in reverse proxy mode. In this case you will have two Apache configuration files:
 +
 +  * Apache configuration file on LL::NG reverse proxy (hosting LL::NG Handler):
 +
 +<file apache>
 +<​VirtualHost *:80>
 +        ServerName application.example.com
 +
 +        PerlHeaderParserHandler Lemonldap::​NG::​Handler::​ApacheMP2
 +
 +        ProxyPreserveHost on
 +        ProxyPass / http://​APPLICATION_IP/​
 +        ProxyPassReverse / http://​APPLICATION_IP/​
 +
 +</​VirtualHost>​
 +</​file>​
 +
 +  * Apache configuration file on application server (hosting the application):​
 +
 +<file apache>
 +<​VirtualHost *:80>
 +        ServerName application.example.com
 +        ​
 +        SetEnvIfNoCase Auth-User "​(.*)"​ REMOTE_USER=$1
 +
 +        DocumentRoot /​var/​www/​application
 +
 +</​VirtualHost>​
 +</​file>​
 +
 +<note tip>
 +Sometimes, PHP applications also check the PHP_AUTH_USER and PHP_AUHT_PW environment variables. You can set them the same way:
 +<file apache>
 +SetEnvIfNoCase Auth-User "​(.*)"​ PHP_AUTH_USER=$1
 +SetEnvIfNoCase Auth-Password "​(.*)"​ PHP_AUTH_PW=$1
 +</​file>​
 +Of course, you need to [[passwordstore|store password in session]] to fill PHP_AUTH_PW.
 +</​note>​
 +
 +===== Nginx =====
 +
 +Nginx doesn'​t launch directly PHP pages (or other languages): it dials with FastCGI servers (like php-fpm). As you can see in examples, it's easy to map a LLNG header to a fastcgi param. Example:
 +<file nginx>
 +auth_request_set $authuser $upstream_http_auth_user;​
 +fastcgi_param HTTP_MYVAR $authuser;
 +</​file>​
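
Review bot: The application-server VirtualHost (the block containing SetEnvIfNoCase Auth-User "(.*)" REMOTE_USER=$1) copies a request header into REMOTE_USER, but nothing in the example or the surrounding text restricts who may connect to that server, so the value is only trustworthy if every request arrives through the LL::NG reverse proxy. Please add a sentence saying the application vhost must accept connections only from the proxy, and show an access rule in the example (for instance an Apache 2.4 "Require ip" line with a placeholder for the proxy address). The same point covers the Auth-Password line in the tip, where a password is carried in a header over the plain http:// ProxyPass shown above. Two smaller items: "PHP_AUHT_PW" in the tip text should read "PHP_AUTH_PW", matching the two lines that follow it, and the Nginx example sets HTTP_MYVAR rather than REMOTE_USER, which deserves a word of explanation given the page title.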