DEVHIDE
Login Or Sign up

Apache, mod_auth_kerb, mod_proxy: Get authenticated user in Go Web Application

9.5k Views Asked by At

I'm using Apache as reverse proxy for things like authentication in front of the go http server.

The following apache kerberos setup works with one problem. I don't know how to get the authenticated username in my go application.

httpd.conf:

<VirtualHost host.domain.com:80>
  ProxyPreserveHost On
  ProxyPass / http://127.0.0.1:9000/
  ProxyPassReverse / http://127.0.0.1:9000/

  <Location />
    ## gzip
    ##
    AddOutputFilterByType DEFLATE text/html

    Order                      deny,allow
    Allow                      from all

    AuthType                   Kerberos
    AuthName                   "User Admin"
    KrbAuthRealms              DOMAIN.COM
    Krb5Keytab                 /etc/host.krb5keytab
    KrbMethodNegotiate         on
    KrbAuthoritative           on
    KrbMethodK5Passwd          off
    KrbLocalUserMapping on
    KrbSaveCredentials         on
    require valid-user
  </Location>
</VirtualHost>

With

 AuthType                    basic

I get the username from the request's Authorization header with the go function 

func (*Request) BasicAuth

but with Authorization header negotiate this is not possible. Furthermore I'm not able to use the REMOTE_USER environment variable because there is no cgi environment. I also tried to set the RequestHeader but without any success.

Is there any possibility to get the authorized username from the go application?

apache go mod-proxy mod-auth-kerb
Original Q&A
4

There are 4 best solutions below

0
On BEST ANSWER

Sorry for the delay - I was involved in other projects. Many thanks for the suggestions. The following solution now works for me after switching to the environment CentOS 7/httpd 2.4:

<VirtualHost host.domain.com:80>

  <Location />
    ## gzip                                                                                          
    ##                                                                                               
    AddOutputFilterByType DEFLATE text/html

    AuthType                   Kerberos
    AuthName                   "Web Application"
    KrbAuthRealms              DOMAIN.COM
    Krb5Keytab                 /etc/host.krb5keytab
    KrbMethodNegotiate         on
    KrbAuthoritative           on
    KrbMethodK5Passwd          off
    KrbLocalUserMapping        on
    KrbSaveCredentials         on
    require valid-user

    RequestHeader unset X-Forwarded-User
    RewriteEngine On
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule .* - [E=RU:%1]
    RequestHeader add X-Forwarded-User %{RU}e
  </Location>

  ProxyPreserveHost On
  ProxyPass / http://127.0.0.1:8000/
  ProxyPassReverse / http://127.0.0.1:8000/

  ServerName host.domain.com
 </VirtualHost>

The user can be accessed in Go with:

user := req.Header.Get("X-Forwarded-User")
0
On

do NOT use the rewrite workaround, because you will get into trouble with execution phases if the REMOTE_USER is set with a module like mod_authn_ntlm (ntlm with local computer, see https://support.microsoft.com/en-us/kb/896861).

RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]
RequestHeader set X-Remote-User %{RU}e

instead use the following method:

RequestHeader set X-Remote-User expr=%{REMOTE_USER}
0
On

Try the following config, you should then see your username in the header X-Forwarded-User. Make sure the headers module is loaded e.g. a2enmod headers:

<VirtualHost host.domain.com:80>

  <Location />
    ## gzip
    ##
    AddOutputFilterByType DEFLATE text/html

    AuthType                   Kerberos
    AuthName                   "User Admin"
    KrbAuthRealms              DOMAIN.COM
    Krb5Keytab                 /etc/host.krb5keytab
    KrbMethodNegotiate         on
    KrbAuthoritative           on
    KrbMethodK5Passwd          off
    KrbLocalUserMapping        on
    KrbSaveCredentials         on
    require valid-user
    RequestHeader              set X-Forwarded-User %{REMOTE_USER}s    
  </Location>

  ProxyPreserveHost On
  ProxyPass / http://127.0.0.1:9000/
  ProxyPassReverse / http://127.0.0.1:9000/

</VirtualHost>
1
On

You should be able to set a header via SetEnvIf - http://httpd.apache.org/docs/2.2/mod/mod_setenvif.html#setenvif - as below:

SetEnvIf Authorization "(.*)" HTTP_APP_USER=$1

You can then access it in Go via r.Header.Get("HTTP_APP_USER").

Beware that there's no guarantee the client hasn't also set a header with the same: http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#x-headers

Be careful when using these headers on the origin server, since they will contain more than one (comma-separated) value if the original request already contained one of these headers. For example, you can use %{X-Forwarded-For}i in the log format string of the origin server to log the original clients IP address, but you may get more than one address if the request passes through several proxies.

Related Questions in APACHE

Related Questions in GO

Related Questions in MOD-PROXY

Related Questions in MOD-AUTH-KERB

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Popular Questions

Copyright © 2021 Jogjafile Inc.