Some Apache authentication modules don't set the REMOTE_USER header field during the fixup phase of the API. As a side effect, such headers can't be forwarded to proxied applications because they are set too late. The only solution is to use a tricky module, registered between the authentication process and the mod_proxy handler, which retrieves the REMOTE_USER field and copies it into the output headers just before they are sent by mod_proxy. As a result, REMOTE_USER can be read by proxied applications.
Don't use a2enmod unless you know how to deal with the order of loading (see configuration).
Configuration of the module is tricky as it depends on the order in which the modules are loaded.
Extract of httpd.conf:
LoadModule authopenid_module /usr/lib/apache2/modules/mod_auth_openid.so
LoadModule proxy_add_user_module /usr/lib/apache2/modules/mod_proxy_add_user.so
LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
The module has two settings working on a per-directory basis (they can be added to Proxy) :
Here is an example configuration:
Order deny,allow
Allow from all
# Enable the module
ProxyAddUser On
# Set header field to OpenID-IDENTITY
ProxyAddUserKey "OpenID-IDENTITY"
AuthOpenIDEnabled On
You can't trust the X-REMOTE_USER header field unless you are sure your web application is only reachable through the proxy. Every HTTP request must pass through the proxy.
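One way to enforce that rule on the application side, as an added example that is not part of this module or its documentation: a WSGI middleware that accepts the identity header only when the TCP peer is the proxy. The trusted proxy addresses, the class and function names, and the sample requests are assumptions made for illustration; the header name follows the ProxyAddUserKey value in the configuration above.

```python
import ipaddress

# Assumptions (not from the original page): the proxy reaches the backend over
# loopback, and the header name matches the ProxyAddUserKey value shown above.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.0/8"),
                   ipaddress.ip_network("::1/128")]
# WSGI form of "OpenID-IDENTITY"; "X-REMOTE_USER" would be HTTP_X_REMOTE_USER.
IDENTITY_KEY = "HTTP_OPENID_IDENTITY"


def peer_is_proxy(environ):
    """True only when the TCP peer (REMOTE_ADDR) is one of the trusted proxies."""
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return False
    return any(peer in net for net in TRUSTED_PROXIES)


class ProxyIdentityMiddleware:
    """Expose the proxy-supplied identity as REMOTE_USER, or reject the request."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        # Always remove the raw header so the wrapped app never reads it directly.
        identity = environ.pop(IDENTITY_KEY, "").strip()
        environ.pop("REMOTE_USER", None)
        if not peer_is_proxy(environ) or not identity:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"identity header not accepted\n"]
        environ["REMOTE_USER"] = identity
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Constructed sample application: echoes the identity it was given."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ["REMOTE_USER"].encode()]
```

This check complements, and does not replace, binding the backend to an address that only the proxy can reach.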
This module was written thanks to the following article .