httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Montague <>
Subject Re: [users@httpd] Setting REMOTE_USER to %{SSL:HTTP_SSL_CLIENT_S_DN_CN}
Date Mon, 05 Nov 2012 15:42:35 GMT
On November 5, 2012 10:24 , Martin Drescher <> wrote:
> On 05/11/12 14:35, Mark Montague wrote:
>> On November 5, 2012 6:32 , Martin Drescher <>
>> wrote:
>>> > I would like to set the REMOTE_USER environment to the value of
> Close, but no cigar:
> In fact, I do not use SSL at this distinct host

Then you might want to include that in your original question in order 
to get a better answer.  Your original RewriteCond statement was 
checking the value of an SSL environment variable.  But if you are not 
using SSL on the virtual host in question, then this environment 
variable will not be set and the RewriteCond will always evaluate to 

> But I run a reverse
> proxy using ProxyPass which terminates the SSL at it's world device
> and then forwards a Nagios host in that case. Nagios is happy with the
> REMOTE_USER environment set for access control. I checked this setting
> REMOTE_USER using the SetEnv syntax. Unfortunately this does not take
> a variable as argument.
> So I set a HTTP request header (SSL_CLIENT_S_DN_CN) in the reverse
> proxy and try to copy that to REMOTE_USER. To avoid any conflicts with
> the mod_ssl I also tried to set a X-Forwarded-SSL_CLIENT_S_DN_CN and
> used that with SSLUserName: REMOTE_USER is not set.

Having the front-end server set an HTTP request header for the back-end 
server is the correct solution.  You would then normally configure your 
web application to retrieve the user's identity from this new header 
rather than from the REMOTE_USER environment variable.  I don't know, 
but I suspect that you may run into difficulties trying to set 
REMOTE_USER yourself via Apache HTTP Server directives since the 
REMOTE_USER environment variable gets set automatically based on the 
r->user field of the request structure (maybe someone else who knows 
more can confirm or refute whether this overwriting happens).

If you cannot configure your web application to retrieve the user's 
identity from the value of the header you set, and if this is important 
enough to deal with a third party module and you're willing to do 
special work to get this operating right and support it in the long term 
on your servers (troubleshoot issues, port the module code to Apache 
HTTP Server 2.4 when needed, and so on), then take a look at

   Mark Montague

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message