[rt-users] RT 4.0.4 behind Apache Reverse Proxy with mod_auth_kerb

Ruslan Zakirov ruz at bestpractical.com
Tue Sep 3 15:46:39 EDT 2013


Hi,

Why do you expect remote server where you host RT to respect REMOTE_USER
and not to drop it? If a web server would pass remotely provided
REMOTE_USER further to an app without additional configuration then we
wouldn't use it for authentication.


On Mon, Sep 2, 2013 at 5:14 PM, Oliver Weinmann <
oliver.weinmann at telespazio-vega.de> wrote:

>  Hi all,****
>
> ** **
>
> we have successfully setup RT 4.0.4 with ldap_import and mod_auth_kerb.
> Now we need to get the setup running through our reverse proxy.****
>
> ** **
>
> What we have on our reverse proxy is this:****
>
> ** **
>
> ProxyPass        /rt/             http://hostname.local/rt/ max=100****
>
> ProxyPassReverse /rt/             http://hostname.local/rt/****
>
> ** **
>
>         RedirectMatch ^/$ /rt/****
>
> ** **
>
>         # Proxy all locations****
>
>         <Proxy *>****
>
>                 AddDefaultCharset off****
>
>                 Order deny,allow****
>
>                 Deny from none****
>
>         </Proxy>****
>
> ** **
>
> ** **
>
>         <Location /rt>****
>
>         AuthType Kerberos****
>
>         AuthName "Kerberos Login"****
>
>         KrbAuthRealms KRB5.LOCAL****
>
>         Krb5KeyTab /etc/apache2/host.keytab****
>
>         KrbMethodNegotiate on****
>
>         KrbAuthoritative on****
>
>         KrbMethodK5Passwd off****
>
>         KrbSaveCredentials on****
>
>         require valid-user****
>
> ** **
>
>         # SSO****
>
>         RewriteEngine On****
>
>         RewriteCond %{LA-U:REMOTE_USER} (.+)$****
>
>         RewriteRule . - [E=RU:%1]****
>
>         RequestHeader set REMOTE_USER %{RU}e****
>
> ** **
>
>         </Location>****
>
> ** **
>
> Running tcpdump we can see that REMOTE_USER is set and send to the host
> hosting RT. It looks like RT is not picking it up. As far as I understood
> is that my user gets authenticated at the proxy and RT should trust these
> credentials and log in the user.****
>



-- 
Best regards, Ruslan.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20130903/7f5d4ade/attachment.html>


More information about the rt-users mailing list