Category Archives: proxy

Building mod_proxy_wstunnel for CentOS 6

I had a need to be able to put an Apache-based reverse proxy in front of an install of Uchiwa, which is a Node.js-based dashboard for Sensu. The only problem is that it uses WebSockets, which means it doesn’t work with the regular mod_proxy_http module. In version 2.4.5 onwards there is mod_proxy_wstunnel, which fills in the gap; however, CentOS 6 only has a 2.2.15 (albeit heavily patched) package.

There are various instructions on how to backport the module for 2.2.x (mostly for Ubuntu), but these involve compiling the whole of Apache from source again with the module added via an additional patch. I don’t want to maintain my own Apache packages, but more importantly Apache has provided apxs, a.k.a. the APache eXtenSion tool, to compile external modules without requiring the whole source tree to be available.

So, I have created a standalone RPM package for CentOS 6 that just installs the mod_proxy_wstunnel module alongside the standard httpd RPM package. In order to do this I took the original patch, removed the alterations to the various build files and flattened the source into a single file (the code changes were basically adding whole new functions, so they were fine to just inline together). The revised source file and accompanying RPM spec file are available in this GitHub gist.

Apache reverse-proxying and the REMOTE_USER variable

I spent an alarming amount of time yesterday attempting to make the most of Apache's ridiculously easy mod_auth_kerb module for SSO Kerberos authentication with a little in-house Sinatra app I've been working on. Apparently Kerberos within nginx or Ruby is a bit of an unofficial ballache, so I decided to take the easy route out. However, it transpires that only one person on the whole internet knew of the existence of the ProxyPassInterpolateEnv boolean.

To put this in context, for my app I only want Kerberos to validate the user and then pass on the username to the app. It's a git deploy frontend, and I like blaming people.

You'll find a lot of stuff about doing a complicated rewrite so that REMOTE_USER actually evaluates before a reverse proxy. I couldn't get any of this stuff to work - not only that but it's a horrible solution anyway requiring about three lines of rewrite - and I'll be honest, I'm not up together on my Apache rewrites anyway.

So the following is the solution I ended up with. It simply makes Apache forward on the REMOTE_USER variable, created by your auth module, to whatever you're reverse proxying - in my case a Sinatra app. It actually appears as REMOTE_USER as opposed to the specified REMOTE-USER as well. I neither know why nor care.

Excuse the formatting.

<VirtualHost *:443>
    SSLEngine on
    SSLCipherSuite ...
              HA HA SSL BUSINESS
        ...
    ServerName yer-mum.com
    ProxyPassInterpolateEnv On
    ProxyPass / http://localhost:4567/
    # "set" replaces any REMOTE-USER header the client sent with the authenticated value
    RequestHeader set REMOTE-USER %{REMOTE_USER}s
    <Location />
        AuthType Kerberos
        AuthName "AD Login"
        KrbMethodNegotiate On
        KrbMethodK5Passwd On
        KrbAuthRealms MUMS.COM
        Krb5KeyTab /etc/krb5.keytab
        Require valid-user
    </Location>
</VirtualHost>
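
The receiving side of the setup above, as an added example that is not part of the original post: a Rack middleware the Sinatra app could mount so that it accepts the forwarded identity only from the local Apache and only in the expected realm. The class name, the `app.user` key and the principal pattern are hypothetical. It assumes Rack's standard mapping of the `REMOTE-USER` request header to `HTTP_REMOTE_USER`, and that mod_auth_kerb passes the principal as `user@REALM`.

```ruby
require 'ipaddr'

# Added example: trust the proxy-supplied identity header only under strict conditions.
class ProxyIdentity
  # ProxyPass targets localhost:4567, so only loopback peers may assert a user.
  TRUSTED_PROXIES = [IPAddr.new('127.0.0.1'), IPAddr.new('::1')].freeze
  # Rack exposes the request header REMOTE-USER under this env key.
  HEADER_KEY = 'HTTP_REMOTE_USER'
  # Strict user@REALM shape. This also rejects the literal "(null)" that
  # mod_headers substitutes when the variable is empty.
  PRINCIPAL = /\A([A-Za-z0-9._-]+)@([A-Z0-9.-]+)\z/

  def initialize(app, realm:)
    @app = app
    @realm = realm
  end

  def call(env)
    user = identity(env)
    return [403, { 'content-type' => 'text/plain' }, ["forbidden\n"]] unless user

    env['app.user'] = user # hypothetical key the app reads the username from
    @app.call(env)
  end

  # Returns the bare username, or nil when the header must not be trusted.
  def identity(env)
    peer = parse_ip(env['REMOTE_ADDR'])
    return nil unless peer && TRUSTED_PROXIES.any? { |proxy| proxy == peer }

    match = PRINCIPAL.match(env[HEADER_KEY].to_s)
    return nil unless match && match[2] == @realm

    match[1]
  end

  private

  def parse_ip(text)
    IPAddr.new(text.to_s)
  rescue ArgumentError # IPAddr's parse errors are ArgumentError subclasses
    nil
  end
end
```

The peer check is only meaningful if the backend listens on the loopback interface alone; any process on the same host can still connect to port 4567 and set the header itself.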
