Apache reverse-proxying and the REMOTE_USER variable

I spent an alarming amount of time yesterday attempting to make the most of Apache's ridiculously easy mod_auth_kerb module for SSO Kerberos authentication with a little in-house Sinatra app I've been working on. Apparently Kerberos within nginx or Ruby is a bit of an unofficial ballache, so I decided to take the easy route out. However, it transpires that only one person on the whole internet knew of the existence of the ProxyPassInterpolateEnv boolean.

To put this in context, for my app I only want Kerberos to validate the user and then pass on the username to the app. It's a git deploy frontend, and I like blaming people.

You'll find a lot of stuff about doing a complicated rewrite so that REMOTE_USER actually evaluates before a reverse proxy. I couldn't get any of this stuff to work - not only that but it's a horrible solution anyway requiring about three lines of rewrite - and I'll be honest, I'm not up together on my Apache rewrites anyway.

So the following is the solution I ended up with. It simply makes Apache forward on the REMOTE_USER variable, created by your auth module, to whatever you're reverse proxying - in my case a Sinatra app. It actually appears as REMOTE_USER as opposed to the specified REMOTE-USER as well. I neither know why nor care.

Excuse the formatting.

<VirtualHost *:443>
    SSLEngine on
    SSLCipherSuite ...
    # HA HA SSL BUSINESS
    # ...
    ServerName yer-mum.com
    ProxyPassInterpolateEnv On
    ProxyPass / http://localhost:4567/
    # "set" replaces any REMOTE-USER header sent by the client.
    # The trailing "s" makes mod_headers look the variable up through mod_ssl.
    RequestHeader set REMOTE-USER %{REMOTE_USER}s
    <Location />
        # Every request must pass Kerberos auth before it is proxied.
        AuthType Kerberos
        AuthName "AD Login"
        KrbMethodNegotiate On
        KrbMethodK5Passwd On
        KrbAuthRealms MUMS.COM
        Krb5KeyTab /etc/krb5.keytab
        Require valid-user
    </Location>
</VirtualHost>
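
On the receiving side, Rack exposes the REMOTE-USER request header as env['HTTP_REMOTE_USER'], and the app is only as trustworthy as its check that the header really came from Apache. The middleware below is an added example, not code from the original post: the class name, TRUSTED_PEERS, EXPECTED_REALM and the 'deploy.user' key are assumptions, and it assumes mod_auth_kerb passes the full user@REALM principal (no KrbLocalUserMapping).

```ruby
# Added example, not from the original post. Assumed names: TrustedRemoteUser,
# TRUSTED_PEERS, EXPECTED_REALM and the 'deploy.user' env key.
class TrustedRemoteUser
  TRUSTED_PEERS  = %w[127.0.0.1 ::1].freeze  # Apache proxies from localhost
  EXPECTED_REALM = 'MUMS.COM'                # KrbAuthRealms in the vhost
  HEADER         = 'HTTP_REMOTE_USER'        # Rack's key for REMOTE-USER
  PRINCIPAL      = /\A([A-Za-z0-9._-]+)@([A-Za-z0-9.-]+)\z/

  def initialize(app)
    @app = app
  end

  # Returns the bare username, or nil when the header cannot be trusted.
  def self.identify(env)
    # Only the proxy may assert an identity: a request that reaches
    # port 4567 without passing through Apache can carry any header.
    return nil unless TRUSTED_PEERS.include?(env['REMOTE_ADDR'])

    value = env[HEADER].to_s
    # mod_headers writes the literal "(null)" when the variable is unset.
    return nil if value.empty? || value == '(null)'

    # Rejects joined duplicates ("a@X, b@X"), whitespace and odd characters.
    m = PRINCIPAL.match(value)
    return nil unless m && m[2] == EXPECTED_REALM

    m[1]
  end

  def call(env)
    user = self.class.identify(env)
    return [403, { 'content-type' => 'text/plain' }, ["forbidden\n"]] unless user

    env['deploy.user'] = user
    @app.call(env)
  end
end

# Constructed sample requests (Rack env hashes), for illustration only.
SAMPLE_APP = TrustedRemoteUser.new(
  ->(env) { [200, { 'content-type' => 'text/plain' }, [env['deploy.user']]] }
)
VIA_PROXY = { 'REMOTE_ADDR' => '127.0.0.1', 'HTTP_REMOTE_USER' => 'alice@MUMS.COM' }.freeze
DIRECT    = { 'REMOTE_ADDR' => '10.0.0.5',  'HTTP_REMOTE_USER' => 'alice@MUMS.COM' }.freeze

if __FILE__ == $PROGRAM_NAME
  [VIA_PROXY, DIRECT].each { |e| p SAMPLE_APP.call(e.dup) }
end
```

In Sinatra this is enabled with `use TrustedRemoteUser`; binding the app to 127.0.0.1 (`set :bind, '127.0.0.1'`) keeps port 4567 off the network in the first place.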

My Oracle Support: Authenticate with CLI

I had been wondering for some time how I could authenticate to MOS from the CLI. Now I have my answer: by reversing the whole SSO auth process in a Python script that generates a cookies.txt file usable with wget.

I know that a simpler method exists using wget directly, but as it doesn't work with every MOS page, I prefer a more generic way of doing things.

Here is a quick how-to:

  1. Edit MOSLogin.py and set up the variables inside.
  2. Install the Python dependencies (Linux/Debian):

         apt-get install python-pip
         pip install BeautifulSoup
         pip install requests

  3. Run the script:

         $ ./login.py
         [-] Initialization...done
         [-] Gathering JSESSIONID..done
         [-] Trying loginSuccess.jsp...done
         [-] Signing in...done
         [-] Trying to submit credentials...done
         [-] Checking that credentials are valid...done
         [-] Logged-in.

  4. Use the cookies.txt with wget:

         wget --load-cookies=/tmp/cookies.txt --save-cookies=/tmp/cookies.txt --no-check-certificate http://MOSURL

With a little bit of time and fun, you can imagine all sorts of tools based on this to ease your sysadmin life. You can even fetch your SR summary/updates using this cookie...

Get the MOSLogin.py file...