Apache, mod_auth_kerb, mod_proxy: Get authenticated user in Go Web Application


I'm using Apache as a reverse proxy for things like authentication in front of the Go HTTP server.

The following Apache Kerberos setup works with one problem. I don't know how to get the authenticated username in my Go application.

httpd.conf:

<VirtualHost host.domain.com:80>
  ProxyPreserveHost On
  ProxyPass / http://127.0.0.1:9000/
  ProxyPassReverse / http://127.0.0.1:9000/

  <Location />
    ## gzip
    ##
    AddOutputFilterByType DEFLATE text/html

    Order                      deny,allow
    Allow                      from all

    AuthType                   Kerberos
    AuthName                   "User Admin"
    KrbAuthRealms              DOMAIN.COM
    Krb5Keytab                 /etc/host.krb5keytab
    KrbMethodNegotiate         on
    KrbAuthoritative           on
    KrbMethodK5Passwd          off
    KrbLocalUserMapping        on
    KrbSaveCredentials         on
    require valid-user
  </Location>
</VirtualHost>

With

 AuthType                    basic

I get the username from the request's Authorization header with the Go function

func (*Request) BasicAuth

but with the Authorization header Negotiate this is not possible. Furthermore, I'm not able to use the REMOTE_USER environment variable because there is no CGI environment. I also tried to set the RequestHeader but without any success.

Is there any possibility to get the authorized username from the Go application?


Solution

  • Sorry for the delay - I was involved in other projects. Many thanks for the suggestions. The following solution now works for me after switching to the environment CentOS 7/httpd 2.4:

    <VirtualHost host.domain.com:80>
    
      <Location />
        ## gzip
        ##
        AddOutputFilterByType DEFLATE text/html
    
        AuthType                   Kerberos
        AuthName                   "Web Application"
        KrbAuthRealms              DOMAIN.COM
        Krb5Keytab                 /etc/host.krb5keytab
        KrbMethodNegotiate         on
        KrbAuthoritative           on
        KrbMethodK5Passwd          off
        KrbLocalUserMapping        on
        KrbSaveCredentials         on
        require valid-user
    
        RequestHeader unset X-Forwarded-User
        RewriteEngine On
        RewriteCond %{LA-U:REMOTE_USER} (.+)
        RewriteRule .* - [E=RU:%1]
        RequestHeader add X-Forwarded-User %{RU}e
      </Location>
    
      ProxyPreserveHost On
      ProxyPass / http://127.0.0.1:8000/
      ProxyPassReverse / http://127.0.0.1:8000/
    
      ServerName host.domain.com
    </VirtualHost>
    

    The user can be accessed in Go with:

    user := req.Header.Get("X-Forwarded-User")
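
An added example, not part of the original answer: a Go middleware for the backend behind this proxy that accepts `X-Forwarded-User` only when the connection comes from the loopback proxy and the header carries exactly one usable value. The names `proxyUser`, `requireProxyUser` and `ctxKey` are hypothetical; the `(null)` check covers the literal string mod_headers emits when the variable in `%{RU}e` is unset.

```go
package main

import (
	"context"
	"log"
	"net"
	"net/http"
)

type ctxKey struct{} // hypothetical context key for the authenticated user

// proxyUser returns the user asserted by the Apache front end, or "" if untrusted.
func proxyUser(r *http.Request) string {
	// Only the local reverse proxy (ProxyPass to 127.0.0.1) may assert an identity.
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return ""
	}
	if ip := net.ParseIP(host); ip == nil || !ip.IsLoopback() {
		return ""
	}
	// "RequestHeader add" appends, so a second value means a client header survived.
	vals := r.Header.Values("X-Forwarded-User")
	if len(vals) != 1 || vals[0] == "" || vals[0] == "(null)" {
		return ""
	}
	return vals[0]
}

func requireProxyUser(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user := proxyUser(r)
		if user == "" {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		ctx := context.WithValue(r.Context(), ctxKey{}, user)
		next.ServeHTTP(w, r.WithContext(ctx))
	})
}

func main() {
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("hello " + r.Context().Value(ctxKey{}).(string) + "\n"))
	})
	// Listen on loopback only, so the header cannot be sent to the app directly.
	log.Fatal(http.ListenAndServe("127.0.0.1:8000", requireProxyUser(app)))
}
```

The listener address matches the `ProxyPass` target in the configuration above; a backend bound to all interfaces would accept the header from any client that can reach the port.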