I'm having an issue with my Apache2 reverse proxy config.
I have an app running on HTTPS that can be accessed directly by https://my-application:443 and indirectly through the reverse proxy on https://proxy:443/custom-app.
I'm trying to only allow admin users access to the management parts of my system (e.g. https://my-application:443/management/settings).
However, when I try to set an env variable (USER_GROUP) that's initially set to 'users' but changes to 'admins' if it meets certain conditions, it doesn't re-set the var.
Can anyone please point out what I'm doing wrong?
<Location "/custom-app">
    SetEnv USER_GROUP users
    RewriteCond %{REQUEST_URI} ^/custom-app/management
    RewriteRule ^(.*) $1 [E=USER_GROUP:admins]
    <RequireAll>
        Require claim user.groups:/%{ENV:USER_GROUP}
        Require valid-user
    </RequireAll>
    ProxyPass https://my-application:443
    ProxyPassReverse https://my-application:443
</Location>
SetEnv USER_GROUP users
RewriteCond %{REQUEST_URI} ^/custom-app/management
RewriteRule ^(.*) $1 [E=USER_GROUP:admins]
mod_rewrite is processed before SetEnv (mod_setenv), despite the apparent order of directives in the config file. So this is effectively initialising the env var to admins, which is then being overwritten by SetEnv to users.
You would need to either use SetEnvIf (mod_setenvif - which is processed much earlier) or even mod_rewrite to initialise the env var. Although there is no need to use mod_rewrite here - this can all be achieved using SetEnvIf only - which would be preferable. (It is not recommended to use mod_rewrite inside <Location> blocks anyway.)
For example:
SetEnvIf ^ ^ USER_GROUP=users
SetEnvIf Request_URI "^/custom-app/management" USER_GROUP=admins
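
To confirm which value USER_GROUP holds for each request, the access log can record it. The block below is an added example, not part of the original question or answer: it places the answer's SetEnvIf lines into the question's <Location> block, leaving the other directives as posted, and the log file name and the format nickname groupcheck are assumptions.

```apache
# Added example (not from the original posts).
# Assumed names: logs/group_check.log and the nickname "groupcheck".

# Server or virtual-host context (CustomLog is not valid inside <Location>).
# %{USER_GROUP}e writes the value of the environment variable for the request.
LogFormat "%h \"%r\" %>s group=%{USER_GROUP}e" groupcheck
CustomLog "logs/group_check.log" groupcheck

<Location "/custom-app">
    # mod_setenvif: set the default first, then override it for management
    # paths. Later SetEnvIf lines win, so the order of these two matters.
    SetEnvIf ^ ^ USER_GROUP=users
    SetEnvIf Request_URI "^/custom-app/management" USER_GROUP=admins

    # Authorization block exactly as posted in the question.
    <RequireAll>
        Require claim user.groups:/%{ENV:USER_GROUP}
        Require valid-user
    </RequireAll>

    ProxyPass https://my-application:443
    ProxyPassReverse https://my-application:443
</Location>
```

A request under /custom-app/management should log group=admins and any other request under /custom-app should log group=users; a value of - means the variable was never set for that request.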