开发者

HTTP server behind IIS: pass authentication headers

问答 作者:

I have an IIS instance configured w开发者_如何学运维ith Windows Authentication and URL Rewrite, so it basically works as a reverse proxy. My backend server (run on Linux) expects a REMOTE_USER header. Is it possible to configure IIS to pass information about the authenticated user to the backend server?

If IIS is configured for Windows Auth, then ARR will challenge and only forward requests once the user is authenticated.

It is possible to forward custom headers with the request using a HTTP naming convention and serverVariables element in the rewrite rules. For instance, in the following example the server variable LOCAL_ADDR is forwarded as a header named X-MY-HEADER.

<rule name="Reverse Proxy to MySite" stopProcessing="true">
   <match url="^MySite/(.*)" />
   <serverVariables>
      <set name="HTTP_X_MY_HEADER" value="{LOCAL_ADDR}" />
    </serverVariables>
    <action type="Rewrite" url="http://www.myothersite.com/{R:1}" />
</rule>

Unfortunately it's not possible to use this technique to forward a REMOTE_USER header. This is because when the Authorization header is present, the request is forwarded before the authentication module runs, and therefore auth server variables are not set (when mapped to headers they simply come through blank).

You can however set IIS to use Basic Windows Auth, and then extract the username from the Base64 encoded Authorization header on your Linux server.

I've had a similar problem and I thought I would mention how I managed to work around it. I have installed Helicon ISAPI-Rewrite 3 Lite, which is an ISAPI request filter. Since it runs after the authentication stage in the pipeline, it has access to the REMOTE_USER variable and can rewrite the request such that a new HTTP header is added to it with REMOTE_USER as its value. Of course this helps only if you have some control over the backend server so you can make use of the value of this custom header instead of the original REMOTE_USER variable.

The required snippet in ISAPI-Rewrite's global configuration file (httpd.conf) is as follows:

RewriteBase /
RewriteCond %{REQUEST_URI} ^/MySite.*
RewriteHeader X-Remote-User: .* %{REMOTE_USER}

The RewriteCond part limits this rule to URIs starting with /MySite; feel free to adjust it as needed.

继续阅读:authenticationbasic-authenticationhttp-headersreverse-proxy

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9