Bug #2902

mod_proxy's “proxy.forwarded” option seems ignored when used with mod_auth.

Added by spydemon 3 months ago. Updated about 2 months ago.

Status: Fixed
Priority: Normal
Assignee: -
Category: mod_proxy
Target version:
Start date: 2018-08-18
Due date:
% Done: 100%
Estimated time:
Missing in 1.5.x:

Description

I'm trying to use mod_auth to manage authentication on a Lighttpd server (version 1.4.48) before sending the HTTP request to an underlying application, and I need Lighty to send it the username of the authenticated user. I thus put the following data in my Lighty configuration:

proxy.forwarded = ( "remote_user" => 1 )

Unfortunately, it seems that the option is ignored. Here is a netcat output that dumps my HTTP request on the underlying application:

GET / HTTP/1.0
Host: cal.example.fr
Cache-Control: max-age=0
Authorization: Basic c3B5ZGVtb246dGVzdA==
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
X-Forwarded-For: 192.168.1.11
X-Host: cal.example.fr
X-Forwarded-Host: cal.example.fr
X-Forwarded-Proto: http
Connection: close

For testing purposes, here is a minimalist Lighttpd configuration file that you could use to reproduce the issue:

server.modules = (
    "mod_auth",
    "mod_authn_file",
    "mod_proxy",
)

server.pid-file = "/run/lighttpd.pid" 

server.bind = "0.0.0.0" 
$SERVER["socket"] == "[::]:80" {  }
server.port = 80
server.document-root = "/var/www" 

auth.backend = "htdigest" 
auth.backend.htdigest.userfile = "/data/htdigest" 

auth.require = (
    "/" => (
        "method" => "basic",
        "realm" => "example-web-radicale",
        "require" => "valid-user" 
    )
)
proxy.forwarded = ( "remote_user" => 1)
proxy.server = (
    "/" => (
        "application" => ("host" => "10.0.3.11", "port" => 5253)
    )
)

Thanks for your investigation.
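
A check for the symptom reported above, as an added example that is not part of the original report or of lighttpd: it parses a raw request captured at the backend and returns the user name carried in the Forwarded header, or None when it is absent. It assumes the user name arrives as a remote_user parameter of Forwarded (RFC 7239 syntax); the sample requests and the user name alice are constructed.

```python
import re

# Constructed sample modelled on the dump in the report: no Forwarded header.
BEFORE = (
    "GET / HTTP/1.0\r\n"
    "Host: cal.example.fr\r\n"
    "X-Forwarded-For: 192.168.1.11\r\n"
    "X-Forwarded-Proto: http\r\n"
    "Connection: close\r\n\r\n"
)
# Constructed sample with the option applied (assumed header layout, see lead-in).
AFTER = BEFORE.replace(
    "Connection:",
    'Forwarded: for=192.168.1.11;proto=http;remote_user="alice"\r\nConnection:',
)

# One forwarded-pair: token "=" ( token / quoted-string ), per RFC 7239.
_PAIR = re.compile(r'\s*([A-Za-z0-9_-]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^;,\s]*)')

def headers(raw):
    """Return [(lowercased name, value)] for the header block of a raw request."""
    head = raw.split("\r\n\r\n", 1)[0].replace("\r\n", "\n")
    out = []
    for line in head.split("\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            out.append((name.strip().lower(), value.strip()))
    return out

def forwarded_elements(raw):
    """Parse all Forwarded headers into {param: value} dicts, one per proxy hop."""
    elements = []
    for name, value in headers(raw):
        if name != "forwarded":
            continue
        for element in re.split(r',(?=(?:[^"]*"[^"]*")*[^"]*$)', value):
            params = {}
            for key, val in _PAIR.findall(element):
                if val.startswith('"'):        # unquote and unescape
                    val = re.sub(r"\\(.)", r"\1", val[1:-1])
                params[key.lower()] = val
            if params:
                elements.append(params)
    return elements

def forwarded_remote_user(raw):
    """User name from the last (nearest-proxy) Forwarded element, or None."""
    elements = forwarded_elements(raw)
    return elements[-1].get("remote_user") if elements else None
```

Only the last element is read because earlier elements of a Forwarded header can originate further upstream than the proxy that performed the authentication.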


Related issues

Related to Feature #2903: gw backend redesign (Fixed, 2018-08-18)

Associated revisions

Revision eebc1b0e (diff)
Added by gstrauss about 2 months ago

[mod_proxy] fix proxy.forwarded and proxy.replace-http-host (fixes #2902)

config settings were not being copied into proxy request context

x-ref:
"mod_proxy's “proxy.forwarded” option seems ignored when used with mod_auth."
https://redmine.lighttpd.net/issues/2902

History

#2

Updated by stbuehler 3 months ago

#3

Updated by gstrauss 3 months ago

  • Status changed from New to Patch Pending
  • Target version changed from 1.4.x to 1.4.51

Patch for 1.4.50. I overlooked copying the settings for these two features into the per-request structure.

diff --git a/src/mod_proxy.c b/src/mod_proxy.c
index 5db48808..878f9e37 100644
--- a/src/mod_proxy.c
+++ b/src/mod_proxy.c
@@ -998,6 +998,8 @@ static handler_t mod_proxy_check_extension(server *srv, connection *con, void *p
                hctx->gw.opts.pdata = hctx;
                hctx->gw.opts.headers = proxy_response_headers;

+               hctx->conf.replace_http_host = p->conf.replace_http_host;
+               hctx->conf.forwarded       = p->conf.forwarded;
                hctx->remap_hdrs           = p->conf.header; /*(copies struct)*/
                hctx->remap_hdrs.http_host = con->request.http_host;
                hctx->remap_hdrs.upgrade  &= (con->request.http_version == HTTP_VERSION_1_1);
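
Review bot: nothing in this hunk keeps the next hctx->conf member from being missed the same way. The two added assignments in mod_proxy_check_extension copy p->conf fields one at a time, while the line below copies p->conf.header as a whole struct. A short comment above them stating that every per-request option must be copied here would help, as would a test that sets proxy.forwarded = ( "remote_user" => 1 ) behind auth.require and inspects the request the backend receives. Minor style point: the `=` on the replace_http_host line does not line up with the aligned assignments that follow it.
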
#4

Updated by gstrauss about 2 months ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100
