
Yet another Apache Reverse Proxy and mod_rewrite challenge

I have a web UI behind a firewall that employs "simple" authentication (Hadoop JobTracker UI). This means the URL includes the name of the user as a parameter, and the web server trusts the browser is who it says it is. It listens on a non-standard port (50030) and doesn't have any "application" identifier (so the URI portion is effectively random). Hence, my target URL might be something like: https://actual_web_server:50030/jobqueue_details.jsp?queueName=default&User.Name=foo

To complicate things:

  • I want to employ Apache as a reverse proxy, to reduce the number of holes in my firewall.
  • I want Apache to authenticate the user (i.e. against LDAP).
  • I want to provide a nice URL to our end users to differentiate between the several different Hadoop clusters I have.
  • I have to employ encryption.

Hence, I am hoping to have the above URL presented on the browser as: https://JobTracker.Cluster1.MySite.com/jobqueue_details.jsp?queueName=default

I am hoping that I can configure Apache to:

1) Authenticate incoming connections against LDAP using mod_authnz_ldap (as per here). This looks relatively straightforward with lots of examples; I think I can handle this bit!

2) Use a DNS entry (JobTracker.Cluster1.MySite.com) and a virtual host entry on Apache to enable the prettier URL. Again, not the real challenge, but complicates the configuration.

3) Employ mod_rewrite to:

3a) Remove the "User.Name=foo" parameter if the user has supplied it, as we can't trust the value they supply.

3b) Add in the Parameter "User.Name={Authenticated LDAP Username}" to the URL.

3c) Replace the pretty hostname and port (JobTracker.Cluster1.MySite.com) with the target hostname and port (actual_web_server:50030)

3d) Proxy the request to the target web server using this new URL

3e) The URL shown in the browser (and for any links on the page) are also modified to use the correct "pretty" hostname.

3f) Ideally, the URL shown in the browser has the "User.Name=foo" parameter NOT shown. It's not a big drama if it is shown, but I'd rather not.

Note I cannot simply redirect as I can't have direct connectivity from the browser to "actual_web_server". Also, this one Apache installation will serve multiple web UIs configured identically to this one (custom DNS entry for each).

Hoping someone has "been there, done that" enough to know how, or even if, this is possible.....

In my httpd.conf I have a Location block with the following. Note that I am using a mate's Apache server, hence I have a Location and not a virtual server. I've gone for two distinct blocks rather than one very complicated one, simply because clarity and working and elegant beats fewer overly complex unreadable lines of code (IMHO).

<Location /ldap>
    Order Allow,Deny
    Allow from all
    Options FollowSymLinks

    #
    #       Authenticate the user
    #

    AuthName "LDAP"
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://my_active_directory_box:389/ou=Human,ou=Users,dc=my_company?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN cn=my_service_account,ou=Non-Human,ou=Admin,dc=my_company
    AuthLDAPBindPassword very_secure_password
    AuthUserFile /dev/null
    Require valid-user

    #
    #       ENSURE user.name is set by us, using mod_rewrite
    #
    RewriteEngine on
    RewriteBase /ldap

    # PREVENT USER SUPPLYING THE USER NAME PARAMETER
    # (anchored to the start of the query string or to "&", dot escaped so
    # the pattern matches the literal parameter name, case-insensitive)
    RewriteCond %{QUERY_STRING} (^|&)user\.name= [NC]
    RewriteRule ^(.*)$ - [F]

    # If the URL has a Query String, append our login to it. QSA keeps the
    # client's query string; writing "$1&user.name=..." with no "?" would
    # put "&user.name=..." into the path, not the query string.
    RewriteCond %{QUERY_STRING} ^.+$
    RewriteRule ^(.*)$ $1?user.name=%{REMOTE_USER} [QSA]

    # If the URL does NOT have a Query String, then append our login with a ?
    RewriteCond %{QUERY_STRING} ^$
    RewriteRule ^(.*)$ $1?user.name=%{REMOTE_USER}

    #
    #       Now Proxy the request through
    #

    ProxyPass http://s011qpol2342.s2.chp.cba:8080/docs
    ProxyPassReverse http://s011qpol2342.s2.chp.cba:8080/docs
</Location>

Do I get a prize for answering my own question?
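The virtual-host form of the setup the question asks for (pretty hostname, TLS on the browser side, LDAP authentication, user.name supplied by Apache), as an added example that is not part of the original question or answer. The hostnames, port and LDAP values are the placeholders from the question; the certificate paths and the AuthName string are assumed. Two points differ from the Location-based answer above and matter for security: the forbid rule also catches percent-encoded spellings of the parameter name, because the servlet container behind the UI decodes parameter names before reading them, so a client sending user%2Ename=admin would slip past a pattern that only matches a literal dot; and because a RewriteRule in VirtualHost context runs in the URL-translation phase, before authentication, the username is read with %{LA-U:REMOTE_USER}, which forces the authentication look-ahead, whereas a plain %{REMOTE_USER} would be empty at that point.

```apache
# Added example (not from the original post). Assumed: certificate paths,
# AuthName text; JobTracker.Cluster1.MySite.com, actual_web_server:50030 and
# the LDAP settings are the placeholders used in the question.
<VirtualHost *:443>
    ServerName JobTracker.Cluster1.MySite.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/jobtracker.cluster1.crt
    SSLCertificateKeyFile /etc/ssl/private/jobtracker.cluster1.key

    # Authenticate every request on this host against LDAP.
    <Location />
        AuthType Basic
        AuthName "Hadoop JobTracker (Cluster1)"
        AuthBasicProvider ldap
        AuthLDAPURL "ldap://my_active_directory_box:389/ou=Human,ou=Users,dc=my_company?sAMAccountName?sub?(objectClass=*)"
        AuthLDAPBindDN cn=my_service_account,ou=Non-Human,ou=Admin,dc=my_company
        AuthLDAPBindPassword very_secure_password
        Require valid-user
    </Location>

    RewriteEngine on

    # 3a: refuse any client-supplied user.name. %{QUERY_STRING} is the raw,
    # undecoded query string, so the pattern accepts the dot either literally
    # or as %2E/%2e; it is anchored at the start or at "&" and is
    # case-insensitive (the question spells the parameter "User.Name").
    # Weak version (matches only a literal dot, and "." also matches any char):
    #     RewriteCond %{QUERY_STRING} ^(.*)user.name=.*$ [NC]
    RewriteCond %{QUERY_STRING} (^|&)user(\.|%2e)name= [NC]
    RewriteRule ^ - [F]

    # 3b-3d: swap the pretty host:port for the real one, append the
    # authenticated user and proxy in one step. LA-U performs the
    # authentication look-ahead, since server-context rewrites run before
    # auth; QSA keeps whatever query string the client sent.
    RewriteRule ^/(.*)$ http://actual_web_server:50030/$1?user.name=%{LA-U:REMOTE_USER} [P,QSA,L]

    # 3e: rewrite Location / Content-Location headers on backend redirects so
    # the browser stays on the pretty hostname. This does not touch links
    # inside HTML bodies; relative links keep working, absolute ones would
    # need mod_proxy_html.
    ProxyPassReverse / http://actual_web_server:50030/
</VirtualHost>
```

If the backend leg must also be encrypted, change both backend URLs to https://actual_web_server:50030/ and add SSLProxyEngine on inside the VirtualHost. With this layout the browser never sees user.name at all (3f): it only exists on the Apache-to-backend hop, and the 403 from the forbid rule tells you immediately if a client tries to supply one.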
