I'm using Apache as a reverse proxy for things like authentication in front of the Go HTTP server.
The following Apache Kerberos setup works, with one problem: I don't know how to get the authenticated username in my Go application.
httpd.conf:

    <VirtualHost host.domain.com:80>
        ProxyPreserveHost On
        ProxyPass / http://127.0.0.1:9000/
        ProxyPassReverse / http://127.0.0.1:9000/
        <Location />
            ## gzip
            ##
            AddOutputFilterByType DEFLATE text/html
            Order deny,allow
            Allow from all
            AuthType Kerberos
            AuthName "User Admin"
            KrbAuthRealms DOMAIN.COM
            Krb5Keytab /etc/host.krb5keytab
            KrbMethodNegotiate on
            KrbAuthoritative on
            KrbMethodK5Passwd off
            KrbLocalUserMapping on
            KrbSaveCredentials on
            require valid-user
        </Location>
    </VirtualHost>

With

    AuthType basic

I get the username from the request's Authorization header with the Go function

    func (*Request) BasicAuth

but with Authorization header negotiate this is not possible. Furthermore, I'm not able to use the REMOTE_USER environment variable because there is no CGI environment. I also tried to set the RequestHeader, but without any success.
Is there any possibility to get the authorized username from the Go application?
Sorry for the delay - I was involved in other projects. Many thanks for the suggestions. The following solution now works for me after switching to the environment CentOS 7/httpd 2.4:

    <VirtualHost host.domain.com:80>
        <Location />
            ## gzip
            ##
            AddOutputFilterByType DEFLATE text/html
            AuthType Kerberos
            AuthName "Web Application"
            KrbAuthRealms DOMAIN.COM
            Krb5Keytab /etc/host.krb5keytab
            KrbMethodNegotiate on
            KrbAuthoritative on
            KrbMethodK5Passwd off
            KrbLocalUserMapping on
            KrbSaveCredentials on
            require valid-user
            # Drop any X-Forwarded-User sent by the client so it cannot be spoofed
            RequestHeader unset X-Forwarded-User
            # Copy the authenticated user (look-ahead REMOTE_USER) into the env variable RU
            RewriteEngine On
            RewriteCond %{LA-U:REMOTE_USER} (.+)
            RewriteRule .* - [E=RU:%1]
            # Pass the authenticated user to the backend
            RequestHeader add X-Forwarded-User %{RU}e
        </Location>
        ProxyPreserveHost On
        ProxyPass / http://127.0.0.1:8000/
        ProxyPassReverse / http://127.0.0.1:8000/
        ServerName host.domain.com
    </VirtualHost>

The user can be accessed in Go with:

    user := req.Header.Get("X-Forwarded-User")
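
The header is only as trustworthy as the path it arrived on, so the Go side should check that before using it. The following is an added example, not part of the original post: it accepts X-Forwarded-User only from a loopback peer and only as a single value. The names ProxyUser, RequireProxyUser and ErrUntrusted are hypothetical, and it assumes Apache and the Go server run on the same host, as the ProxyPass line above implies.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
)

// ErrUntrusted is returned when the identity header cannot be trusted.
var ErrUntrusted = errors.New("untrusted X-Forwarded-User")

// ProxyUser returns the user asserted by the Apache front end. It accepts the
// header only from a loopback peer (assumption: Apache and the Go server share
// a host, as in ProxyPass http://127.0.0.1:8000/) and only as a single value.
func ProxyUser(r *http.Request) (string, error) {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return "", ErrUntrusted
	}
	if ip := net.ParseIP(host); ip == nil || !ip.IsLoopback() {
		return "", ErrUntrusted // direct client: it could set the header itself
	}
	vals := r.Header.Values("X-Forwarded-User")
	// "RequestHeader add" appends, so more than one value means the unset
	// directive is missing; "(null)" is what %{RU}e expands to when RU is unset.
	if len(vals) != 1 || vals[0] == "" || vals[0] == "(null)" {
		return "", ErrUntrusted
	}
	return vals[0], nil
}

// RequireProxyUser rejects requests without a trustworthy proxy identity.
func RequireProxyUser(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, err := ProxyUser(r); err != nil {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed request, shaped as the proxy would deliver it.
	r := &http.Request{RemoteAddr: "127.0.0.1:40000", Header: http.Header{"X-Forwarded-User": {"alice"}}}
	fmt.Println(ProxyUser(r))
}
```

Binding the Go listener to 127.0.0.1:8000 rather than all interfaces keeps clients from reaching the backend without passing through Apache at all.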