On Jun 30, 2011, at 6:34 AM, Leandro Hermida wrote:

> Hi Nate and Shantanu,
> Thanks so much for the clear guidance, this works and sorry I didn't
> read the Apache docs properly
> best,
> Leandro
> On Thu, Jun 30, 2011 at 6:14 AM, Shantanu Pavgi <pa...@uab.edu> wrote:
>> On Jun 29, 2011, at 12:21 PM, Nate Coraor wrote:
>> Leandro Hermida wrote:
>> Hi Shantanu,
>> In your Apache configuration exactly how did you set up an anonymous
>> REMOTE_USER just for specific locations like the /datasets/ path?  I'm just
>> looking at the Apache docs and the RequestHeader directive has a context of
>> the entire VirtualHost and cannot be put into a Location container so I'm
>> not sure how to do it.
>> Hi Leandro,
>> See the optional 'env=' argument and docs on the same for ways to make
>> RequestHeader conditional:
>>    http://httpd.apache.org/docs/current/mod/mod_headers.html#requestheader
>> So, depending on the path accessed, you should be able to have
>> mod_rewrite set an environment variable specifying which REMOTE_USER
>> (real username or fake anonymouse user) should be set.
>> You could also just set it as the anonymous user to start with and then
>> use 'RequestHeader set' to overwrite it with the real username in the
>> case that a real username is available.
>> This is all just from glancing at the docs, though, I have not tried any
>> of it out, and this sort of Apache trickery is always difficult to get
>> right.
>> --nate
>> Leandro,
>> The RequestHeader has a context of 'directory' as well, which includes
>> <Directory>, <Location>, <Files>, and <Proxy> containers [1]. So you should
>> be able to use it in Location directive.
>> Following is a configuration snippet related to what Nate described in his
>> earlier response. We are setting REMOTE_USER variable to anonymous when it's
>> not set/empty.
>>         <Location ~ "/(datasets|history)/">
>>                 AuthType shibboleth
>>                 ShibRequireSession off
>>                 Require shibboleth
>>                 RewriteCond %{LA-U:REMOTE_USER} =""
>>                 RequestHeader set REMOTE_USER "anonymous"
>>         </Location>
>> Hope this helps.
>> 1. http://httpd.apache.org/docs/current/mod/directive-dict.html#Context
>> --
>> Shantanu.


I realized that above mentioned configuration is wrong. It will set 
RequestHeader to 'anonymous' regardless of authentication status. I think 
following config should work (still testing). In our case it resides outside of 
Location directive now. You may need to adjust it according to your setup:

        # Take the  environment variable and set it as a header in the proxy 
        RewriteCond %{IS_SUBREQ} ^false$
        RewriteCond %{LA-U:REMOTE_USER} (.+)
        RewriteRule . - [E=RU:%1]
        # Set RU to anonymous if No REMOTE_USER
        RewriteCond %{IS_SUBREQ} ^false$
        RewriteCond %{LA-U:REMOTE_USER} =""
        RewriteRule . - [E=RU:"anonymous"]
        # Set RequestHeader 
        RequestHeader set REMOTE_USER %{RU}e


Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:


Reply via email to