HTTP server behind IIS: passing authentication headers
I have an IIS instance configured with Windows Authentication and URL Rewrite, so it basically works as a reverse proxy. My backend server (run on Linux) expects a REMOTE_USER header. Is it possible to configure IIS to pass information about the authenticated user to the backend server?
Comments (2)
If IIS is configured for Windows Auth, then ARR will challenge and only forward requests once the user is authenticated.

It is possible to forward custom headers with the request using an HTTP naming convention and serverVariables element in the rewrite rules. For instance, in the following example the server variable LOCAL_ADDR is forwarded as a header named X-MY-HEADER.

Unfortunately it's not possible to use this technique to forward a REMOTE_USER header. This is because when the Authorization header is present, the request is forwarded before the authentication module runs, and therefore auth server variables are not set (when mapped to headers they simply come through blank).

You can however set IIS to use Basic Windows Auth, and then extract the username from the Base64 encoded Authorization header on your Linux server.

I've had a similar problem and I thought I would mention how I managed to work around it. I have installed Helicon ISAPI-Rewrite 3 Lite, which is an ISAPI request filter. Since it runs after the authentication stage in the pipeline, it has access to the REMOTE_USER variable and can rewrite the request such that a new HTTP header is added to it with REMOTE_USER as its value. Of course this helps only if you have some control over the backend server so you can make use of the value of this custom header instead of the original REMOTE_USER variable.

The required snippet in ISAPI-Rewrite's global configuration file (httpd.conf) is as follows:

The RewriteCond part limits this rule to URIs starting with /MySite; feel free to adjust it as needed.
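
The first answer's suggestion of reading the username out of the forwarded Basic Authorization header could look like this on the Linux backend. This is an added example, not code from either answer; the function name, the trusted proxy address and the sample headers are assumptions constructed for illustration.

```python
import base64
import binascii
import ipaddress

# Assumption: address of the IIS/ARR proxy as seen by the backend (constructed value).
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def remote_user_from_basic(authorization, peer_ip):
    """Return (domain, user) from a proxied Basic Authorization header, or None.

    The header is only believed when the TCP peer is the IIS proxy; a client
    that reaches the backend directly can put any username in it.
    """
    if ipaddress.ip_address(peer_ip) not in TRUSTED_PROXIES:
        return None
    scheme, _, token = (authorization or "").strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None  # e.g. Negotiate/NTLM tokens carry no decodable username
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Split on the first colon only: the password may itself contain colons.
    account, sep, _password = decoded.partition(":")
    if not sep or not account:
        return None
    # Windows accounts arrive as DOMAIN\user, user@domain, or a bare name.
    if "\\" in account:
        domain, user = account.split("\\", 1)
    elif "@" in account:
        user, domain = account.rsplit("@", 1)
    else:
        domain, user = "", account
    return (domain, user) if user else None


def _basic(value):
    """Build a constructed sample header for the given 'account:password'."""
    return "Basic " + base64.b64encode(value.encode()).decode()
```

Base64 is an encoding, not encryption, so the forwarded header also carries the user's password to the backend; the hop between IIS and the Linux server needs TLS, and the backend should not log the header.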