When using LL::NG in reverse proxy mode, you will not have the REMOTE_USER environment variable set. This variable is set by the Handler on the physical server hosting the Handler, and not on other servers where the Handler is not installed.
The Apache SetEnvIf module lets you transform the Auth-User HTTP header into the REMOTE_USER environment variable:
SetEnvIfNoCase Auth-User "(.*)" REMOTE_USER=$1
This can be used to protect applications relying on the REMOTE_USER environment variable in reverse proxy mode. In this case you will have two Apache configuration files, the first for the reverse proxy and the second for the application server:
<VirtualHost *:80>
    ServerName application.example.com
    PerlHeaderParserHandler Lemonldap::NG::Handler
    ProxyPreserveHost on
    ProxyPass / http://APPLICATION_IP/
    ProxyPassReverse / http://APPLICATION_IP/
</VirtualHost>

<VirtualHost *:80>
    ServerName application.example.com
    SetEnvIfNoCase Auth-User "(.*)" REMOTE_USER=$1
    DocumentRoot /var/www/application
</VirtualHost>
SetEnvIfNoCase Auth-User "(.*)" PHP_AUTH_USER=$1
SetEnvIfNoCase Auth-Password "(.*)" PHP_AUTH_PW=$1
Of course, you need to store the password in the session to fill PHP_AUTH_PW.
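The application virtual host above turns whatever Auth-User (and Auth-Password) header it receives into REMOTE_USER or PHP_AUTH_*, so it should only accept requests that come through the reverse proxy hosting the Handler. The following is an added example, not part of the original documentation; it assumes Apache 2.4 with mod_authz_host, and REVERSE_PROXY_IP is a placeholder for the proxy's address, in the same way as APPLICATION_IP:

```apache
# Application server virtual host, as first deployed:
# any client that can reach this server directly can send its own
# Auth-User header, and SetEnvIfNoCase will copy it into REMOTE_USER.
#
# <VirtualHost *:80>
#     ServerName application.example.com
#     SetEnvIfNoCase Auth-User "(.*)" REMOTE_USER=$1
#     DocumentRoot /var/www/application
# </VirtualHost>

# Same virtual host, restricted to the reverse proxy.
<VirtualHost *:80>
    ServerName application.example.com

    # Only the reverse proxy running the LL::NG Handler may talk to
    # this virtual host. REVERSE_PROXY_IP is a placeholder (assumption).
    <Location "/">
        Require ip REVERSE_PROXY_IP
    </Location>

    # Headers now only arrive from the proxy, after the Handler has
    # authenticated the user.
    SetEnvIfNoCase Auth-User "(.*)" REMOTE_USER=$1
    SetEnvIfNoCase Auth-User "(.*)" PHP_AUTH_USER=$1
    SetEnvIfNoCase Auth-Password "(.*)" PHP_AUTH_PW=$1

    DocumentRoot /var/www/application
</VirtualHost>
```

A request sent straight to the application server from any other address is then refused with 403 before the application sees the header.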
Nginx does not run PHP pages (or other languages) directly: it talks to FastCGI servers (like php-fpm). As you can see in the examples, it is easy to map an LLNG header to a FastCGI parameter. Example:
auth_request_set $authuser $upstream_http_auth_user;
fastcgi_param HTTP_MYVAR $authuser;