Apache with kerberos + mod_proxy + mod_rewrite recursion

Question

I've configured an Apache server to provide SSO and reverse-proxying for our Splunk installation as per the config below. SSO works as does the reverse-proxy hiding the Splunk instance running on port 8000 behind the /splunk URL.

ProxyPass /splunk http://localhost:8000/splunk
ProxyPassReverse /splunk http://localhost:8000/splunk
<Location /splunk >
        # Kerberos Authentication
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbAuthRealms MYDOMAIN.COM
        Krb5KeyTab /etc/krb5.http.keytab
        KrbMethodNegotiate on
        KrbAuthoritative on
        KrbMethodK5Passwd off
        KrbLocalUserMapping on
        KrbSaveCredentials on
        require valid-user

        # SSO
        RewriteEngine On
        RewriteCond %{LA-U:REMOTE_USER} (.+)$
        RewriteRule . - [E=RU:%1]
        RequestHeader set REMOTE_USER %{RU}e
</Location>

The problem is in the Apache logs I'm getting a LOT of the following error messages.

[client x.x.x.x] Request exceeded the limit of 10 subrequest nesting levels due to probable confguration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace., referer: http://splunk.mydomain.com/splunk/en-GB/debug/sso

I'm not sure whether this problem is related to Splunk or not. Has anyone else seen this and how can I fix the problem?

Answer 1

Try

RewriteRule . - [E=RU:%1,NS]

To make sure the RewriteRule doesn't apply to internal subrequests.