# Hostname this server identifies itself as.
ServerName proxy.example.com

# Enable TLS for outbound (proxied) connections; required for the https://
# ProxyPass target used under /mod_auth/.
SSLProxyEngine On
# NOTE(review): the next three directives switch off the backend certificate
# checks (CN match, hostname match, expiry). With them off the proxy accepts
# whatever certificate the host answering for the backend presents, and still
# forwards the authenticated Remote-User header to it. No SSLProxyVerify or
# SSLProxyCACertificateFile is visible in this file either. This looks
# acceptable only for a test fixture with throwaway certificates; confirm,
# and turn the checks back on anywhere the backend identity matters.
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerName Off
SSLProxyCheckPeerExpire Off

# Active only when SERVER selects the GSSAPI-with-basic-auth-fallback mode.
<If "env('SERVER') == 'SERVER_GSSAPI_BASIC_FALLBACK'">
    # CSRF guard for the basic-auth proxy: a request under /mod_auth must carry
    # a non-empty X-Csrf-Token header; anything without it is refused.
    # Only the header's presence is checked, never its value. The guard
    # relies on browsers not attaching custom headers to cross-site requests
    # that would otherwise reuse cached basic-auth credentials.
    RewriteEngine On
    # Condition 1: path starts with /mod_auth. The pattern is not anchored at
    # the end, so longer paths sharing that prefix match as well.
    RewriteCond %{REQUEST_URI} ^/mod_auth/?
    # Condition 2 (ANDed with the first): X-Csrf-Token is absent or empty.
    RewriteCond %{HTTP:X-Csrf-Token} ^$ [NC]
    # [F] answers 403 Forbidden; [L] stops further rewrite processing.
    RewriteRule ^.* - [F,L]
</If>

# Requests under /mod_auth/ are authenticated here and then forwarded to the
# backend with the authenticated identity attached as a header.
<Location /mod_auth/>

    ProxyPass https://backend.example.com/
    # Only authenticated users are allowed through.
    Require valid-user

    AuthType GSSAPI
    AuthName "GSSAPI Login"
    # Hand the authenticated user name to the backend. %{...}s is mod_headers'
    # SSL-variable specifier, used here to read REMOTE_USER.
    # NOTE(review): the backend presumably trusts this header as the caller's
    # identity, so it must be reachable only through this proxy; confirm.
    RequestHeader set Remote-User %{REMOTE_USER}s

    <If "env('SERVER') == 'SERVER_GSSAPI_ONLY'">
        # Kerberos (Negotiate) only: the service key comes from the keytab.
        # NOTE(review): the keytab holds the service's long-term key; it
        # should be readable by the httpd user only. Verify file permissions.
        GssapiCredStore keytab:/etc/httpd.keytab
    </If>

    <If "env('SERVER') == 'SERVER_GSSAPI_BASIC_FALLBACK'">
        # Same keytab as the GSSAPI-only mode.
        GssapiCredStore keytab:/etc/httpd.keytab
        # Also accept HTTP Basic credentials when Negotiate is not used.
        # NOTE(review): with this on, user passwords arrive in the
        # Authorization header. No client-facing TLS setup is visible in this
        # file; confirm the listener is HTTPS-only. Requests to this path also
        # depend on the X-Csrf-Token rewrite guard defined for this mode.
        GssapiBasicAuth on
    </If>

</Location>

# Drop identity headers supplied by the client so a caller cannot pre-set the
# user name the backend will see. The only Remote-User value meant to reach
# the backend is the one set inside <Location /mod_auth/>.
# NOTE(review): this relies on the server-level unset being applied before the
# <Location>-level set; verify by sending a request with a forged Remote-User
# header and checking what the backend receives. X-Remote-User is never set in
# this file, so it is stripped unconditionally.
RequestHeader unset Remote-User
RequestHeader unset X-Remote-User