Roundup Tracker - Issues

Issue 1002921

Title: Authentication thru proxy
Type: rfe  Severity: normal
Components: None  Versions:
Status: closed  Resolution: fixed
Assigned To: richard  Nosy List: richard, rouilj, wcooley
Priority: normal

Created on 2004-08-03 21:27 by wcooley, last changed 2016-04-11 00:14 by rouilj.

Files
File name                Uploaded                   Description
roundup_server.py.patch  wcooley, 2004-08-03 21:27  Implements REMOTE_USER for proxied server
Messages
msg3342 Author: [hidden] (wcooley) Date: 2004-08-03 21:27
Using 0.7.6, running as a stand-alone web-server with
Apache operating as proxy on front-end.  Read about
REMOTE_USER and discovered it only works when run as a
cgi-bin.  Roundup makes no use of the Authorization
header passed to it when used stand-alone with an
authenticating Apache proxy.  The attached patch
extracts the username from the Authorization header and
passes it as REMOTE_USER.
msg3343 Author: [hidden] (richard) Date: 2004-10-07 23:20

This patch doesn't actually verify the password used and 
therefore makes possible a circumvention of authentication by 
a client connecting directly to the roundup-server supplying an 
Authentication header with "admin:gibberish" as the Basic auth 
information. 
 
msg3344 Author: [hidden] (wcooley) Date: 2004-11-20 05:14

Yes, you're correct.  If a front-end proxy is being trusted
to authenticate, then this is the correct behaviour, but
otherwise it would be a nasty security hole.  I'll add a
config variable to enable trusting a front-end proxy to have
performed the authentication, in addition to integrating
with the patch from #1067690.  If you don't mind, I'll
re-open this and submit my patch here.  [I never noticed
your response because the e-mail address I had registered
with SF no longer worked; I've updated it and expect I will
now see any responses.]
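The two behaviours discussed in the messages above, as an added example that is not part of the original issue and not Roundup's own code: `remote_user_unverified` reproduces the flaw richard describes (the username is taken from the Basic Authorization header and the password is never checked), and `remote_user_hardened` sketches the config-variable approach wcooley proposes. The names `trust_proxy` and `proxy_addrs`, the REMOTE_ADDR peer check, and the PBKDF2 user store are assumptions made for this example, not Roundup's actual configuration or password format.

```python
"""Added example, not Roundup's own code: contrasts trusting the username in
a Basic Authorization header without a password check with a hardened variant
that verifies the password unless a configured, trusted front-end proxy is the peer."""
import base64
import hashlib
import hmac
import os


def parse_basic_auth(header):
    """Return (username, password) from a 'Basic <base64>' header value, else None."""
    try:
        scheme, challenge = header.split(' ', 1)
    except ValueError:
        return None
    if scheme.lower() != 'basic':
        return None
    try:
        decoded = base64.b64decode(challenge.strip(), validate=True).decode('utf-8')
    except (ValueError, UnicodeDecodeError):
        return None
    if ':' not in decoded:
        return None
    user, _, password = decoded.partition(':')
    return user, password


def remote_user_unverified(env):
    """The behaviour richard objects to: the username is read from the header and
    the password is never checked, so a client that reaches the back end directly
    can present 'admin:gibberish' and be treated as admin."""
    creds = parse_basic_auth(env.get('HTTP_AUTHORIZATION', ''))
    return creds[0] if creds else None


def make_record(password):
    """Constructed password-store entry: (salt, PBKDF2-SHA256 digest)."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), salt, 100_000)


# Constructed sample user store (hypothetical; Roundup stores passwords differently).
USERS = {
    'admin': make_record('correct horse battery staple'),
    'wcooley': make_record('constructed-example-password'),
}


def remote_user_hardened(env, users, trust_proxy=False, proxy_addrs=frozenset()):
    """Hardened variant. `trust_proxy` and `proxy_addrs` are hypothetical names for
    the config variable wcooley proposes. Only when the flag is set AND the TCP peer
    (REMOTE_ADDR) is a listed proxy is the forwarded username accepted without a
    password check; in every other case the password is verified locally."""
    creds = parse_basic_auth(env.get('HTTP_AUTHORIZATION', ''))
    if creds is None:
        return None
    user, password = creds
    if trust_proxy and env.get('REMOTE_ADDR') in proxy_addrs:
        # The front-end already authenticated this request; honour the name it forwarded.
        return user
    record = users.get(user)
    if record is None:
        return None
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), salt, 100_000)
    return user if hmac.compare_digest(candidate, digest) else None


def basic_header(user, password):
    """Build a Basic Authorization header value for a constructed sample request."""
    token = base64.b64encode(f'{user}:{password}'.encode('utf-8')).decode('ascii')
    return 'Basic ' + token


if __name__ == '__main__':
    # Constructed request: a client connecting directly to the back end with a bogus password.
    direct = {'REMOTE_ADDR': '203.0.113.5',
              'HTTP_AUTHORIZATION': basic_header('admin', 'gibberish')}
    print('unverified:', remote_user_unverified(direct))       # admin
    print('hardened  :', remote_user_hardened(direct, USERS))  # None
    # The same header arriving from the trusted proxy with the flag set.
    via_proxy = dict(direct, REMOTE_ADDR='127.0.0.1')
    print('via proxy :', remote_user_hardened(via_proxy, USERS,
                                              trust_proxy=True, proxy_addrs={'127.0.0.1'}))  # admin
```

The REMOTE_ADDR check only means something if the back end is reachable solely through the proxy (bound to loopback or firewalled), since any process that can open a connection from a listed address is trusted in the same way; with the flag off, every request is verified regardless of where it came from.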
msg3345 Author: [hidden] (richard) Date: 2005-01-04 01:49

Sorry, forgot to respond. Go for it, generate the patch. Unlikely to make it 
into 0.7 at this late stage though.
msg5518 Author: [hidden] (rouilj) Date: 2016-04-11 00:14
Looking at the current roundup/cgi/client.py I see:

    elif self.env.get('HTTP_AUTHORIZATION', ''):
        # try handling Basic Auth ourselves
        auth = self.env['HTTP_AUTHORIZATION']
        scheme, challenge = auth.split(' ', 1)
        if scheme.lower() == 'basic':

which to me looks like it has implemented what was requested.

Probably as part of issue1067690 which is closed.
History
Date                 User     Action  Args
2016-04-11 00:14:06  rouilj   set     status: open -> closed
                                      resolution: fixed
                                      messages: + msg5518
                                      nosy: + rouilj
2004-08-03 21:27:35  wcooley  create