Apache, REMOTE_USER, and Mongrel (Ruby Forum, Ruby on Rails)

Posted by Will Rogers (wjrogers)
on 29.09.2006 19:44
I use mod_auth_sspi with Apache to authenticate requests to my Rails 
application. This means that Apache performs an NTLM challenge-response 
with the client on request, then sets its REMOTE_USER variable to the 
username of the authenticated user. I then use that REMOTE_USER value to 
load (or create) the correct User record in my application. Until now, I 
have been using FCGI to host Rails, and this has been working great.

Today, I have been working on upgrading to Apache 2.2.3 + mod_proxy + 
Mongrel to improve reliability and make some maintenance easier. 
However, I've discovered that Mongrel does not inherit the REMOTE_USER 
variable from Apache. Is there some way I can get this value to my Rails 
app through Mongrel?

It's important for my purposes that users not have to log in. I am in a 
corporate environment with a Windows domain, so using mod_auth_sspi to 
transparently authenticate users through their browsers is the perfect 
solution. If there's some way I can get this to work with Mongrel and 
not have to stick with FCGI, I'd love to hear about it :)

Thanks,

- Will
Posted by snacktime (Guest)
on 29.09.2006 23:15
(Received via mailing list)
Take a look at the mod proxy RequestHeader set directive.  Assuming
the remote user is in an environment variable somewhere, you can use
this directive to pass it on to mongrel.  I use it to pass along a
bunch of mod ssl env variables.
Posted by Will Rogers (wjrogers)
on 29.09.2006 23:22
snacktime wrote:
> Take a look at the mod proxy RequestHeader set directive.  Assuming
> the remote user is in an environment variable somewhere, you can use
> this directive to pass it on to mongrel.  I use it to pass along a
> bunch of mod ssl env variables.

Hi snacktime,

I actually just spent the rest of the afternoon since I posted this 
message messing with the RequestHeader directive. No matter where I put 
it, %{REMOTE_USER}e returns null. Unfortunately I just came home from 
work, so I don't have my Apache configuration in front of me, but it 
goes something like this:

<VirtualHost *>
   ServerName blah

   RequestHeader add X_FORWARDED_USER %{REMOTE_USER}e

   ProxyPass / http://my.host.name:8000/
   ProxyPassReverse / http://my.host.name:8000/
   ProxyPreserveHost On

   <Proxy *>
       AuthType SSPI
       SSPIAuth On
       # etc...
   </Proxy>
</VirtualHost>

Any insights?

Thanks,

- Will
Posted by snacktime (Guest)
on 30.09.2006 02:12
(Received via mailing list)
I forgot, mongrel prefixes all the env variables with HTTP_.  So check
HTTP_REMOTE_USER and see if that's it.  Took me a bit to notice that
myself.

Chris
Posted by Will Rogers (wjrogers)
on 02.10.2006 15:59
snacktime wrote:
> I forgot, mongrel prefixes all the env variables with HTTP_.  So check
> HTTP_REMOTE_USER and see if that's it.  Took me a bit to notice that
> myself.

Chris,

Apache does not send REMOTE_USER as an HTTP header to mongrel. The 
variables that mongrel prefixes with "HTTP_" are the HTTP request 
headers. REMOTE_USER is usually made available to child processes via 
CGI, but in this case we are not using CGI.

What I'm trying to do is explicitly inject a request header containing 
the value of REMOTE_USER in Apache, before the proxy module sends the 
request along to mongrel. For some reason, REMOTE_USER seems to always 
be (null). This is before mongrel even gets involved. See my 
configuration I posted on Friday for details.

If anyone knows why my attempts to read REMOTE_USER return (null), I'm 
all ears.

- Will
Posted by rpotter (Guest)
on 10.10.2006 18:19
Will Rogers wrote:
> ...
> If anyone knows why my attempts to read REMOTE_USER return (null), I'm 
> all ears.
> 
> - Will

Have you tried PassEnv in your Apache config 
(http://httpd.apache.org/docs/2.0/env.html)?
Posted by jon (Guest)
on 10.10.2006 18:38
(Received via mailing list)
Will Rogers wrote:
>
> If anyone knows why my attempts to read REMOTE_USER return (null), I'm
> all ears.

After many hours trying to solve the same problem I found this post:
http://www.nabble.com/Forcing-a-proxied-host-to-generate-REMOTE_USER-tf1114364.html#a2914465

and can confirm that the following works for me when put in the Proxy
directive on Apache 2:
    RewriteEngine On
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule . - [E=RU:%1]
    RequestHeader add X-Forwarded-User %{RU}e

Jon.
Posted by Will Rogers (wjrogers)
on 11.10.2006 15:44
jon wrote:

> After many hours trying to solve the same problem I found this post:
> http://www.nabble.com/Forcing-a-proxied-host-to-generate-REMOTE_USER-tf1114364.html#a2914465
> 
> and can confirm that the following works for me when put in the Proxy
> directive on Apache 2:
>     RewriteEngine On
>     RewriteCond %{LA-U:REMOTE_USER} (.+)
>     RewriteRule . - [E=RU:%1]
>     RequestHeader add X-Forwarded-User %{RU}e

THANK YOU. That works for me, as well. I tried all sorts of combinations 
of those commands, but not that particular one. :)

- Will
Posted by Cayce Balara (yardboy)
on 06.11.2006 23:13
Bump

Sorry for bumping such an old post. I'm having trouble trying to execute 
something similar. I am using the Apache::AuthenNTLM perl module for 
NTLM authentication (mod_auth_sspi is windows-only, correct?). Below are 
three configurations and my results. I appreciate any guidance anyone 
might be able to provide.

c.


The following works and provides me with authentication, I have 
REMOTE_USER and X_FORWARDED_USER available to my Rails application. The 
site is running straight through Apache, however, so performance is 
sub-optimal.

<VirtualHost *:80>
  ServerName demo.jaxfc401
  DocumentRoot /usr/local/apache2/htdocs/demo
  <Directory /usr/local/apache2/htdocs/demo>
    Options FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
    PerlAuthenHandler Apache2::AuthenNTLM
    AuthType ntlm,basic
    AuthName Crowley
    require valid-user
    PerlAddVar ntdomain "CROWLEY crowleypdc jaxbdc01"
    PerlSetVar defaultdomain CROWLEY
    PerlSetVar splitdomainprefix 1
    PerlSetVar ntlmdebug 0
    PerlSetVar ntlmauthoritative off
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule . - [E=RU:%1]
    RequestHeader add X-Forwarded-User %{RU}e
  </Directory>
</VirtualHost>


The following works and provides me with proxying through Mongrel, 
performance is excellent but no authentication occurs and as such 
REMOTE_USER is not available to my application.

<VirtualHost *:80>
  ServerName demo.jaxfc401
  ProxyRequests Off
  ProxyPass / http://jaxfc401:8000/
  ProxyPassReverse / http://jaxfc401:8000/
  ProxyPreserveHost on
</VirtualHost>


This does not work.

<VirtualHost *:80>
  ServerName demo.jaxfc401
  ProxyRequests Off
  ProxyPass / http://jaxfc401:8000/
  ProxyPassReverse / http://jaxfc401:8000/
  ProxyPreserveHost on
  <Proxy *>
    PerlAuthenHandler Apache2::AuthenNTLM
    AuthType ntlm,basic
    AuthName Crowley
    require valid-user
    PerlAddVar ntdomain "CROWLEY crowleypdc jaxbdc01"
    PerlSetVar defaultdomain CROWLEY
    PerlSetVar splitdomainprefix 1
    PerlSetVar ntlmdebug 0
    PerlSetVar ntlmauthoritative off
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule . - [E=RU:%1]
    RequestHeader add X-Forwarded-User %{RU}e
  </Proxy>
</VirtualHost>

I get the following error with this configuration:

Authorization Required
This server could not verify that you are authorized to access the 
document requested. Either you supplied the wrong credentials (e.g., bad 
password), or your browser doesn't understand how to supply the 
credentials required.
Posted by Cayce Balara (yardboy)
on 08.11.2006 19:46
Hey folks... one more bump and then I'll give it up, got caught behind
that wave of posts.

Thanks.
c.

Posted by Charles Brian Quinn (Guest)
on 08.11.2006 21:44
(Received via mailing list)
I never figured out how to do any of apache's auth schemes on anything
other than directories.  Your mileage doesn't look to vary on this.

I know in lighttpd you could auth the entire site, but alas, I
always balk and toss my secret stuff on really high, random ports or
just lock down to IPs.  I know, not the most secure, but it works.

Sorry for the non-help.



--
Charles Brian Quinn
self-promotion: www.seebq.com
highgroove studios: www.highgroove.com
slingshot hosting: www.slingshothosting.com
Posted by Cayce Balara (yardboy)
on 09.11.2006 17:35
Even non-help helps, at least I can move on to other options and stop 
banging my head against this mad bugger's wall.

thanks for the info.

c.


Posted by Nara Simha (simham)
on 06.01.2009 10:41
Hi,

I am facing a problem getting the authenticated user using mod_auth_sspi. 
My httpd.conf file has the following.


<VirtualHost *:80>
  ServerAdmin adminemailid
  ServerName Portal
  DocumentRoot rootpath
  <Directory Z:/web/appname/public/ >
      AllowOverride All
      Order allow,deny
      allow from all

  </Directory>

  #Rewrite stuff
  RewriteEngine On

  RewriteCond %{LA-U:REMOTE_USER} (.+)
  RewriteRule . - [E=RU:%1]
  RequestHeader add X-Forwarded-User %{RU}e


  # Check for maintenance file and redirect all requests
  RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f
  RewriteCond %{SCRIPT_FILENAME} !maintenance.html
  RewriteRule ^.*$ /system/maintenance.html [L]

  # Rewrite index to check for static
  #RewriteRule ^/$ /index.html [QSA]

  # Rewrite to check for Rails cached page
  #RewriteRule ^([^.]+)$ $1.html [QSA]

  # Redirect all non-static requests to cluster
  #RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
  RewriteRule ^/(.*)$ balancer://SSDEIPortal_cluster%{REQUEST_URI} [P,QSA,L]

</VirtualHost>


In the above config I am using the same config discussed in this post:

  RewriteCond %{LA-U:REMOTE_USER} (.+)
  RewriteRule . - [E=RU:%1]
  RequestHeader add X-Forwarded-User %{RU}e


but still I am not getting the result.

Thanks in advance.