Apache, REMOTE_USER, and Mongrel


#1

I use mod_auth_sspi with Apache to authenticate requests to my Rails
application. This means that Apache performs an NTLM challenge-response
with the client on request, then sets its REMOTE_USER variable to the
username of the authenticated user. I then use that REMOTE_USER value to
load (or create) the correct User record in my application. Until now, I
have been using FCGI to host Rails, and this has been working great.

Today, I have been working on upgrading to Apache 2.2.3 + mod_proxy +
Mongrel to improve reliability and make some maintenance easier.
However, I’ve discovered that Mongrel does not inherit the REMOTE_USER
variable from Apache. Is there some way I can get this value to my Rails
app through Mongrel?

It’s important for my purposes that users not have to log in. I am in a
corporate environment with a Windows domain, so using mod_auth_sspi to
transparently authenticate users through their browsers is the perfect
solution. If there’s some way I can get this to work with Mongrel and
not have to stick with FCGI, I’d love to hear about it :)

Thanks,

  • Will

#2

Take a look at the mod proxy RequestHeader set directive. Assuming
the remote user is in an environment variable somewhere, you can use
this directive to pass it on to mongrel. I use it to pass along a
bunch of mod ssl env variables.


#3

snacktime wrote:

Take a look at the mod proxy RequestHeader set directive. Assuming
the remote user is in an environment variable somewhere, you can use
this directive to pass it on to mongrel. I use it to pass along a
bunch of mod ssl env variables.

Hi snacktime,

I actually just spent the rest of the afternoon since I posted this
message messing with the RequestHeader directive. No matter where I put
it, %{REMOTE_USER}e returns null. Unfortunately I just came home from
work, so I don’t have my Apache configuration in front of me, but it
goes something like this:

<VirtualHost *>
ServerName blah

RequestHeader add X_FORWARDED_USER %{REMOTE_USER}e

ProxyPass / http://my.host.name:8000/
ProxyPassReverse / http://my.host.name:8000
ProxyPreserveHost On

<Proxy *>
AuthType SSPI
SSPIAuth On
# etc…

Any insights?

Thanks,

  • Will

#4

snacktime wrote:

I forgot, mongrel prefixes all the env variables with HTTP_. So check
HTTP_REMOTE_USER and see if that’s it. Took me a bit to notice that
myself.

Chris,

Apache does not send REMOTE_USER as an HTTP header to mongrel. The
variables that mongrel prefixes with “HTTP_” are the HTTP request
headers. REMOTE_USER is usually made available to child processes via
CGI, but in this case we are not using CGI.

What I’m trying to do is explicitly inject a request header containing
the value of REMOTE_USER in Apache, before the proxy module sends the
request along to mongrel. For some reason, REMOTE_USER seems to always
be (null). This is before mongrel even gets involved. See my
configuration I posted on Friday for details.

If anyone knows why my attempts to read REMOTE_USER return (null), I’m
all ears.

  • Will

#5

Will R. wrote:


If anyone knows why my attempts to read REMOTE_USER return (null), I’m
all ears.

  • Will

Have you tried PassEnv in your Apache config (
http://httpd.apache.org/docs/2.0/env.html )?


#6

I forgot, mongrel prefixes all the env variables with HTTP_. So check
HTTP_REMOTE_USER and see if that’s it. Took me a bit to notice that
myself.

Chris


#7

Will R. wrote:

If anyone knows why my attempts to read REMOTE_USER return (null), I’m
all ears.

After many hours trying to solve the same problem I found this post:
http://www.nabble.com/Forcing-a-proxied-host-to-generate-REMOTE_USER-tf1114364.html#a2914465

and can confirm that the following works for me when put in the Proxy
directive on Apache 2:
RewriteEngine On
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]
RequestHeader add X-Forwarded-User %{RU}e

Jon.
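
Added example (not from the thread or any of the posters): the Rails/Mongrel side of the trick above, as a plain Ruby function that reads the injected header from the CGI-style env Mongrel builds and decides whether it may be trusted. TRUSTED_PROXIES and the DOMAIN\user handling are placeholder assumptions for illustration.

```ruby
# Mongrel exposes HTTP request headers to the app as HTTP_<NAME>, so the
# X-Forwarded-User header that Apache adds arrives as HTTP_X_FORWARDED_USER.
# Placeholder: the address Apache connects from, as seen by Mongrel.
TRUSTED_PROXIES = %w[127.0.0.1].freeze

# Returns the bare account name the reverse proxy authenticated, or nil when
# the header must not be used. The header is only meaningful for requests
# that came through Apache: anything that reaches Mongrel's port directly
# can carry an arbitrary X-Forwarded-User value.
def forwarded_user(env, trusted_proxies = TRUSTED_PROXIES)
  return nil unless trusted_proxies.include?(env['REMOTE_ADDR'])

  raw = env['HTTP_X_FORWARDED_USER'].to_s.strip
  return nil if raw.empty?

  # "RequestHeader add" appends instead of replacing, so a client-supplied
  # copy of the header would arrive joined with Apache's as "a, b".
  # Refuse ambiguous values rather than guess which half is genuine.
  return nil if raw.include?(',')

  # NTLM front ends may deliver DOMAIN\user or user@DOMAIN; keep only the
  # account name, much like the splitdomainprefix setting in the thread.
  user = raw.split('\\').last.to_s.split('@').first.to_s

  # Accept only a plausible account name before using it as a record key.
  user =~ /\A[A-Za-z0-9._-]{1,64}\z/ ? user.downcase : nil
end

# Typical use in a Rails before_filter (hypothetical helper name):
#   name = forwarded_user(request.env) or return access_denied
#   @current_user = User.find_or_create_by_login(name)
```

Because `RequestHeader add` appends rather than replaces, `RequestHeader set` (or an `unset` before the `add`) makes Apache the only source of that header; the application should still reject it on requests that did not arrive from the proxy.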


#8

Bump

Sorry for bumping such an old post. I’m having trouble trying to execute
something similar. I am using the Apache::AuthenNTLM perl module for
NTLM authentication (mod_auth_sspi is windows-only, correct?). Below are
three configurations and my results. I appreciate any guidance anyone
might be able to provide.

c.

The following works and provides me with authentication, I have
REMOTE_USER and X_FORWARDED_USER available to my Rails application. The
site is running straight through Apache, however, so performance is
sub-optimal.

<VirtualHost *:80>
ServerName demo.jaxfc401
DocumentRoot /usr/local/apache2/htdocs/demo
<Directory /usr/local/apache2/htdocs/demo>
Options FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
PerlAuthenHandler Apache2::AuthenNTLM
AuthType ntlm,basic
AuthName Crowley
require valid-user
PerlAddVar ntdomain "CROWLEY crowleypdc jaxbdc01"
PerlSetVar defaultdomain CROWLEY
PerlSetVar splitdomainprefix 1
PerlSetVar ntlmdebug 0
PerlSetVar ntlmauthoritative off
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]
RequestHeader add X-Forwarded-User %{RU}e
</Directory>
</VirtualHost>

The following works and provides me with proxying through Mongrel,
performance is excellent but no authentication occurs and as such
REMOTE_USER is not available to my application.

<VirtualHost *:80>
ServerName demo.jaxfc401
ProxyRequests Off
ProxyPass / http://jaxfc401:8000
ProxyPassReverse / http://jaxfc401:8000
ProxyPreserveHost on
</VirtualHost>

This does not work.

<VirtualHost *:80>
ServerName demo.jaxfc401
ProxyRequests Off
ProxyPass / http://jaxfc401:8000
ProxyPassReverse / http://jaxfc401:8000
ProxyPreserveHost on
<Proxy *>
PerlAuthenHandler Apache2::AuthenNTLM
AuthType ntlm,basic
AuthName Crowley
require valid-user
PerlAddVar ntdomain "CROWLEY crowleypdc jaxbdc01"
PerlSetVar defaultdomain CROWLEY
PerlSetVar splitdomainprefix 1
PerlSetVar ntlmdebug 0
PerlSetVar ntlmauthoritative off
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]
RequestHeader add X-Forwarded-User %{RU}e
</Proxy>
</VirtualHost>

I get the following error with this configuration:

Authorization Required
This server could not verify that you are authorized to access the
document requested. Either you supplied the wrong credentials (e.g., bad
password), or your browser doesn’t understand how to supply the
credentials required.


#9

jon wrote:

After many hours trying to solve the same problem I found this post:
http://www.nabble.com/Forcing-a-proxied-host-to-generate-REMOTE_USER-tf1114364.html#a2914465

and can confirm that the following works for me when put in the Proxy
directive on Apache 2:
RewriteEngine On
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]
RequestHeader add X-Forwarded-User %{RU}e

THANK YOU. That works for me, as well. I tried all sorts of combinations
of those commands, but not that particular one. :)

  • Will

#10

Hey folks… one more bump and then I’ll give it up, got caught behind
that wave of posts.

Thanks.
c.

Cayce B. wrote:
Bump

Sorry for bumping such an old post. I’m having trouble trying to
execute
something similar. I am using the Apache::AuthenNTLM perl module for
NTLM authentication (mod_auth_sspi is windows-only, correct?). Below
are
three configurations and my results. I appreciate any guidance anyone
might be able to provide.

c.

The following works and provides me with authentication, I have
REMOTE_USER and X_FORWARDED_USER available to my Rails application. The
site is running straight through Apache, however, so performance is
sub-optimal.

<VirtualHost *:80>
ServerName demo.jaxfc401
DocumentRoot /usr/local/apache2/htdocs/demo
<Directory /usr/local/apache2/htdocs/demo>
Options FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
PerlAuthenHandler Apache2::AuthenNTLM
AuthType ntlm,basic
AuthName Crowley
require valid-user
PerlAddVar ntdomain "CROWLEY crowleypdc jaxbdc01"
PerlSetVar defaultdomain CROWLEY
PerlSetVar splitdomainprefix 1
PerlSetVar ntlmdebug 0
PerlSetVar ntlmauthoritative off
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]
RequestHeader add X-Forwarded-User %{RU}e
</Directory>
</VirtualHost>

The following works and provides me with proxying through Mongrel,
performance is excellent but no authentication occurs and as such
REMOTE_USER is not available to my application.

<VirtualHost *:80>
ServerName demo.jaxfc401
ProxyRequests Off
ProxyPass / http://jaxfc401:8000
ProxyPassReverse / http://jaxfc401:8000
ProxyPreserveHost on
</VirtualHost>

This does not work.

<VirtualHost *:80>
ServerName demo.jaxfc401
ProxyRequests Off
ProxyPass / http://jaxfc401:8000
ProxyPassReverse / http://jaxfc401:8000
ProxyPreserveHost on
<Proxy *>
PerlAuthenHandler Apache2::AuthenNTLM
AuthType ntlm,basic
AuthName Crowley
require valid-user
PerlAddVar ntdomain "CROWLEY crowleypdc jaxbdc01"
PerlSetVar defaultdomain CROWLEY
PerlSetVar splitdomainprefix 1
PerlSetVar ntlmdebug 0
PerlSetVar ntlmauthoritative off
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]
RequestHeader add X-Forwarded-User %{RU}e
</Proxy>
</VirtualHost>

I get the following error with this configuration:

Authorization Required
This server could not verify that you are authorized to access the
document requested. Either you supplied the wrong credentials (e.g., bad
password), or your browser doesn’t understand how to supply the
credentials required.


#11

Even non-help helps, at least I can move on to other options and stop
banging my head against this mad bugger’s wall.

thanks for the info.

c.

Charles Brian Q. wrote:

I never figured out how to do any of apache’s auth schemes on anything
other than directories. Your mileage doesn’t look to vary on this.

I know in lighttpd you could auth the entire site, but alas, I
always balk and toss my secret stuff on really high, random ports or
just lock down to IPs. I know, not the most secure, but it works.

Sorry for the non-help.

On 11/8/06, Cayce B. removed_email_address@domain.invalid wrote:



Charles Brian Q.
self-promotion: www.seebq.com
highgroove studios: www.highgroove.com
slingshot hosting: www.slingshothosting.com


#12

I never figured out how to do any of apache’s auth schemes on anything
other than directories. Your mileage doesn’t look to vary on this.

I know in lighttpd you could auth the entire site, but alas, I
always balk and toss my secret stuff on really high, random ports or
just lock down to IPs. I know, not the most secure, but it works.

Sorry for the non-help.

On 11/8/06, Cayce B. removed_email_address@domain.invalid wrote:



Charles Brian Q.
self-promotion: www.seebq.com
highgroove studios: www.highgroove.com
slingshot hosting: www.slingshothosting.com


#13

Cayce B. wrote:

Even non-help helps, at least I can move on to other options and stop
banging my head against this mad bugger’s wall.

thanks for the info.

c.

Charles Brian Q. wrote:

I never figured out how to do any of apache’s auth schemes on anything
other than directories. Your mileage doesn’t look to vary on this.

I know in lighttpd you could auth the entire site, but alas, I
always balk and toss my secret stuff on really high, random ports or
just lock down to IPs. I know, not the most secure, but it works.

Sorry for the non-help.

On 11/8/06, Cayce B. removed_email_address@domain.invalid wrote:



Charles Brian Q.
self-promotion: www.seebq.com
highgroove studios: www.highgroove.com
slingshot hosting: www.slingshothosting.com

Hi,

I am having a problem getting the authenticated user using mod_auth_sspi.
My httpd.conf file has the following.

<VirtualHost *:80>
ServerAdmin adminemailid
ServerName Portal
DocumentRoot rootpath
<Directory Z:/web/appname/public/ >
AllowOverride All
Order allow,deny
allow from all

#Rewrite stuff
RewriteEngine On

RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]
RequestHeader add X-Forwarded-User %{RU}e

# Check for maintenance file and redirect all requests

RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f
RewriteCond %{SCRIPT_FILENAME} !maintenance.html
RewriteRule ^.*$ /system/maintenance.html [L]

# Rewrite index to check for static

#RewriteRule ^/$ /index.html [QSA]

# Rewrite to check for Rails cached page

#RewriteRule ^([^.]+)$ $1.html [QSA]

# Redirect all non-static requests to cluster

#RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
RewriteRule ^/(.*)$ balancer://SSDEIPortal_cluster%{REQUEST_URI} [P,QSA,L]
</Directory>
</VirtualHost>

In the above config I am using the same config discussed in this post, namely

RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]
RequestHeader add X-Forwarded-User %{RU}e

but still I am not getting the result.

Thanks in advance.