Using Apache auth to secure certain areas of Rails app


#1

Hello! My setup is Rails 1.1 with Apache 2.x proxying the Rails stuff to
lighttpd. I know how to set up Apache to secure my entire Rails app to
require a username/password challenge. Is it possible to set up the
challenge for only parts of my application? E.g., let’s say I have a
“pub” controller whose views are accessible to anyone.

I am already implementing user authentication in my Rails app (checking
each request w/ before_filter). However, before I’m ready to go public,
I’d like an extra level of security with Apache authentication. But I’m
okay with certain sections like RSS feeds and blog entries being freely
accessible. Since a Rails URL doesn’t correspond to a physical directory
in the file system, I’m not sure how to set up the Apache access file.

Is it possible? If not, I’d like to hear other suggestions on
accomplishing the same result.

Thanks in advance.

–Ed Lau


#2

I recommend checking the Apache docs for Location and LocationMatch.
These are the block directives that you can use to perform actions
based on the URL path, irrespective of whether or not a physical
resource is being requested.

Ideally, you will have an overarching LocationMatch that you use to
set up your proxy directives, before handing off control to lighttpd
as the last statement in the block. If you want to do Apache-related
things inside that block, you can simply place more Location and/or
LocationMatch blocks, within the larger block, before you do the
proxy hand-off.

This would be a good way to tie into Apache’s Kerberos and LDAP
authentication modules, should you choose to do so. Also, inside your
Rails app, you’ll be able to check the value of request["REMOTE_USER"]
to get the name of the authenticated user.

-Brian
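An added example of the layout Brian describes, not configuration from the thread or from either poster. It is written for Apache 2.4 (`Require` syntax; on 2.2 the public block would use `Order allow,deny` / `Allow from all` / `Satisfy Any` instead). Apache does not accept a `<Location>` section nested inside another `<Location>`, so the sections below are siblings: Apache merges `<Location>` and `<LocationMatch>` sections in configuration order, and the later, more specific `/pub` and `/feeds` match replaces the authorization of the catch-all `/` section. The hostname, port, realm, htpasswd path and the `X-Remote-User` header name are assumptions. Because the backend is reached over a plain HTTP proxy hop, `REMOTE_USER` does not cross to Rails by itself; the rewrite look-ahead plus `RequestHeader` forward it, and the `unset` first ensures a client cannot smuggle its own copy of the header past Apache on the public paths.

```apache
# Added example, not from the original thread. Assumes mod_proxy,
# mod_proxy_http, mod_auth_basic, mod_authn_file, mod_authz_core,
# mod_rewrite and mod_headers are loaded (Apache 2.4).
<VirtualHost *:80>
    ServerName app.example.com        # assumed hostname

    # Default: the whole Rails URL space requires a valid user.
    # <Location> matches on the request path, so it needs no directory on disk.
    <Location />
        AuthType Basic
        AuthName "Staging"           # assumed realm
        AuthUserFile /etc/apache2/rails.htpasswd   # assumed path
        Require valid-user
    </Location>

    # Public sections: the "pub" controller and the RSS feeds.
    # This section is merged after "/" (later wins), and "Require all granted"
    # means no authentication is asked for on these paths.
    <LocationMatch "^/(pub|feeds)(/|$)">
        Require all granted
    </LocationMatch>

    # Forward the authenticated user to the backend. REMOTE_USER is not set
    # yet when per-server rewrite rules run, so LA-U performs a look-ahead
    # subrequest that runs authentication first.
    RewriteEngine On
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule .* - [E=RU:%1]

    # Drop any client-supplied copy of the header, then set it only when
    # Apache actually authenticated someone (assumed header name).
    RequestHeader unset X-Remote-User
    RequestHeader set X-Remote-User "%{RU}e" env=RU

    # Hand the request to lighttpd/Rails. The backend must listen only on
    # 127.0.0.1: anyone who can reach it directly bypasses this challenge.
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:3000/   # assumed backend port
    ProxyPassReverse / http://127.0.0.1:3000/
</VirtualHost>
```

On the Rails side the value arrives as the `HTTP_X_REMOTE_USER` entry of the request environment rather than as `REMOTE_USER`, and it is only trustworthy if the backend cannot be reached except through this Apache instance; check with `curl -i http://127.0.0.1:3000/` from another host that the port is closed, and `curl -i http://app.example.com/pub/` versus `curl -i http://app.example.com/` that the first returns 200 and the second a 401 challenge.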


#3

Thanks, Brian! I didn’t know about Location and LocationMatch. I’ll look
into it.

–Ed
