Pete,

I actually don’t track any of the REMOTE_USER, REMOTE_IDENT, or REMOTE_HOST parameters from CGI because the first two are security holes and all three are huge performance hits on Mongrel. Typically the last one is used by web servers to log requests, but since Mongrel is behind a faster real web server, logging or tracking this again is a double waste. Because of this (and the fact that lighttpd hides the remote host) you get no remote host.

Also, I hope you realize that this is not a way to do a security check. Remote IP addresses are easily faked.

Now, you have a real problem but there is a possible win-win solution. Lighttpd supports mod_proxy (which you’re already using), but it also lets you pick backends according to the $HTTP["remoteip"]. Rather than have mongrel pick this, what you can do is set up one mongrel instance per remote site, and then have lighttpd proxy based on each using this variable.

So, if you had this before:
$HTTP["host"] == "www.example.org" {
  proxy.balance = "hash"
  proxy.server = ( "" => ( ( "host" => "10.0.0.10" ),
                           ( "host" => "10.0.0.11" ),
                           ( "host" => "10.0.0.16" ),
                           ( "host" => "10.0.0.17" ) ) )
}
You’d change it to:
$HTTP["remoteip"] == "10.0.0.0/8" {
  proxy.balance = "hash"
  proxy.server = ( "" => ( ( "host" => "127.0.0.1", "port" => 9000 ) ) )
}
$HTTP["remoteip"] == "10.0.1.0/8" {
  proxy.balance = "hash"
  proxy.server = ( "" => ( ( "host" => "127.0.0.1", "port" => 9001 ) ) )
}
And so on. The /8 is to pick a network rather than a single remoteip. The docs for this are:
http://www.lighttpd.net/documentation/proxy.html
http://www.lighttpd.net/documentation/configuration.html

Two other options are:
- Give each remote site their own special DNS entry and then do what 37signals does with basecamp to set up their access. There’s a wiki entry on this.
- Use the same $HTTP["remoteip"] but use it to rewrite the request to prepend a “remote site id” to the request. Then change your routes.rb so that you get something like: /:remotesite/:controller/:action/:id. This then lets you avoid one backend per site but still gives you site-specific stuff.
- Totally experimental, but look at the mod_setenv ability to setenv.request_header and see if you can just set some header to the remote IP. Ask in the #lighttpd IRC channel on irc.freenode.org.

Hope that helps, and good luck.
Zed A. Shaw
http://mongrel.rubyforge.org/
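
An added example, not part of the original message and not Mongrel or lighttpd code: one way the application side could map a proxy-supplied remote IP to a site id while treating it only as content selection, never as a security check. The header name, the trusted proxy address, the networks and the site ids are assumptions made up for the illustration.

```ruby
require "ipaddr"

# Constructed values: proxy address, header name, networks and site ids are
# assumptions for this example, not taken from the original message.
TRUSTED_PROXIES = [IPAddr.new("127.0.0.1")].freeze
SITE_HEADER = "X-Site-Remote-IP" # hypothetical header set by the front end

# True when two networks share any address.
def overlap?(a, b)
  ra = a.to_range
  rb = b.to_range
  ra.begin <= rb.end && rb.begin <= ra.end
end

# Build [network, site] pairs and reject overlapping networks, since an
# overlapping entry would send one site's clients to another site.
def build_site_map(pairs)
  nets = pairs.map { |cidr, site| [IPAddr.new(cidr), site] }
  nets.combination(2) do |(a, sa), (b, sb)|
    raise ArgumentError, "#{sa} and #{sb} overlap" if overlap?(a, b)
  end
  nets
end

# Address to map: the header counts only when the TCP peer is the trusted
# proxy; from any other peer it is ignored and the peer address is used.
def client_ip(peer, headers)
  peer_ip = IPAddr.new(peer)
  return peer_ip unless TRUSTED_PROXIES.any? { |p| p.include?(peer_ip) }
  value = headers[SITE_HEADER]
  value ? IPAddr.new(value) : peer_ip
rescue IPAddr::Error
  nil # unparsable address: no site
end

# Site id for content selection, or nil. Selection only: the request still
# has to be authenticated by other means.
def site_for(site_map, peer, headers = {})
  ip = client_ip(peer, headers)
  match = ip && site_map.find { |net, _site| net.include?(ip) }
  match && match[1]
end

SITES = build_site_map("10.0.0.0/24" => "site_a", "10.0.1.0/24" => "site_b")
```

The sample map uses /24 networks because, under a /8 mask, 10.0.0.0 and 10.0.1.0 fall in the same network, which `build_site_map` rejects as an overlap.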