A question about mongrel, apache and authentication.

I've got a Rails site with I think a very typical setup: a mongrel
cluster behind an Apache proxy. So Apache's handling the static stuff
and it hands off dynamic content to mongrel. I want to put the site
temporarily behind Apache's basic authentication. What I get when I
do this is a password prompt which prevents all of the images,
stylesheets and other static files from being loaded unless
authentication passes, but anything mongrel handles is not.
Specifically, a user can just keep hitting "Cancel" at the
browser-generated password prompt and he/she will see that rails
generated content without ever entering any credentials. No styling
and no images, but they do see content. How can I fix it? Mongrel
does not seem to be honoring the authentication (and frankly, I don't
know if it can). Here's my apache config:

<VirtualHost *:80>
    ServerAdmin me at mysite.com
    DocumentRoot /www/mysite/current/public
    ServerName www.mysite.com
    ErrorLog /www/mysite/logs/mysite.error.log
    CustomLog /www/mysite/logs/mysite.access.log combined

    <Directory "/www/mysite/current/public">
        Options FollowSymLinks
        AllowOverride AuthConfig Limit
        Order allow,deny
        Allow from all

        AuthType Basic
        AuthName "Restricted"
        AuthBasicProvider file
        AuthUserFile /www/mysite/users/userdb
        Require valid-user
    </Directory>

    RewriteEngine On

    # Check for maintenance file and redirect all requests
    # ( this is for use with Capistrano's disable_web task )
    RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f
    RewriteCond %{SCRIPT_FILENAME} !maintenance.html
    RewriteRule ^.*$ /system/maintenance.html [L]

    # Rewrite index to check for static
    RewriteRule ^/$ /index.html [QSA]

    # Rewrite to check for Rails cached page
    RewriteRule ^([^.]+)$ $1.html [QSA]

    # Redirect all non-static requests to cluster
    RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
    RewriteRule ^/(.*)$ balancer://mongrel_cluster%{REQUEST_URI} [P,QSA,L]

    # Deflate
    AddOutputFilterByType DEFLATE text/html text/plain text/css
    # ... text/xml application/xml application/xhtml+xml text/javascript
    BrowserMatch ^Mozilla/4 gzip-only-text/html
    BrowserMatch ^Mozilla/4.0[678] no-gzip
    BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

    <Proxy balancer://mongrel_cluster>
        BalancerMember http://127.0.0.1:8000
        BalancerMember http://127.0.0.1:8001
        BalancerMember http://127.0.0.1:8002
    </Proxy>
</VirtualHost>

You are only protecting your public directory with basic authentication. Try moving the Auth* and Require directives out of the scope of the public directory, and into the scope of the Virtual Host.

You need to put the password directives in the proxy balancer:

<Proxy balancer://mongrel_cluster>
    BalancerMember http://127.0.0.1:8000
    BalancerMember http://127.0.0.1:8001
    BalancerMember http://127.0.0.1:8002

    AuthType Basic
    AuthName "Restricted"
    AuthBasicProvider file
    AuthUserFile /www/mysite/users/userdb
    Require valid-user
</Proxy>

Regards
--
Rafael Garcia Ortega

Hello Sean,

Did this solution in the proxy balancer posted by Rafael work for you?
Because it seems that applying that, I have no authentication anymore...
Did you find any solution for this problem?

Regards,

Antoine
--
Posted via http://www.ruby-forum.com/.

Hi Antoine,

When you want to protect an application with basic authentication you need to protect the static content (served by apache) and the dynamic content (served by mongrel).

A complete example:

==== foo.conf (vhost config file)

<Proxy balancer://foo_cluster>
    BalancerMember http://127.0.0.1:8008

    AuthType Basic
    AuthName "foo authentication"
    AuthUserFile /usr/local/apache2/conf/passwords
    Require user bar
</Proxy>

<VirtualHost *:80>
    ServerName foo.com
    ServerAlias *.foo.com
    DocumentRoot /home/foo/current/public

    <Directory "/home/foo/current/public">
        Options FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all

        AuthType Basic
        AuthName "foo"
        AuthUserFile /usr/local/apache2/conf/passwords
        Require user bar
    </Directory>

    RewriteEngine On

    # Check for maintenance file and redirect all requests
    # ( this is for use with Capistrano's disable_web task )
    RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f
    RewriteCond %{SCRIPT_FILENAME} !maintenance.html
    RewriteRule ^.*$ /system/maintenance.html [L]

    # Redirect all non-static requests to cluster
    RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-f
    #RewriteCond %{REQUEST_FILENAME} !\.
    RewriteCond %{REQUEST_FILENAME} (^[^\.]*$)|(.format:js)
    RewriteRule ^/(.*)$ balancer://foo_cluster%{REQUEST_URI} [P,QSA,L]

    # Deflate
    AddOutputFilterByType DEFLATE text/html text/plain text/css
    # ... text/xml application/xml application/xhtml+xml text/javascript
    BrowserMatch ^Mozilla/4 gzip-only-text/html
    BrowserMatch ^Mozilla/4.0[678] no-gzip
    BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
</VirtualHost>

=== /usr/local/apache2/conf/passwords

passwords file is created:

# htpasswd -c /usr/local/apache2/conf/passwords bar

Add new user:

# htpasswd /usr/local/apache2/conf/passwords baz

--
Rafael Garcia Ortega

Thanks Rafael for your fast reply,

But I tried to apply that and I still have the problem. Here is my
situation.

----------------------------------------------------------------------
<Proxy *>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
    Order Allow,Deny
    Allow from all
    Deny from env=blockAccess
    AcceptPathInfo Off
    Satisfy Any
</Proxy>

<VirtualHost *:80>
    ServerName my.servername.com
    ..... # this virtual host doesn't have anymore authentication
    # and with mongrel_cluster ....
</VirtualHost>

<VirtualHost *:80>
    ServerName my.servername.com
    .....
    DocumentRoot /..../public/

    <Directory /..../public/ >
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order Allow,deny
        Allow from all
        Deny from env=blockAccess
        AuthType Basic
        AuthName "Version Foo"
        AuthUserFile "/mypath/to/.htpasswd"
        require valid-user
    </Directory>

    <Proxy balancer://my.server_cluster>
        BalancerMember http://localhost:4000
        AuthType Basic
        AuthName "Version Foo"
        AuthUserFile "/mypath/to/.htpasswd"
        require valid-user
    </Proxy>
    [.....]
</VirtualHost>
----------------------------------------------------------------------

Maybe that's due to my <proxy *> in front of it, no?

Antoine Antoine wrote:
> Maybe that's due to my <proxy *> in front of it no ?

It could be, because apache reads config files sequentially and maybe gives priority to proxy *, but I don't really know. Try commenting it out.

--
Rafael Garcia Ortega

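The scoping problem discussed in this thread, as an added example (not a config posted by any participant): `<Directory>` sections apply only to requests that map to files on disk, so this sketch puts the Basic auth directives in a `<Location "/">` section, which matches by URL and so covers static files and requests proxied to mongrel alike. It assumes Apache 2.2 syntax and reuses the original poster's paths and balancer name; the `Satisfy` comment relates to the `<Proxy *>` block quoted above.

```apache
<VirtualHost *:80>
    ServerName www.mysite.com
    DocumentRoot /www/mysite/current/public

    # Filesystem permissions only. Auth placed here would protect files
    # under public/ but not requests handed to the proxy.
    <Directory "/www/mysite/current/public">
        Options FollowSymLinks
        AllowOverride AuthConfig Limit
        Order allow,deny
        Allow from all
    </Directory>

    # URL-space auth: matches every request path, whether it ends up
    # served from disk or proxied to the mongrel cluster.
    <Location "/">
        AuthType Basic
        AuthName "Restricted"
        AuthBasicProvider file
        AuthUserFile /www/mysite/users/userdb
        Require valid-user

        # Satisfy All is the 2.2 default: the host check AND valid
        # credentials are both required. It is stated explicitly because
        # "Satisfy Any" together with "Allow from all" lets a request
        # through on the host check alone, with no password.
        Order allow,deny
        Allow from all
        Satisfy All
    </Location>

    RewriteEngine On

    # Redirect all non-static requests to cluster
    RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-f
    RewriteRule ^/(.*)$ balancer://mongrel_cluster%{REQUEST_URI} [P,QSA,L]

    <Proxy balancer://mongrel_cluster>
        BalancerMember http://127.0.0.1:8000
        BalancerMember http://127.0.0.1:8001
        BalancerMember http://127.0.0.1:8002
    </Proxy>
</VirtualHost>
```

After a reload, an unauthenticated request for a Rails-generated URL and one for a static file such as a stylesheet should both come back as 401.
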
Please try using the following in your apache httpd.conf file.

ProxyPass / balancer://balancer-manager/
ProxyPassReverse / balancer://balancer-manager/
ProxyPass images balancer://balancer-manager/images
ProxyPass javascripts balancer://balancer-manager/javascripts
ProxyPass stylesheets balancer://balancer-manager/stylesheets

in virtualhost block.