Ralf Vitasek
2006-Dec-13 17:38 UTC
finally solved: Windows Auth via IIS6 proxied to mongrel
after struggling for quite a while i finally solved my problem to use windows authentication in my rails app. maybe some of you are trying to achieve the same and documentation about this is quite hard to find so i thought it''s a good idea to share this here... after i stopped trying to run my rails app directly on IIS (which never REALLY worked) i tried the commercial ISAPI_Rewrite from helicon with a RewriteProxy rule and my app running on mongrel with the "reverse_proxy_fix" plugin. after installing the ISAPI_Rewrite filter on the windows server you need to -> run "proxycfg.vbs -r" inside the installation folder "C:\Program Files\Helicon\ISAPI_Rewrite" -> edit the httpd.ini there and add a rewriteproxy rule like RewriteProxy /test(.*) http\://the_host_where_mongrel_runs:3000/$1 [I,U,D,A] -> enable windows authentication in IIS and restart IIS (iisreset) -> install the revers proxy fix via: ruby script/plugin install http://svn.napcsweb.com/public/reverse_proxy_fix and enter the url where you want to run the app (e.g. http://domain/test) -> fire up mongrel -> let IIS do the auth and harvest the name of the authenticated user via request.env[''HTTP_X_ISRW_PROXY_AUTH_USER''] and do some authorizations or deny access as you like -> be happy (at least i am now!!!) i hope this is of help to someone regards neongrau -- Posted via http://www.ruby-forum.com/. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
Jodi Showers
2006-Dec-13 17:49 UTC
Re: [FAQ] finally solved: Windows Auth via IIS6 proxied to mongrel
Looks like a great FAQ addition! On 13-Dec-06, at 12:38 PM, Ralf Vitasek wrote:> > after struggling for quite a while i finally solved my problem to use > windows authentication in my rails app. > > maybe some of you are trying to achieve the same and documentation > about > this is quite hard to find so i thought it''s a good idea to share this > here... > > after i stopped trying to run my rails app directly on IIS (which > never > REALLY worked) i tried the commercial ISAPI_Rewrite from helicon > with a > RewriteProxy rule and my app running on mongrel with the > "reverse_proxy_fix" plugin. > > after installing the ISAPI_Rewrite filter on the windows server you > need > to > > -> run "proxycfg.vbs -r" inside the installation folder "C:\Program > Files\Helicon\ISAPI_Rewrite" > > -> edit the httpd.ini there and add a rewriteproxy rule like > RewriteProxy /test(.*) http\://the_host_where_mongrel_runs:3000/$1 > [I,U,D,A] > > -> enable windows authentication in IIS and restart IIS (iisreset) > > -> install the revers proxy fix via: > ruby script/plugin install > http://svn.napcsweb.com/public/reverse_proxy_fix > and enter the url where you want to run the app (e.g. > http://domain/test) > > -> fire up mongrel > > -> let IIS do the auth and harvest the name of the authenticated user > via request.env[''HTTP_X_ISRW_PROXY_AUTH_USER''] and do some > authorizations or deny access as you like > > -> be happy (at least i am now!!!) > > i hope this is of help to someone > > regards > neongrau > > -- > Posted via http://www.ruby-forum.com/. > > >--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
matt mcknight
2006-Dec-15 22:03 UTC
Re: finally solved: Windows Auth via IIS6 proxied to mongrel
Okay...now do you have a set of rewrite rules for all of the non rails generated links (such as straight javascript code) that the reverse_proxy_fix plugin doesn''t handle? I''ll give you $100 for them! We messed around with the IIS reverse proxy from salty pickle, but there were some errors in its rewrite rules that I didn''t feel like debugging today. It looks like you could add one line of code to their logic in creating the proxy request to put the auth_user in the HTTP headers. I would caution anyone doing this, or any other reverse proxy solution, to make sure that they don''t allow their mongrels to accept connections from anything other than IIS. The HTTP header is rather easily faked. On Dec 13, 12:38 pm, Ralf Vitasek <rails-mailing-l...-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:> after struggling for quite a while i finally solved my problem to use > windows authentication in my rails app. > > maybe some of you are trying to achieve the same and documentation about > this is quite hard to find so i thought it''s a good idea to share this > here... > > after i stopped trying to run my rails app directly onIIS(which never > REALLY worked) i tried the commercial ISAPI_Rewrite from helicon with a > RewriteProxy rule and my app running on mongrel with the > "reverse_proxy_fix" plugin. > > after installing the ISAPI_Rewrite filter on the windows server you need > to > > -> run "proxycfg.vbs -r" inside the installation folder "C:\Program > Files\Helicon\ISAPI_Rewrite" > > -> edit the httpd.ini there and add a rewriteproxy rule like > RewriteProxy /test(.*) http\://the_host_where_mongrel_runs:3000/$1 > [I,U,D,A] > > -> enable windows authentication inIISand restartIIS(iisreset) > > -> install the revers proxy fix via: > ruby script/plugin installhttp://svn.napcsweb.com/public/reverse_proxy_fix > and enter the url where you want to run the app (e.g.http://domain/test) > > -> fire up mongrel > > -> letIISdo the auth and harvest the name of the authenticated user > via request.env[''HTTP_X_ISRW_PROXY_AUTH_USER''] and do some > authorizations or deny access as you like > > -> be happy (at least i am now!!!) > > i hope this is of help to someone > > regards > neongrau > > -- > Posted viahttp://www.ruby-forum.com/.--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
Ralf Vitasek
2006-Dec-16 11:33 UTC
Re: finally solved: Windows Auth via IIS6 proxied to mongrel
matt mcknight wrote:> Okay...now do you have a set of rewrite rules for all of the non rails > generated links (such as straight javascript code) that the > reverse_proxy_fix plugin doesn''t handle? I''ll give you $100 for them!hmm i don''t have any such rules, all i needed was a RewriteCond to distinguish the hostname where rails app runs from the other sites on IIS and a single RewriteProxy rule. since i don''t have static/absolute pathes in any of my javascript code everything just works. can you give an example how those links look like that don''t work when proxied?> We messed around with the IIS reverse proxy from salty pickle, but > there were some errors in its rewrite rules that I didn''t feel like > debugging today. It looks like you could add one line of code to their > logic in creating the proxy request to put the auth_user in the HTTP > headers.haven''t seen or tried that saltypickle tool, as i stated i used the commercial one from helicontech (so far just the 30 day trial) but the prices for the full version are ok imho. -- Posted via http://www.ruby-forum.com/. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
matt mcknight
2006-Dec-18 05:02 UTC
Re: finally solved: Windows Auth via IIS6 proxied to mongrel
Ralf Vitasek wrote:> can you give an example how those links look like that don''t work when > proxied?Ha- I was so deep in the problem that I forgot what I was doing with root paths. I had some links in the that begin with a "/", and they weren''t getting rewritten. Of course they all work perfectly with Apache mod_proxy, so I just assumed it was a problem with the ISAPI_Rewrite thing and I''d have to go and try to recreate some of those rewrite rules from Apache. The obvious workaround is to use the "../../" style links in the app, although those can be tricky if you attempt re-use the code in things that live at different virtual directory depths. Small price to pay for getting that request property populated. Thanks again for your post! Matt --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
Brian Hogan
2007-Feb-02 03:33 UTC
Re: finally solved: Windows Auth via IIS6 proxied to mongrel
Matt: If you use my reverse_proxy_fix plugin and make sure all your URLS in Rails use the built-in helpers, links work fine. Avoid doing any hard-coded paths (javascript_include_tag, link_to, stylesheet_link_tag) and my plugin will take care of directing traffic back around. The main reason I wrote the plugin was to prevent the backend server from being exposed. to the user (the frontend server name and port are prefixed to all requests from the user side). On 12/17/06, matt mcknight <matt.mcknight-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:> > > > Ralf Vitasek wrote: > > can you give an example how those links look like that don''t work when > > proxied? > > Ha- I was so deep in the problem that I forgot what I was doing with > root paths. I had some links in the that begin with a "/", and they > weren''t getting rewritten. Of course they all work perfectly with > Apache mod_proxy, so I just assumed it was a problem with the > ISAPI_Rewrite thing and I''d have to go and try to recreate some of > those rewrite rules from Apache. The obvious workaround is to use the > "../../" style links in the app, although those can be tricky if you > attempt re-use the code in things that live at different virtual > directory depths. Small price to pay for getting that request property > populated. > > Thanks again for your post! > > Matt > > > > >--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---