Apache, Mongrel, Authentication

A question about mongrel, apache and authentication.

I’ve got a Rails site with, I think, a very typical setup: a mongrel
cluster behind an Apache proxy. So Apache’s handling the static stuff
and it hands off dynamic content to mongrel. I want to put the site
temporarily behind Apache’s basic authentication. What I get when I
do this is a password prompt which prevents all of the images,
stylesheets and other static files from being loaded unless
authentication passes, but anything mongrel handles is not.
Specifically, a user can just keep hitting “Cancel” at the
browser-generated password prompt and he/she will see the Rails-generated
content without ever entering any credentials. No styling
and no images, but they do see content. How can I fix it? Mongrel
does not seem to be honoring the authentication (and frankly, I don’t
know if it can). Here’s my Apache config:

<VirtualHost *:80>
  ServerAdmin [email protected]
  DocumentRoot /www/mysite/current/public
  ServerName www.mysite.com
  ErrorLog /www/mysite/logs/mysite.error.log
  CustomLog /www/mysite/logs/mysite.access.log combined

  <Directory "/www/mysite/current/public">
    Options FollowSymLinks
    AllowOverride AuthConfig Limit
    Order allow,deny
    Allow from all

    AuthType Basic
    AuthName "Restricted"
    AuthBasicProvider file
    AuthUserFile /www/mysite/users/userdb
    Require valid-user
  </Directory>

  RewriteEngine On

  # Check for maintenance file and redirect all requests
  # ( this is for use with Capistrano’s disable_web task )
  RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f
  RewriteCond %{SCRIPT_FILENAME} !maintenance.html
  RewriteRule ^.*$ /system/maintenance.html [L]

  # Rewrite index to check for static
  RewriteRule ^/$ /index.html [QSA]

  # Rewrite to check for Rails cached page
  RewriteRule ^([^.]+)$ $1.html [QSA]

  # Redirect all non-static requests to cluster
  RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
  RewriteRule ^/(.*)$ balancer://mongrel_cluster%{REQUEST_URI} [P,QSA,L]

  # Deflate
  AddOutputFilterByType DEFLATE text/html text/plain text/css
  # … text/xml application/xml application/xhtml+xml text/javascript
  BrowserMatch ^Mozilla/4 gzip-only-text/html
  BrowserMatch ^Mozilla/4\.0[678] no-gzip
  BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
</VirtualHost>

<Proxy balancer://mongrel_cluster>
  BalancerMember http://127.0.0.1:8000
  BalancerMember http://127.0.0.1:8001
  BalancerMember http://127.0.0.1:8002
</Proxy>

You need to put the password directives in the proxy balancer:

<Proxy balancer://mongrel_cluster>
  BalancerMember http://127.0.0.1:8000
  BalancerMember http://127.0.0.1:8001
  BalancerMember http://127.0.0.1:8002
  AuthType Basic
  AuthName "Restricted"
  AuthBasicProvider file
  AuthUserFile /www/mysite/users/userdb
  Require valid-user
</Proxy>

Regards

Sean B. wrote:

Hello Sean,

Did this solution in the proxy balancer posted by rafael work for you?
Because it seems that, applying that, I have no authentication anymore.

Did you find any solution for this problem?

Regards,

Antoine

Antoine Antoine wrote:

Hi Antoine,

When you want to protect an application with basic authentication you
need to protect the static content (served by Apache) and the dynamic
content (served by mongrel).

A complete example:

==== foo.conf (vhost config file)

<Proxy balancer://foo_cluster>
  BalancerMember http://127.0.0.1:8008
  AuthType Basic
  AuthName "foo authentication"
  AuthUserFile /usr/local/apache2/conf/passwords
  Require user bar
</Proxy>

<VirtualHost *:80>
  ServerName foo.com
  ServerAlias *.foo.com

  DocumentRoot /home/foo/current/public
  <Directory "/home/foo/current/public">
    Options FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
    AuthType Basic
    AuthName "foo"
    AuthUserFile /usr/local/apache2/conf/passwords
    Require user bar
  </Directory>

  RewriteEngine On

  # Check for maintenance file and redirect all requests
  # ( this is for use with Capistrano’s disable_web task )
  RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f
  RewriteCond %{SCRIPT_FILENAME} !maintenance.html
  RewriteRule ^.*$ /system/maintenance.html [L]

  # Redirect all non-static requests to cluster
  RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-f
  #RewriteCond %{REQUEST_FILENAME} !.*
  RewriteCond %{REQUEST_FILENAME} (^[^.]*$)|(.*format:js)
  RewriteRule ^/(.*)$ balancer://foo_cluster%{REQUEST_URI} [P,QSA,L]

  # Deflate
  AddOutputFilterByType DEFLATE text/html text/plain text/css
  # … text/xml application/xml application/xhtml+xml text/javascript
  BrowserMatch ^Mozilla/4 gzip-only-text/html
  BrowserMatch ^Mozilla/4\.0[678] no-gzip
  BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
</VirtualHost>

=== /usr/local/apache2/conf/passwords
passwords file is created:

# htpasswd -c /usr/local/apache2/conf/passwords bar

Add new user:

# htpasswd /usr/local/apache2/conf/passwords baz

Antoine Antoine wrote:

Maybe that’s due to my <Proxy *> in front of it, no?

It could be, because Apache reads config files sequentially and maybe gives
priority to Proxy *, but I don’t really know.

Try commenting it out.

Thanks rafael for your fast reply,

But I tried to apply that and I still have the problem. Here is my
situation.


<Proxy *>
  Options Indexes FollowSymLinks MultiViews
  AllowOverride All
  Order Allow,Deny
  Allow from all
  Deny from env=blockAccess
  AcceptPathInfo Off
  Satisfy Any
</Proxy>

<VirtualHost *:80>
  ServerName my.servername.com
  … # this virtual host doesn’t have anymore authentication
</VirtualHost>

and with mongrel_cluster …

<VirtualHost *:80>
  ServerName my.servername.com

  DocumentRoot /…/public/

  <Directory /…/public/ >
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
    Order Allow,deny
    Allow from all
    Deny from env=blockAccess
    AuthType Basic
    AuthName "Version Foo"
    AuthUserFile "/mypath/to/.htpasswd"
    require valid-user
  </Directory>

  <Proxy balancer://my.server_cluster>
    BalancerMember http://localhost:4000
    AuthType Basic
    AuthName "Version Foo"
    AuthUserFile "/mypath/to/.htpasswd"
    require valid-user
  </Proxy>

  […]
</VirtualHost>

Maybe that’s due to my <Proxy *> in front of it, no?

Please try using the following in your apache httpd.conf file.

ProxyPass / balancer://balancer-manager/
ProxyPassReverse / balancer://balancer-manager/
ProxyPass images balancer://balancer-manager/images
ProxyPass javascripts balancer://balancer-manager/javascripts
ProxyPass stylesheets balancer://balancer-manager/stylesheets

in virtualhost block.
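
An added example, not from any poster in the thread: one way to cover both static and proxied requests in a single place is a `<Location />` block, which is matched on the URL rather than on the filesystem path that `<Directory>` needs. It reuses the names and paths from the foo.conf post in Apache 2.2 syntax and sets `Satisfy All` explicitly, because a `Satisfy Any` inherited from a section such as `<Proxy *>`, together with `Allow from all`, makes the password optional.

```apache
# Added example (Apache 2.2 syntax, as used in the thread). Names and paths
# are taken from the foo.conf post; adapt them to your own site.
<Proxy balancer://foo_cluster>
  BalancerMember http://127.0.0.1:8008
</Proxy>

<VirtualHost *:80>
  ServerName foo.com
  DocumentRoot /home/foo/current/public

  # <Directory> only applies to requests that map to the filesystem, so a
  # request rewritten with [P] to the balancer never passes through it.
  <Directory "/home/foo/current/public">
    Options FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
  </Directory>

  # <Location /> is matched on the URL path, so it covers static files
  # and proxied requests alike.
  <Location />
    AuthType Basic
    AuthName "foo"
    AuthBasicProvider file
    AuthUserFile /usr/local/apache2/conf/passwords
    Require valid-user
    # Require host access AND valid credentials; this overrides a
    # "Satisfy Any" merged in from an earlier section.
    Satisfy All
  </Location>

  RewriteEngine On
  # Redirect all non-static requests to cluster
  RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-f
  RewriteRule ^/(.*)$ balancer://foo_cluster%{REQUEST_URI} [P,QSA,L]
</VirtualHost>
```

After a reload, a request without credentials should return 401 for both a static file and a Rails route.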