mod_ntlm authentication not working for sub-location

68 views
Skip to first unread message

Raimonds Simanovskis

unread,
Dec 5, 2008, 1:07:18 PM12/5/08
to Phusion Passenger Discussions
I am using Apache with patched mod_ntlm (see
http://blog.rayapps.com/2008/12/02/ntlm-windows-domain-authentication-for-rails-application/)
which does NTLM Windows authentication just for one particular
location /winlogin.

<Location /winlogin>
AuthName "My Application"
AuthType NTLM
NTLMAuth on
NTLMAuthoritative on
NTLMDomain domain.com
NTLMServer dc01.domain.com
NTLMBackup dc02.domain.com
require valid-user
</Location>

Currently I am using Apache as proxy server before Mongrel cluster and
NTLM authentication is done just for /winlogin request.

I wanted to try to re-configure my application to use Passenger (tried
the latest version 2.0.5). The problem is that after adding Passenger
my NTLM authentication is not working anymore - /winlogin request is
passed directly to Rails application.

When I tried to specify NTLM authentication for all requests:
<Location />
# the same as above ...
</Location>

then mod_ntlm was used to do NTLM authentication and just after that
request was passed to Rails.

Is it so that Passenger supports Apache module authentication just for
root (/) location and cannot support Apache module authentication for
sub-locations (like /winlogin in my case)?

Kind regards,
Raimonds

Raimonds Simanovskis

unread,
Dec 12, 2008, 10:36:55 AM12/12/08
to Phusion Passenger Discussions
I found the following workaround for this sub-location authentication
issue - I set up additional Apache listener on port 80 in reverse
proxy mode before my Passenger enabled Apache on different port. Of
course it results in some additional overhead as all requests are
going through two Apache listeners but probably this overhead is not
relevant compared to Rails request processing total time.

Does anybody have any better suggestion?

The resulting virtual hosts configuration file looks like this:
----------
RailsAutoDetect off

<VirtualHost *:80>
DocumentRoot ".../myapplication/public"

RewriteEngine On

# Don't do forward proxying
ProxyRequests Off

# Enable reverse proxying
<Proxy *>
Order deny,allow
Allow from all
</Proxy>

# NTLM authentication
<Location /winlogin>
AuthName "My Application"
AuthType NTLM
NTLMAuth on
NTLMAuthoritative on
NTLMDomain domain.com
NTLMServer dc01.domain.com
NTLMBackup dc02.domain.com
require valid-user
</Location>
# Pass domain user in header
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]
RequestHeader add X-Forwarded-User %{RU}e

# Redirect all non-static requests to haproxy
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
# the P option to the last rule replaces the ProxyPass and
ProxyPassReverse directives.
RewriteRule ^/(.*)$ http://127.0.0.1:8100%{REQUEST_URI} [L,P,QSA]

</VirtualHost>

Listen 127.0.0.1:8100
<VirtualHost 127.0.0.1:8100>
DocumentRoot ".../myapplication/public"

RailsBaseURI /
RailsEnv production

</VirtualHost>
----------


Kind regards,
Raimonds

On Dec 5, 8:07 pm, Raimonds Simanovskis
<raimonds.simanovs...@gmail.com> wrote:
> I am using Apache with patched mod_ntlm (seehttp://blog.rayapps.com/2008/12/02/ntlm-windows-domain-authentication...)
Reply all
Reply to author
Forward
0 new messages