Is it possible to have an unauthenticated Rails page

[Mark Young]

Hi,

Apologies if this is the wrong place to ask but my research has failed to find a good place for this question.

I have a production Rails application running under Phusion Passenger v5.0.7. In Apache v2.2 I have a Directory stanza ensuring that only users on the corporate LDAP server can be served an application page, e.g.

        <Directory /home/rails/public>

        ...snip...

        AuthType Basic

        AuthBasicProvider ldap

        ...snip...

            <IfModule mod_authnz_ldap.c>

                AuthLDAPURL "ldaps://mycompany.ldap.com/ou=ou,o=o?mail?sub?(objectclass=person)" TLS

                AuthzLDAPAuthoritative off

                AuthLDAPRemoteUserIsDN off

                require valid-user

                ...snip...

            </IfModule>

        </Directory>

So folks who are authenticated can use the application on https://mycompany.project.com/menu

This is all fine. Along comes a new requirement to be able to monitor whether the Rails application is working fully. I'm told the monitoring application is not smart enough to authenticate itself (that's another battle). The approach I'd like to explore is whether it is possible to setup an unauthenticated page within the application that is served by Rails, such that the act of serving it and it producing the expected contents is a good indicator to the monitoring application that Apache, Rails and it's Database are all functioning.

I've experimented with creating a Directory stanza <Directory /home/rails/public/monitor> and using "require user unknown" as a test to see if it blocked me and it doesn't. This is where I think there's an interaction with Phusion Passenger that means this Directory stanza is not being honoured. If I instead create a nested pair of Directory stanzas outside of Rails this works, e.g.

        <Directory /only_known_users>

                ...snip...

                require valid-user

                ...snip...

and

        <Directory /only_known_users/test>

                ...snip...

                require user unknown

                ...snip...

Now I can visit https://mycompany.project.com/only_known_users but I'm unable to visit https://mycompany.project.com/only_known_users/test

I'd appreciate any help to discover whether this approach is possible?

Cheers,

Mark

[Daniel Knoppel]

A more standard approach would seem to me to just exclude a (monitoring) subdir from the authentication requirement.

With LDAP that seems to be possible: http://qnalist.com/questions/1043079/users-httpd-exclude-subdirectory-from-ldap-authentication

- Daniel

[Mark Young]

Thanks Daniel. Sorry for the ridiculously late reply.