Rails app, REMOTE_USER attribute in IIS 8.5 with windows authentication - ruby-on-rails-4

I have set up an IIS 8.5 server that runs a Rails app using HttpPlatformHandler and Windows authentication. We have also tried using ARR as a reverse proxy with the same results.
This all works completely fine: users are authenticated using Kerberos, and anonymous authentication is disabled, no problem there.
We can deny specific users and see that it has effect.
The problem is that there is no REMOTE_USER or AUTH_USER attribute anywhere in the HTTP response headers. However, the HTTP_AUTHORIZATION header is set and is, e.g., "Negotiate YIIHJAYGKw....".
We haven't found a reasonable way to decode the HTTP_AUTHORIZATION header either.
Any form of help would be much appreciated.

To fix this, you need to install Helicon Tech's ISAPI_Rewrite 3 on the server running IIS. The download URL is here: ISAPI_Rewrite 3.
After that, navigate to the install folder; the default is C:\Program Files\Helicon\ISAPI_Rewrite3.
In there you will find a file called httpd.conf. Open it and add:
RewriteBase /
RewriteCond %{REQUEST_URI} ^/.*
RewriteHeader X-Remote-User: .* %{REMOTE_USER}
Now you will be able to get the remote username in your ruby code with:
request.env['HTTP_X_REMOTE_USER']
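
Added example, not part of the original answer: once identity arrives in a request header, the app should accept X-Remote-User only from the IIS proxy and never from a client that reaches the app port directly. This Rack middleware assumes IIS (HttpPlatformHandler or ARR) forwards from loopback on the same host; the class name and the `app.remote_user` env key are hypothetical.

```ruby
require 'ipaddr'

# Rack middleware: accept X-Remote-User only when the request comes from the
# local IIS proxy, and hand the app a parsed identity instead of the raw header.
class TrustedRemoteUser
  # Assumption: the proxy connects from loopback. Adjust if ARR runs elsewhere.
  TRUSTED_PROXIES = [IPAddr.new('127.0.0.0/8'), IPAddr.new('::1')].freeze
  HEADER = 'HTTP_X_REMOTE_USER'

  def initialize(app)
    @app = app
  end

  def call(env)
    raw = env.delete(HEADER) # the raw header never reaches the app
    user = from_trusted_proxy?(env) ? parse(raw) : nil
    return [401, { 'content-type' => 'text/plain' }, ["Unauthorized\n"]] unless user

    env['app.remote_user'] = user # hypothetical key read by controllers
    @app.call(env)
  end

  private

  def from_trusted_proxy?(env)
    addr = IPAddr.new(env['REMOTE_ADDR'].to_s)
    TRUSTED_PROXIES.any? { |net| net.include?(addr) }
  rescue ArgumentError # IPAddr errors are ArgumentError subclasses
    false
  end

  # Windows authentication reports "DOMAIN\user"; "user@REALM" is also accepted.
  # Anything else (empty, malformed, extra characters) yields nil.
  def parse(raw)
    case raw.to_s.strip
    when /\A([\w.-]+)\\([\w.$-]+)\z/ then { domain: $1.upcase, name: $2.downcase }
    when /\A([\w.$-]+)@([\w.-]+)\z/  then { domain: $2.upcase, name: $1.downcase }
    end
  end
end
```

In a Rails app this would be registered with `config.middleware.use TrustedRemoteUser`, and the app port should additionally be bound to localhost or firewalled so that only IIS can reach it.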

Related

Access django url without apache http basic authentication

I'm working on a Django 3.2 project which is hosted using Apache 2.4 server. The user authentication in this project is handled using HTTP Basic Authentication configured using LDAP.
I have implemented a sign up feature for new users. For that I have created the necessary form, view, template and url pattern in the Django project. The urlpattern to visit the sign up form is /signup.
My goal is to make the sign up urlpattern accessible to anyone i.e. prevent the Basic Authentication from showing when the sign up urlpattern is requested by user in the browser.
JFI, the Apache configuration is already complete and works.
To achieve this, I have used the "LocationMatch" directive in the Apache configuration within the VirtualHost directive:
...
<LocationMatch "^/signup$">
Require all granted
</LocationMatch>
...
With this the Basic Authentication is removed when /signup URI is requested, but the server always redirects to another url which ultimately requires authentication hence giving the basic auth pop-up.
$ curl -I https://*****.com/signup
HTTP/1.1 302 Found
...
I have tried to redirect the request explicitly to /signup whenever the URI is /signup. This ends up in an endless loop of redirections.
RewriteEngine on
...
RewriteRule ^/signup$ /signup [R=301,L]
I have also tried other ways by setting environment variables within the Apache configuration, I have restarted Apache whenever a change was made in the config, I have cleared the browser cache etc., but nothing seems to be working.
FYI, I can access the /signup url successfully after logging into the application which is not useful for me.
I'm afraid I cannot share the complete source (apache config, django source etc.) here as the project is not completely open source yet. But I'm sure your suggestions would surely help me in some way.
I want to fix the redirection. I have no clue what I'm missing out here.

IIS 7.5 : URL Rewrite extension is Installed, but not shown (even after reboot)

In IIS version 7.5.7600.16385, I'm trying to redirect requests for example.com/* to www.example.com/*.
For example, if requests come in like these:
http://example.com/ContactUS/
http://example.com/Donations/
I want IIS to redirect to these URLs:
http://www.example.com/ContactUS/
http://www.example.com/Donations/
So, as you can see, my goal is not to redirect all requests to the same static URL path. Instead, I'm trying to simply change the domain to the www subdomain while keeping the URL path intact for each redirect.
I've read articles that advise using an IIS extension called URL Rewrite.
However, when I try to install this extension the installer claims it is already installed, and even after a reboot, the URL Rewrite feature is not shown anywhere in IIS 7.5.7600.16385.
The only thing I can think of, that may be causing me not to see the URL Rewrite extension (in IIS), is that I do recall installing PHPManagerForIIS_V1.5.0.msi onto this same server several years ago. Maybe PHPManagerForIIS_V1.5.0 somehow overrides the URL Rewrite extension if you have it installed. I don't know.
Please advise if you know of a way I can accomplish my goal of dynamically redirecting all requests to their respective www canonical address, while keeping the URL path intact.

Deploy Django REST API to api.example.com: Apache 2.2, mod_wsgi and mod_rewrite

I have been searching for information on this topic for a couple days and I keep running into road blocks.
I have a Django web site and application running at www.example.com and I'm forcing HTTPS. It's deployed on Apache 2.2 with WSGI. This works fine and works for both example.com and www.example.com.
I also have a REST API (pip install djangorestframework) running at https://www.example.com/api/v1/. This also works fine.
I want to run the API from a subdomain https://api.example.com and keep this URL in the address bar. For example, to fetch JSON objects I might use something like this:
curl -X GET https://api.example.com/objects/ -H 'Authorization: Token xxx'
I can get this now by using this:
curl -X GET https://www.example.com/api/v1/objects/ -H 'Authorization: Token xxx'
I have a separate SSL certificate for this subdomain and this has been correctly configured.
I have tried many things in my Apache configuration to accomplish this but failed at every turn. I thought I could use mod_rewrite to silently fetch the content from https://www.example.com/api/v1/ while leaving https://api.example.com in the address bar. Is this possible? Here is what I've tried (in the sites-available virtual host file):
RewriteEngine on
RewriteCond %{HTTP_HOST} ^api.example.com [NC]
RewriteRule ^(.*)$ https://www.example.com/api/v1/$1 [L]
I have tried several variations of this idea to no avail. I played around with HTTPS on/off as well with no real benefit.
I read a couple places that using mod_proxy could accomplish this but when I went down this road, the API was available (after quite a bit of tweaking) at the desired URL (https://api.example.com) but none of my static content was there and when I clicked on a relative link in the Django REST Framework UI, I'd get 404s because it was looking at:
https://api.example.com/api/v1/
which Django complained about: /api/v1/api/v1/
I guess all I'm trying to do is make https://api.example.com the base URL for the API as if it were https://www.example.com/api/v1/.
Duplicate that led to the discovery of the django-hosts package:
Django subdomain configuration for API endpoints
I have been playing around with this and it shows promise, although I haven't "solved" my problem yet. I plan to edit this answer once I get more information to share. In the meantime, if anyone has used django-hosts to approach my original question, please add your answers here or at least make some comments!

Running the django admin over https using apache2

I have a django web application that's running on apache 2.2.14 and I want to run the admin application over https.
Having read considerable discussions on using a proxy, writing middleware, running alternative wsgi scripts, the chaps in #httpd came to my rescue. The solution is so simple, I was surprised I didn't find it online, so I'm curious to see if I've made some glaring assumptions or errors.
One complication was that I also wanted to run one of my django apps in the site over https, that is everything on /checkout.
Essentially, if a user requests a URI starting with /admin or /checkout on http, they are to be redirected to that URI but on https. Conversely, if a user requests a URI that does not start with /admin or /checkout on https, they are to be redirected to that URI but on http.
The key to solving this problem was to use Redirect and RedirectMatch directives in my VirtualHost configuration.
<VirtualHost *:80>
... host config stuff ...
Redirect /admin https://www.mywebsite.com/admin
Redirect /checkout https://www.mywebsite.com/checkout
</VirtualHost>
<VirtualHost *:443>
... ssl host config stuff ...
RedirectMatch ^(/(?!admin|checkout).*) http://www.mywebsite.com$1
</VirtualHost>
Another approach is to use the @secure_required decorator. This will automatically rewrite the requested URL and redirect to the https://... version of the URL. Then you don't have to have Redirect in the *:80 configuration. The *:443 configuration may still be required for performance purposes if you want other traffic to go through normal http traffic.
I tried your solution, but ran into several problems. First, the formatting on the admin site disappeared, as if it could not find the admin static files. Second, if I tried to reach the non-admin site through https, the browser would not find it and redirect me to Yahoo search. Oddly, if I edited the yahoo search URL to eliminate all text except my correct URL (minus the http://), it would continue to search through yahoo for my site. However, typing the exact same URL afresh sent me to my site.
I solved all of these issues by simply removing the
RedirectMatch ^(/(?!admin|checkout).*) http://www.mywebsite.com$1
directive.
I should mention that I don't have a /checkout section on my site and am only trying to secure /admin. ... and yes, I did substitute my URL for "mywebsite.com"
What you described should work, but there may be a problem in the future if you need to make changes to which paths are/are not HTTPS. Because this method requires the ability to correctly modify the Apache config file it means you do not want novices in the loop. Screw up the config file and your site can go 500-error in the blink of an eye.
We chose to have a simple text file that had a list of the must-be-HTTPS paths. Anyone on the project can edit it and it is checked for correctness when it is loaded. We handle any needed redirects to/from HTTPS in middleware and it seems to work just fine. This method will also work if you are running anything other than Apache.

Coldfusion 8: Firefox can't establish a connection to the server at 127.0.0.1:8500

I installed Coldfusion 8 trial version on my system (XP Professional sp3).
I created a folder in “C:/Coldfusion8/wwwroot” called “buildProject” containing an Index.cfm and some other .cfm files.
But I am unable to access either my project files or CFIDE/Administrator.
I tried the following URLs:
http://localhost:8500/wwwroot/buildProject/
http://localhost:8500/CFIDE/administrator/index.cfm
http:// 127.0.0.1:8500/wwwroot/buildProject/
http:// 127.0.0.1:8500/CFIDE/administrator/index.cfm
http://localhost /wwwroot/buildProject/index.cfm
http://localhost /CFIDE/administrator/index.cfm
http://localhost /wwwroot/buildProject/
http://localhost /CFIDE/administrator/index.cfm
Firefox can't establish a connection to the server at 127.0.0.1:8500.
* The site could be temporarily unavailable or too busy. Try again in a few
moments.
* If you are unable to load any pages, check your computer's network
connection.
* If your computer or network is protected by a firewall or proxy, make sure
that Firefox is permitted to access the Web.
• I cleared the browsing “History” from both IE and FF.
• I have restarted the CF server in the Control Panel >Administrative Tools > Services
• Even restarted the IIS
Getting the same error.
Further, I was trying to access IE/FF via CFBuilder, but I am still getting the error
“The connection was refused when attempting to contact [URL].”
If you connected Coldfusion to IIS, then you probably need to connect on port 80. Which you did try, but if you connected Coldfusion to IIS, then the document root is IIS's document root, not the document root you created your new directory in.
I believe the document root for IIS on XP is c:\inetpub\wwwroot.
So, try putting a test.cfm file in there that just contains "hello world" or something, and see if you can request it from there.
Hopefully you installed IIS first and were happy it was working before installing CF.
Try connecting to your IIS on http://localhost
You should get the default IIS .htm landing page, probably index.html or something, so at least you know IIS is working fine.
If you then try http://localhost/nosuchpage.htm you will see a 403 error (as long as you didn't specify to allow directory browsing). In the standard IIS error page you should be able to see
Physical Path D:\inetpub\wwwroot
or wherever IIS thinks your web root is. When you then install CF to use IIS (rather than standalone) it will use this path as your web root.
Rename your index.html file as index.cfm and connect to it on
http://localhost:8500/index.cfm
If vanilla HTML pages are working from the directory but .cfm pages are not, then you probably need a CFIDE mapping (I think one quick workaround is simply to copy your CFIDE folder and drop it into the web root).
What happens if you try typing this in as a url:
http://{your i.p. address}:8500/CFIDE/administrator/index.cfm
I bet it works