Thin over HTTP and REMOTE_USER/AUTH_USER

[beau Profile]

Is there anyway to get IIS to set REMOTE_USER or AUTH_USER when using helicon zoo to serve rails apps using thin over http?.

With windows authentication enabled the "HTTP_AUTHORIZATION"=>"Negotiate " header is passed through to thin. It looks like thin is running behind a proxy in this configuration, so it would be impossible to have thin actually use that information.

It would be great if IIS/the thin task could set either REMOTE_USER or AUTH_USER for the rails app. Thus allowing me to have IIS authenticate the user, rather than doing this inside the rails app.

[HeliconAndrew]

hello,

That's for the idea! In the mean time you ,ay try using RewriteHeader from Ape or ISAPI_rewrite instead.

Regards
Andrew

[beau Profile]

Thanks for your response andrew.

How would I accomplish this?. From what I can glean helicon zoo is reverse proxying the rails requests to an instance of thin it spins up on its own.

I'm using the web.config obtained from the helicon zoo page, but obviously running the handler for "Ruby 1.9 over HTTP, using thin as a back-end application server".

I've got the feeling this handler is doing url-rewritey things on it's own, would I be able to add the entry in the sites web.config file?

[HeliconAndrew]

This issue can not be done in web.config solely. You need either ISAPI_Rewrite or Ape. Although we're going to make this possible for Zoo in the nearest future(couple weeks).

Currently you may use either Ape or ISAPI_Rewrite and see the following documentation in ISAPI_rewrite or Ape regarding the syntax of RewriteHeader directive.


Regards
Andrew

[beau Profile]

All these variables are now set in the latest version of Zoo!

Absolutely fantastic!. I can now get the users name from rails!, (and no doubt this applies to any other frameworks you want to run behind IIS!)

[HeliconAndrew]

Yes, the variables are set now. In case there're any issues keep us posted, we'll be happy to assist.

Regards
Andrew

[johnjeni33 Profile]

I was not able to get the user name passed from cosign to any services running with mod_proxy. Specifically I was testing on a rails app running on Thin and when dumping the environment variables nothing containing the user was present.However I'd found this module this module which did make all of this work (mod-proxy-add-user). [1] It describes the header for REMOTE_USER not being set in the right phase. I didn't know what this meant, but it got it all to work. Would be nice to not need this extra module.

[pocams Profile]

I'm trying to use this functionality with Python and WSGI under Server 2008, but I'm seeing the same thing beau was - no REMOTE_USER in the environment and a long Authorization: Negotiate header. The authentication does seem to be working on the IIS side. Is there a setting I have to change?

Thanks,
Mark

[stinklyonion Profile]

All these variables are now set in the latest version of Zoo!

Absolutely fantastic!. I can now get the users name from rails!, (and no doubt this applies to any other frameworks you want to run behind IIS!)

Absolutely right. Haven't got any problems getting users name from the rails.