Re: [dancer-users] Apache environment in FCGI app
I didn't get any responses here or on IRC so I'm posting the solution I went with to get it archived.
Keith Lawson 11/29/13 10:22 AM >>>
Hello,
I'm working on my first Dancer application and want to deploy it in our standard server environment here.
For authentication/authz we have custom mod_perl auth handlers that set Apache environment variables with user ID, group membership etc.

I'm trying to write an implementation of Dancer::Plugin::Auth::Extensible::Provider that does auth/authz by reading those environment variables however %ENV isn't populated in my Dancer app. Looking at the source of public/dispatch.fcgi I noticed the following:

    # For some reason Apache SetEnv directives dont propagate
    # correctly to the dispatchers, so forcing PSGI and env here
    # is safer.
    set apphandler => 'PSGI';
    set environment => 'production';
Can anyone tell me if it's possible to get %ENV through to my Dancer app or perhaps a different approach for auth/authz that uses $ENV{REMOTE_USER} and our custom Apache environment variables?
I never did get FCGI to work so I tried regular CGI, here's my apache config for my app:

    SetEnv DANCER_ENVIRONMENT "development"

    <Directory "/var/dancerdev/filesafe">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
        AddHandler cgi-script .cgi
    </Directory>

    ScriptAlias /filesafe /var/dancerdev/filesafe/public/dispatch.cgi

This works but I had to comment out where %ENV keys were explicitly set in dispatch.cgi so that the Apache conf directives for dev/prod environment worked properly:

--- dispatch.cgi.dist 2013-12-05 09:21:35.917592251 -0500 +++ dispatch.cgi 2013-12-05 09:20:06.912736198 -0500 @@ -6,8 +6,8 @@ # For some reason Apache SetEnv directives dont propagate # correctly to the dispatchers, so forcing PSGI and env here # is safer. -set apphandler => 'PSGI'; -set environment => 'production'; +# set apphandler => 'PSGI'; +# set environment => 'production'; my $psgi = path($RealBin, '..', 'bin', 'app.pl'); die "Unable to read startup script: $psgi" unless -r $psgi;

My first crack at doing Dancer auth/authz was to write a provider for Dancer::Plugin::Auth::Extensible with subs that rely on %ENV like this:

    sub authenticate_user {
        my ($self, $username, $password) = @_;
        return $ENV{REMOTE_USER};
    }

However I couldn't figure out why $ENV{REMOTE_USER} wasn't getting to the plugin so I gave up.

I just ended up protecting portions of my new app with a <Location> stanza using our Apache2::AuthCookie auth handlers:

    <Location /filesafe/priv>
        order allow,deny
        allow from all
        AuthType Site::LDAPCookieHandler2
        AuthName dancerdev
        PerlAuthenHandler Site::LDAPCookieHandler2->authenticate
        PerlAuthzHandler Site::LDAPCookieHandler2->authorize
        require valid-user
        satisfy all
    </Location>

Then in my dancer app I protect portions like this:

    get '/priv/hello' => sub {
        die unless $ENV{REMOTE_USER};
        return "Hi there ".$ENV{REMOTE_USER};
    };

This won't solve authorization for me but I won't have a need for this in this app.
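Review bot: the two commented-out set lines in the dispatch.cgi hunk above drop the production default together with the override, so a vhost that lacks the SetEnv DANCER_ENVIRONMENT directive no longer gets 'production' from dispatch.cgi. A fallback such as set environment => $ENV{DANCER_ENVIRONMENT} || 'production'; would leave the Apache directive in control while still failing safe. The hunk also disables set apphandler => 'PSGI'; although the stated reason concerns only the dev/prod environment, and the comment above both lines ("so forcing PSGI and env here is safer") now describes code that no longer runs and should be updated or removed.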
Thanks, Keith.
-------------------------------------------------------------------------------- This information is directed in confidence solely to the person named above and may contain confidential and/or privileged material. This information may not otherwise be distributed, copied or disclosed. If you have received this e-mail in error, please notify the sender immediately via a return e-mail and destroy original message. Thank you for your cooperation.
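The REMOTE_USER check from the /priv/hello route above, written as a plain PSGI wrapper that reads the value from the per-request PSGI environment hash instead of the global %ENV and answers 403 instead of calling die. This is an added example, not code from the thread or from Dancer; require_remote_user, the username pattern and the sample request environments are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Usernames this example accepts from the front-end auth handler (assumed policy).
my $VALID_USER = qr/\A[A-Za-z0-9._-]{1,64}\z/;

# Wrap a PSGI app so it only runs when the server has set REMOTE_USER.
# Hypothetical helper; it reads the per-request PSGI env, not the global %ENV.
sub require_remote_user {
    my ($app) = @_;
    return sub {
        my ($env) = @_;
        my $user = $env->{REMOTE_USER};
        # Fail closed: a missing, empty or malformed identity gets a 403
        # response rather than the 500 that die would produce.
        unless (defined $user && $user =~ $VALID_USER) {
            return [ 403, [ 'Content-Type' => 'text/plain' ], ["Forbidden\n"] ];
        }
        return $app->($env);
    };
}

# Equivalent of the /priv/hello route from the thread, as a bare PSGI app.
my $hello = sub {
    my ($env) = @_;
    return [ 200, [ 'Content-Type' => 'text/plain' ],
             [ "Hi there $env->{REMOTE_USER}\n" ] ];
};

my $protected = require_remote_user($hello);

# Constructed request environments (sample data, not captured traffic).
my @cases = (
    [ 'auth handler set the user' => { PATH_INFO => '/priv/hello', REMOTE_USER => 'klawson' } ],
    [ 'variable never arrived'    => { PATH_INFO => '/priv/hello' } ],
    [ 'empty value'               => { PATH_INFO => '/priv/hello', REMOTE_USER => '' } ],
    [ 'markup in the value'       => { PATH_INFO => '/priv/hello', REMOTE_USER => '<b>x</b>' } ],
);

for my $case (@cases) {
    my ($label, $env) = @$case;
    my $res = $protected->($env);
    printf "%-28s -> %d %s", $label, $res->[0], $res->[2][0];
}
```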
Hi Keith,

Have you tried 'PerlSetupEnv On' in the apache conf? I couldn't get %ENV using Dancer2 in mod_perl until I set this.

I couldn't get CGI/FCGI to work properly with Dancer2 (they set up their own service on port 3000 instead of staying inside the CGI).

Regards,
Matt

On 6/12/2013 5:22 am, Keith Lawson wrote:
I didn't get any responses here or on IRC so I'm posting the solution I went with to get it archived.
Matt Mallard 12/05/13 3:45 PM >>>
Hi Keith,
Have you tried 'PerlSetupEnv On' in the apache conf? I couldn't get %ENV using Dancer2 in mod_perl until I set this.
I couldn't get CGI/FCGI to work properly with Dancer2 (they set up their own service on port 3000 instead of staying inside the CGI).
Actually I saw your thread earlier in the week about this so took a look at "PerlSetupEnv". Unless I'm mistaken that's a mod_perl directive and the way I have my app configured using CGI it won't make a difference. With my current configuration %ENV makes it to my dancer code, it's just not making it to my implementation of a Dancer::Plugin::Auth::Extensible provider intact. A dump shows a lot of %ENV keys get there but $ENV{REMOTE_USER} is gone for some reason and that's the key I rely on to ensure the Apache::AuthCookie authentication handlers have logged the user in.
_______________________________________________ dancer-users mailing list dancer-users@dancer.pm http://lists.preshweb.co.uk/mailman/listinfo/dancer-users
participants (2)
- Keith Lawson
- Matt Mallard