How to deploy multiple Rack / Sinatra applications using Passenger (on Apache) with basic HTTP authentication?

The problem here involves multiple instances of the same Sinatra (Rack) application deployed under Passenger + Apache on different subsets of URIs, each protected with basic HTTP authentication to prevent unwanted access:

I have 4 instances of a Sinatra application deployed in my domain, like:

  • example.com/private/foo
  • example.com/private/moo
  • ...
  • ...

Access to all of them is protected by basic HTTP authentication using the Rack::Auth::Basic middleware. config.ru for all of them is as follows:

    # ...
    users = {'user' => 'password'}
    use Rack::Auth::Basic, 'realm' do |username, password|
      users.key?(username) && users[username] == password
    end
    run MyApp

The only thing that changes from one config.ru to another is the realm parameter.

Now the problem is that as soon as I log into one of the applications, say private/foo, Chrome does not ask me for a username and password for the other applications (private/moo, etc.). This is counterintuitive because all instances are uniquely identified by their URLs. Using different credentials for each instance does work, but shouldn't Chrome request credentials at least once for each instance? One thing I noticed is that the first time I log into one of the instances in Chrome, it says: "The server on example.com:80 requires a username and password." I would expect: "The resource example.com/private/foo requires a username and password." Doesn't that mean it should work?

I checked the Rack::Auth::Basic source code and the Wikipedia article on HTTP Basic Auth and did not come up with anything to help my case :(

+4
1 answer

In basic authentication, the realm parameter is not sent back to the server. Thus, the server cannot check whether the client is sending an authorization header for the same realm or not. It is up to the client to implement basic HTTP authentication correctly. So:

Now the problem is that as soon as I log into one of the applications, say private/foo, Chrome does not ask me for the username and password for the other applications (private/moo, etc.). This is counterintuitive, since all instances are uniquely identified by their URLs.

As Andrew noted, and as is clear from the RFC, the URL does not play a role here. But if '/foo' is protected, '/foo/moo' is protected in the same realm.

Using different credentials for each instance does work, but shouldn't Chrome request credentials at least once for each instance?

As a side note, what happens (when checking with the developer tools) is that after I have logged in once to one of the applications, say private/foo, Chrome re-sends the same authorization header to the other applications, say moo, without a prior request.

The RFC says that the client may send the appropriate authorization header for the realm without a prior request from the server.

It seems that Chrome either treats all my applications as located in the same realm, or forwards the same authorization header across different realms. I do not think this is the expected behavior, but I could have missed something. Firefox behaves the same. In any case, that was not the point of the question.

The question was: "How do I get Chrome to ask me for a username and password at least once for each instance? Basic auth does not work as I expected, why?"

Use digest authentication (RFC 2617 again). Rack implements the MD5 version of the algorithm in Rack::Auth::Digest::MD5. Set a different opaque for each instance, and you are good to go:

    # ...
    realm  = "Description of the protected area."
    opaque = "Secret key that uniquely identifies a realm."
    users  = {'user' => 'password'}
    # The block receives the username and returns the password (or nil to reject).
    use Rack::Auth::Digest::MD5, realm, opaque do |username|
      users[username]
    end
    run MyApp

opaque is sent back by the client, and the server side can verify that the authorization request is for the correct resource. The role of realm seems to be descriptive in nature: what area or resource are you trying to protect, and what ID will be shown?

RFC: http://tools.ietf.org/html/rfc2617

+2
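As an added illustration of the answer's point (this is not code from the question or from Rack), here is a stand-alone Ruby sketch of what each scheme lets the server verify: with Basic, the Authorization header carries only the credentials, so the instance at /private/moo cannot tell it was minted for /private/foo; with Digest, realm and opaque are echoed back and can be checked before any hashing. The instance configuration, users, nonce and cnonce values are constructed, and the digest uses the RFC 2617 qop=auth form.

```ruby
require 'base64'
require 'digest/md5'

# Constructed per-instance configuration (hypothetical values, not the page's).
INSTANCES = { '/private/foo' => { realm: 'foo realm', opaque: 'opaque-for-foo' },
              '/private/moo' => { realm: 'moo realm', opaque: 'opaque-for-moo' } }
USERS = { 'user' => 'password' }

# Basic: the header only carries base64("user:password"). The realm the client
# answered is not in it, so an instance cannot tell a foo login from a moo login.
def check_basic(header)
  return :unauthorized unless header.to_s.start_with?('Basic ')
  user, pass = Base64.decode64(header[6..]).split(':', 2)
  USERS[user] == pass ? :ok : :unauthorized
end

# Split a Digest header into its key="value" / key=value parameters.
def parse_digest(header)
  header.sub(/\ADigest\s+/, '').scan(/(\w+)=(?:"([^"]*)"|([^,\s]*))/)
        .to_h { |k, quoted, bare| [k, quoted || bare] }
end

# RFC 2617 response with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2).
def digest_response(user, realm, pass, method, uri, nonce, nc, cnonce)
  ha1 = Digest::MD5.hexdigest("#{user}:#{realm}:#{pass}")
  ha2 = Digest::MD5.hexdigest("#{method}:#{uri}")
  Digest::MD5.hexdigest("#{ha1}:#{nonce}:#{nc}:#{cnonce}:auth:#{ha2}")
end

# Digest: realm and opaque come back with the credentials, so the instance at
# `path` can reject a header minted for another instance before hashing anything.
def check_digest(path, method, header)
  return :unauthorized unless header.to_s.start_with?('Digest ')
  params = parse_digest(header)
  cfg = INSTANCES.fetch(path)
  return :wrong_realm unless params['realm'] == cfg[:realm] && params['opaque'] == cfg[:opaque]
  return :unauthorized unless (pass = USERS[params['username']])
  expected = digest_response(params['username'], params['realm'], pass, method,
                             params['uri'], params['nonce'], params['nc'], params['cnonce'])
  params['response'] == expected ? :ok : :unauthorized
end

# Client side (constructed): the headers a browser would send after a challenge.
def basic_header(user, pass)
  "Basic #{Base64.strict_encode64("#{user}:#{pass}")}"
end

def digest_header(user, pass, realm, opaque, nonce, method, uri, cnonce = 'abc123')
  resp = digest_response(user, realm, pass, method, uri, nonce, '00000001', cnonce)
  %(Digest username="#{user}", realm="#{realm}", nonce="#{nonce}", uri="#{uri}", ) +
    %(qop=auth, nc=00000001, cnonce="#{cnonce}", opaque="#{opaque}", response="#{resp}")
end
```

A Basic header issued for /private/foo passes check_basic unchanged on /private/moo, while the equivalent Digest header is rejected there as :wrong_realm.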

Source: https://habr.com/ru/post/1396062/

