Mailing List Archive

Providing a REST API from behind Apache/FastCGI?
I have begun development of a RESTful API (using Catalyst::Controller::REST), intending to authenticate with basic HTTP authentication. Using the myproject_server.pl debug server, everything works fine. I send the GET, an Authorization: and an Accept: header, and I get a 200 response followed by JSON result.

When I move this from dev to test, which means it goes behind mod_fastcgi, it stops working. Every request gets back 401 Unauthorized. As far as I can tell, the Authorization header is not being passed through to Catalyst.

Note that my main interactive application uses HTML form auth and cookies/sessions, so this is our first use case involving HTTP basic authentication.

Things I have already tried:

1. Adding "-pass-header Authorization" to the FastCgiExternalServer parameter in httpd.conf

tcpdump tells me that the "Authorization: Basic xxxxxxx" is being sent to the server on port 4900, but it never actually gets through to where my req object can use it, e.g. $c->req->header('Authorization') is undef.

2. Rewriting the Authorization header as an env var

RewriteCond %{HTTP:Authorization} ^(.+)
RewriteRule ^(.*)$ $1 [E=HTTP_AUTHORIZATION:%1,PT]

This turns out not to help because the environment seen by the fastcgi server is that of the user who started it, not the environment Apache is running in. Dumping the contents of %ENV shows that this env var is not available to Catalyst.

3. SSLOptions +StdEnvVars

See #2, it sets env vars in the wrong environment.

Has anyone had this problem and knows of some solution? I'm out of ideas at this point...

Thanks,
Dan


_______________________________________________
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
Re: Providing a REST API from behind Apache/FastCGI?
On 9 November 2013 07:54, Dan Lowe <dan@tangledhelix.com> wrote:
> When I move this from dev to test, which means it goes behind mod_fastcgi, it stops working. Every request gets back 401 Unauthorized. As far as I can tell, the Authorization header is not being passed through to Catalyst.
>
> Has anyone had this problem and knows of some solution? I'm out of ideas at this point...

I know this isn't very helpful, but have you tried switching to using
apache (or preferably nginx) to reverse-proxy through to starman,
rather than using FastCGI? I think that's the current "best practice"
and would prove more reliable. At the very least, it provides more
ways to inspect and debug what is going on. If you're out of ideas, it
might be quicker to just give up on fastcgi and move on.

Re: Providing a REST API from behind Apache/FastCGI?
Newer versions of apache make some security changes, so apache, even though you don't think any access control is being applied on the server side, might be blocking it by default (although that should be a 403 rather than 401).

You could try a block like this:

<Location /uri_for/my/app.fcgi>
Order Allow,Deny
Allow From All
Satisfy Any
</Location>

I wrote an article on deploying starman with apache in the 2011
catalyst advent calendar, with some errata on my blog, you might want to
consider switching, although you would still run afoul of tighter apache
defaults if that is indeed your problem.

On 2013-11-08 15:54, Dan Lowe wrote:
> I have begun development of a RESTful API (using
> Catalyst::Controller::REST), intending to authenticate with basic
> HTTP
> authentication. Using the myproject_server.pl debug server,
> everything
> works fine. I send the GET, an Authorization: and an Accept: header,
> and I get a 200 response followed by JSON result.
>
> When I move this from dev to test, which means it goes behind
> mod_fastcgi, it stops working. Every request gets back 401
> Unauthorized. As far as I can tell, the Authorization header is not
> being passed through to Catalyst.
>
> Note that my main interactive application uses HTML form auth and
> cookies/sessions, so this is our first use case involving HTTP basic
> authentication.
>
> Things I have already tried:
>
> 1. Adding "-pass-header Authorization" to the FastCgiExternalServer
> parameter in httpd.conf
>
> tcpdump tells me that the "Authorization: Basic xxxxxxx" is being
> sent to the server on port 4900, but it never actually gets through
> to
> where my req object can use it, e.g. $c->req->header('Authorization')
> is undef.
>
> 2. Rewriting the Authorization header as an env var
>
> RewriteCond %{HTTP:Authorization} ^(.+)
> RewriteRule ^(.*)$ $1 [E=HTTP_AUTHORIZATION:%1,PT]
>
> This turns out not to help because the environment seen by the
> fastcgi server is that of the user who started it, not the
> environment
> Apache is running in. Dumping the contents of %ENV shows that this
> env
> var is not available to Catalyst.
>
> 3. SSLOptions +StdEnvVars
>
> See #2, it sets env vars in the wrong environment.
>
> Has anyone had this problem and knows of some solution? I'm out of
> ideas at this point...
>
> Thanks,
> Dan
>
>


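For reference, here is an added configuration example (mine, not the block brainbuz posted) that puts his 2.2-style access-control block next to the Apache 2.4 equivalent, since 2.4 replaced the Order/Allow/Satisfy model with Require (the old directives only keep working when mod_access_compat is loaded), and adds the -pass-header option from Dan's first attempt. The filesystem paths, the 127.0.0.1 host and the app name are assumptions; port 4900 is the one tcpdump showed in the thread, and /uri_for/my/app.fcgi is brainbuz's placeholder.

```apache
# Added example, not configuration from the thread.
# Hand the socket of the externally started FastCGI app to mod_fastcgi and
# forward the Authorization header, which the module does not pass to the
# CGI environment unless told to (assumed paths; port from the thread).
FastCgiExternalServer /var/www/myproject/script/app.fcgi -host 127.0.0.1:4900 -pass-header Authorization
Alias /uri_for/my/app.fcgi /var/www/myproject/script/app.fcgi

<Location /uri_for/my/app.fcgi>
    # Apache 2.2 (or 2.4 with mod_access_compat loaded), as posted above:
    #   Order Allow,Deny
    #   Allow from all
    #   Satisfy Any
    # Apache 2.4 native access control (mod_authz_core):
    Require all granted
</Location>
```

If both the compat directives and Require appear in the same scope on 2.4, the result is hard to reason about; pick one model per Location.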
Re: Providing a REST API from behind Apache/FastCGI?
On Nov 11, 2013, at 3:51 PM, brainbuz <brainbuz@brainbuz.org> wrote:

> Newer versions of apache make some security changes
> so apache, even though you don't think any access control is being applied on the server side,
> might be blocking it by default (although that should be a 403 rather than 401).
>
> You could try a block like this:
>
> <Location /uri_for/my/app.fcgi>
> Order Allow,Deny
> Allow From All
> Satisfy Any
> </Location>

That did not work unfortunately... but I have found that the data I need is available in $c->engine->env->{Authorization}, so I'll see what I can do with that.

I'll also look at starman and see if that improves things.

Thanks,
Dan


>
> I wrote an article on deploying starman with apache in the 2011 catalyst advent calendar, with some errata on my blog, you might want to consider switching, although you would still run afoul of tighter apache defaults if that is indeed your problem.



Re: Providing a REST API from behind Apache/FastCGI?

> On Nov 11, 2013, at 9:50 PM, Dan Lowe <dan@tangledhelix.com> wrote:
>
>
>> On Nov 11, 2013, at 3:51 PM, brainbuz <brainbuz@brainbuz.org> wrote:
>>
>> Newer versions of apache make some security changes
>> so apache, even though you don't think any access control is being applied on the server side,
>> might be blocking it by default (although that should be a 403 rather than 401).
>>
>> You could try a block like this:
>>
>> <Location /uri_for/my/app.fcgi>
>> Order Allow,Deny
>> Allow From All
>> Satisfy Any
>> </Location>
>
> That did not work unfortunately... but I have found that the data I need is available in $c->engine->env->{Authorization}, so I'll see what I can do with that.

Just FYI, but ->env is attached to the request obj in more modern versions of catalyst. You might want to write a bit of wrapper logic there to check one, then the other, so as to ease any future upgrades.

Jnap

> I'll also look at starman and see if that improves things.
>
> Thanks,
> Dan
>
>
>>
>> I wrote an article on deploying starman with apache in the 2011 catalyst advent calendar, with some errata on my blog, you might want to consider switching, although you would still run afoul of tighter apache defaults if that is indeed your problem.
>
>
>

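Putting Dan's finding (the value turning up in $c->engine->env->{Authorization} behind mod_fastcgi) together with John's suggestion of a wrapper that checks one location and then the other, here is an added example of what that wrapper can look like. It is my code, not code from the thread or from Catalyst: it tries the request header first, then the PSGI-style env on the request (modern Catalyst) or on the engine (older Catalyst), under both the CGI name HTTP_AUTHORIZATION and the literal header name, and then parses the Basic credentials without logging them and compares the password in constant time. The stand-in packages OldReq, NewReq, Engine and Ctx, the test credentials alice / s3cr:et and the digest-based comparison are assumptions for illustration; in a real app you pass $c itself.

```perl
#!/usr/bin/env perl
# Added example, not code from the thread or from Catalyst itself. Small
# stand-in packages (assumptions) replace the real Catalyst objects so that
# the file runs on its own; find_authorization() is the part to reuse.
use strict;
use warnings;
use MIME::Base64 qw(encode_base64 decode_base64);
use Digest::SHA  qw(sha256);

# OldReq has no ->env (older Catalyst, where the env lived on the engine);
# NewReq has it (modern Catalyst, as John describes).
package OldReq { sub new { my ($k, %a) = @_; bless {%a}, $k } sub header { $_[0]{headers}{$_[1]} } }
package NewReq { our @ISA = ('OldReq'); sub env { $_[0]{env} } }
package Engine { sub new { my ($k, %a) = @_; bless {%a}, $k } sub env { $_[0]{env} } }
package Ctx    { sub new { my ($k, %a) = @_; bless {%a}, $k } sub req { $_[0]{req} } sub engine { $_[0]{engine} } }
package main;

# Look in every place the thread found the header, in order of preference:
#   1. the request header object (dev server, Starman/PSGI deployments);
#   2. $c->req->env (modern Catalyst) or $c->engine->env (older Catalyst),
#      under the CGI name HTTP_AUTHORIZATION or under the literal header
#      name, which is where Dan found it behind mod_fastcgi -pass-header.
sub find_authorization {
    my ($c) = @_;
    my $hdr = $c->req->header('Authorization');
    return $hdr if defined $hdr && length $hdr;

    my $env = $c->req->can('env')    ? $c->req->env
            : $c->engine->can('env') ? $c->engine->env
            :                          undef;
    return undef unless ref $env eq 'HASH';
    for my $key (qw(HTTP_AUTHORIZATION Authorization)) {
        my $v = $env->{$key};
        return $v if defined $v && length $v;
    }
    return undef;
}

# "Basic <base64>" -> (user, password). Only the first colon separates the
# two, so passwords containing colons survive (RFC 7617).
sub parse_basic {
    my ($value) = @_;
    return unless defined $value
        && $value =~ m{^\s*Basic\s+([A-Za-z0-9+/]+=*)\s*$}i;
    my ($user, $pass) = split /:/, decode_base64($1), 2;
    return unless defined $user && defined $pass;
    return ($user, $pass);
}

# Compare fixed-length digests byte by byte with no early exit, so neither
# the length nor the matching prefix of the secret leaks through timing.
sub constant_time_eq {
    my ($got, $want) = @_;
    my ($x, $y) = (sha256($got), sha256($want));
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Constructed input modelled on Dan's mod_fastcgi case: nothing in the
# header object, value present only under the literal name in the engine env.
my $basic = 'Basic ' . encode_base64('alice:s3cr:et', '');
my $old = Ctx->new(
    req    => OldReq->new(headers => {}),
    engine => Engine->new(env => { Authorization => $basic }),
);
# The modern shape, where the env hangs off the request object instead.
my $new = Ctx->new(
    req    => NewReq->new(headers => {}, env => { HTTP_AUTHORIZATION => $basic }),
    engine => Engine->new(env => {}),
);

for my $c ($old, $new) {
    my ($user, $pass) = parse_basic(find_authorization($c));
    # Never log $pass or the raw header value; check it and move on.
    my $ok = defined $user && $user eq 'alice' && constant_time_eq($pass, 's3cr:et');
    printf "%s: user=%s auth=%s\n", ref $c->req, $user // '-', $ok ? 'ok' : 'denied';
}
```

In a real deployment the password check would of course go against a stored hash rather than a literal, but the lookup order and the constant-time comparison carry over unchanged; the point of routing every path through one function is exactly the one John makes, that an upgrade which moves ->env from the engine to the request then needs no change in the controllers.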