I just installed Gerrit 3.2.1.
After I start it, I fail to open my site with the errors below:
The HTTP server did not provide the username in the Authorization header when it forwarded the request to Gerrit Code Review.
If the HTTP server is Apache HTTPd, check the proxy configuration includes an authorization directive with the proper location, ensuring it ends with '/':
ServerName devops.adaps.corp
ProxyRequests Off
ProxyVia Off
ProxyPreserveHost On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
<Location /login/>
AuthType Basic
AuthName "Gerrit Code Review"
Require valid-user
...
</Location>
AllowEncodedSlashes On
ProxyPass / http://.../ nodecode
So I want to stop it and check whether I need to add an htpasswd file.
But... it seems unstoppable... I tried with the commands:
/work/devops/gerrit/bin/gerrit.sh stop
sudo /work/devops/gerrit/bin/gerrit.sh stop
I get this error:
Stopping Gerrit Code Review: start-stop-daemon: matching only on non-root pidfile /work/devops/gerrit/logs/gerrit.pid is insecure
I fixed it by manually killing the process recorded in the pidfile.
I have Apache 2.4 with PHP 5.5 without using php_mod but with PHP-FPM and mod_proxy_fcgi, so I added the following to the vhost:
ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:7000/home/var/www/site/$1
This worked well but when I had some problems with timeouts I added the following code in order to fix this issue to the vhost file:
<Proxy fcgi://127.0.0.1:7000>
ProxySet timeout=3600
</Proxy>
ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:7000/home/var/www/site/$1
However, I would like to add this timeout only to the administration panel of the website, which is www.site.com/admin/xxx. I tried to add the location tag like below, but it didn't work (Apache fails when restarting).
<LocationMatch ^/admin/.*\.php(/.*)?$>
<Proxy fcgi://127.0.0.1:7000>
ProxySet timeout=3600
</Proxy>
</LocationMatch >
ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:7000/home/var/www/site/$1
First of all, is that possible? Then which would be the correct syntax?
Many thanks for your time
Just use the Proxy wildcard with /admin/*
While this will allow ANY script beneath admin to run with the settings defined, behind an admin (and I assume login) wall, it shouldn't be an issue.
<Proxy "fcgi://127.0.0.1:7000/home/var/www/site/admin/*">
ProxySet timeout=3600
</Proxy>
Use ProxySet outside of a Proxy directive
ProxySet within a Proxy directive can be used without defining the url/balancer/worker. But, you should still be able to use ProxySet within a Location directive.
<LocationMatch ^/admin/.*\.php(/.*)?$>
ProxySet "fcgi://127.0.0.1:7000" timeout=3600
</LocationMatch>
If apache is still failing on startup, check the apache logs, or run strace -Ff apachectl start to find the problem, it may just be a bug in that version of apache.
However, I strongly suspect your LocationMatch regex ^/admin/.*\.php(/.*)?$ to be the cause of the apache failure.
Jenkins and Gerrit both have plugins for OpenID 2.0, but this API was deprecated by Google on May 19, 2014 (https://developers.google.com/accounts/docs/OpenID), making it impossible for new installations to use, and existing installations must migrate to OAuth 2.0 (OpenID Connect). When trying to use OpenID 2.0 you will get the error message "Error 400: OpenID auth request contains an unregistered domain".
The Gerrit team is aware of the problem but no solution as of yet:
https://code.google.com/p/gerrit/issues/detail?id=2677
Not sure about Jenkins.
Update 2014/11/05: For those coming here for the first time, read on below. Thanks hans-zandbelt for the feedback. It is incorporated in the updated version. The setup now uses the suggested improvements and only uses mod_rewrite to redirect the Gerrit logout URL to the right place. Also note that instead of only using the non-domain part of the email, the email is used unmodified. This means that if you happen to have an existing setup you need to change username mappings.
For Jenkins do the following:
move ${jenkins_home}/users/youruser to ${jenkins_home}/users/youruser@yourdomain
open ${jenkins_home}/config.xml, search "youruser" and replace with youruser@yourdomain
For Gerrit:
open the SQL database with one of the two methods below:
[Recommended] Either through the gerrit command available through ssh:
ssh gerrit.revault.ch gerrit gsql
OR on the machine itself (change GERRIT_HOME to where it is on your machine):
export GERRIT_HOME=/var/gerrit_home
pushd ${GERRIT_HOME}
java -cp $(find . -name "h2*.jar") org.h2.tools.Shell -url "jdbc:h2:file:${GERRIT_HOME}/db/ReviewDB;IFEXISTS=TRUE"
show external
select * from ACCOUNT_EXTERNAL_IDS;
the external ids map your account to different usernames, emails etc.
the ones prefixed with username: e.g. username:test@example.com are for ssh / git login names
the ones prefixed with gerrit: e.g. gerrit:test@example.com are used for the web interface
for a given account_id you can just add new mappings for existing users using SQL, e.g.:
insert into ACCOUNT_EXTERNAL_IDS values(1000032, NULL,NULL, 'username:test@example.com');
insert into ACCOUNT_EXTERNAL_IDS values(1000032, NULL,NULL, 'gerrit:test@example.com');
Solution
You can use an Apache as a reverse proxy handling authentication for you:
Gerrit
Assuming you already have installed Gerrit and it is listening on address 10.10.10.10:8080.
You will have to configure gerrit to use basic authentication, the [auth] section in your
${gerrit_installation}/etc/gerrit.config should look like this:
[gerrit]
basePath = git
canonicalWebUrl = http://gerrit.example.com
[database]
type = h2
database = db/ReviewDB
[index]
type = LUCENE
[auth]
type = HTTP
emailFormat = {0}@example.com
httpHeader = X-Forwarded-User
[sendemail]
smtpServer = localhost
[container]
user = gerrit
javaHome = /usr/lib/jvm/java-8-oracle/jre
[sshd]
listenAddress = 10.10.10.10:2222
[httpd]
listenUrl = http://10.10.10.10:8080/
[cache]
directory = cache
The username will be in the header X-Forwarded-User. That's how Apache will forward the username
to Gerrit.
On Apache we will use mod_auth_openidc which has support for oauth2. For further information and
example docs refer to https://github.com/pingidentity/mod_auth_openidc. On a recent Ubuntu the installation
looks like this:
sudo aptitude install libjansson-dev apache2 apache2-dev libcurl4-openssl-dev build-essential autoconf libhiredis-dev
git clone https://github.com/pingidentity/mod_auth_openidc.git
cd mod_auth_openidc
./autogen.sh
./configure
make
sudo make install
sudo a2enmod auth_openidc
sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod headers
sudo a2enmod rewrite
You will need to add a site configuration e.g. gerrit.conf similar to the one below (you probably want TLS, too) to /etc/apache2/sites-available and activate it with:
sudo a2ensite gerrit.conf
The file /etc/apache2/sites-available/gerrit.conf looks like this:
<VirtualHost *:80>
ServerName gerrit.example.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
OIDCClientID <from api console>
OIDCClientSecret <from api console>
OIDCScope "openid email profile"
OIDCRedirectURI http://gerrit.example.com/oauth2callback
OIDCCryptoPassphrase <generate long random passphrase here, not sure if used>
OIDCSessionInactivityTimeout 600
OIDCCookiePath /
OIDCAuthRequestParams hd=example.com
OIDCRemoteUserClaim email
OIDCAuthNHeader X-Forwarded-User
RewriteEngine On
#LogLevel alert rewrite:trace2
RewriteRule ^/logout$ /oauth2callback?logout=http://gerrit.example.com/ [R]
ProxyPass / http://gerrit.example.com:8080/ nocanon
ProxyPassReverse / http://gerrit.example.com:8080/
ProxyRequests Off
AllowEncodedSlashes NoDecode
<Proxy http://gerrit.example.com:8080/*>
# add rewrites here if necessary
</Proxy>
<Location />
AuthType openid-connect
Require claim hd:example.com
Require valid-user
</Location>
</VirtualHost>
In order to get the parameters OIDCClientID and OIDCClientSecret, go to the API console under https://console.developers.google.com/project. The credentials are in the context of a project; if you don't have one, create a project first, e.g. example-it-authentication.
On the project go to APIs & auth:
Under APIs activate Google+ API.
Under Credentials, OAuth create new Client ID.
Fill in OIDCClientID and OIDCClientSecret in your apache config (e.g. gerrit.conf)
Under Consent screen fill in email and product name (you will get an error if you don't)
service apache2 restart
You should be done!
Jenkins
Assuming you already have installed Jenkins and it is listening on 10.10.10.11:8080.
For Jenkins the configuration is almost identical. You will need to install and activate the Reverse Proxy Auth Plugin http://wiki.jenkins-ci.org/display/JENKINS/Reverse+Proxy+Auth+Plugin. Under Configure Global Security check the "HTTP Header by reverse proxy" radio.
The default values correspond to the configuration below. You will need to create credentials matching the jenkins hostname in the api console https://console.developers.google.com/project. Report them to your config as before (e.g. jenkins.conf). That should be all.
<VirtualHost *:80>
ServerName jenkins.example.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
OIDCClientID <from api console>
OIDCClientSecret <from api console>
OIDCScope "openid email profile"
OIDCRedirectURI http://jenkins.example.com/oauth2callback
OIDCCryptoPassphrase <generate long random passphrase here, not sure if used>
OIDCSessionInactivityTimeout 600
OIDCCookiePath /
OIDCAuthRequestParams hd=example.com
OIDCRemoteUserClaim email
OIDCAuthNHeader X-Forwarded-User
ProxyPass / http://jenkins.example.com:8080/ nocanon
ProxyPassReverse / http://jenkins.example.com:8080/
ProxyRequests Off
AllowEncodedSlashes NoDecode
<Proxy http://jenkins.example.com:8080/*>
# add rewrites here if necessary
</Proxy>
<Location />
AuthType openid-connect
Require claim hd:example.com
Require valid-user
</Location>
<Location ~ "^/(cli|jnlpJars|subversion|whoAmI|computer/[^/]+/slave-agent.jnlp|tcpSlaveAgentListener)">
Satisfy Any
Allow from all
</Location>
</VirtualHost>
Currently there doesn't seem to be support for groups in mod_auth_openidc. If you need groups you can install an LDAP that stores them (but this probably isn't what you want since you are using Google auth) or wait until it is supported by mod_auth_openidc.
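The setup above makes Gerrit and Jenkins take their identity from the X-Forwarded-User header that Apache sets (OIDCAuthNHeader on the proxy, httpHeader in gerrit.config on the backend). The following is an added example, not code from the answer or from Gerrit, Jenkins or mod_auth_openidc, showing in Python the two rules that make such a header safe to trust: the proxy must overwrite any client-supplied copy of the header, and the backend must only honour it on requests that actually came from the proxy. The address 10.10.10.1 for the proxy, the header name and the sample requests are constructed for this example.

```python
"""Added example: trust rules for a proxy-supplied identity header such as
X-Forwarded-User. Not part of the original answer; the proxy address and the
sample requests are constructed."""

from ipaddress import ip_address, ip_network
from typing import Dict, Optional

# Constructed: the only address(es) the backend accepts the header from.
TRUSTED_PROXIES = [ip_network("10.10.10.1/32")]
IDENTITY_HEADER = "X-Forwarded-User"


def proxy_forward(client_headers: Dict[str, str],
                  authenticated_user: Optional[str]) -> Dict[str, str]:
    """Proxy side: build the header set sent upstream.

    Every client-supplied copy of the identity header (any letter case) is
    dropped and replaced with the user the proxy itself authenticated, which
    is what OIDCAuthNHeader does.  If the proxy did not authenticate the
    request the header is absent, never empty or client-controlled."""
    upstream = {k: v for k, v in client_headers.items()
                if k.lower() != IDENTITY_HEADER.lower()}
    if authenticated_user:
        upstream[IDENTITY_HEADER] = authenticated_user
    return upstream


class AuthError(Exception):
    """Raised when the backend cannot establish an identity."""


def backend_resolve_user(headers: Dict[str, str], remote_addr: str) -> str:
    """Backend side: accept the identity header only from a trusted proxy.

    A request that reaches the backend port directly (bypassing Apache) is
    rejected even if it carries a well-formed header."""
    addr = ip_address(remote_addr)
    if not any(addr in net for net in TRUSTED_PROXIES):
        raise AuthError("request from %s did not come through the proxy" % remote_addr)
    user = None
    for k, v in headers.items():
        if k.lower() == IDENTITY_HEADER.lower():
            user = v.strip()
    if not user:
        # Equivalent of Gerrit's "did not provide the username" error.
        raise AuthError("proxy did not provide the username in " + IDENTITY_HEADER)
    return user


def backend_accepts(headers: Dict[str, str], remote_addr: str) -> Optional[str]:
    """Convenience wrapper: the resolved user, or None when rejected."""
    try:
        return backend_resolve_user(headers, remote_addr)
    except AuthError:
        return None


if __name__ == "__main__":
    # Constructed: a client that tries to smuggle its own identity header.
    client = {"Host": "gerrit.example.com", "X-Forwarded-User": "mallory@example.com"}
    upstream = proxy_forward(client, "alice@example.com")
    print("upstream headers:", upstream)
    print("via proxy:", backend_accepts(upstream, "10.10.10.1"))
    print("direct to backend:", backend_accepts(client, "192.0.2.7"))
```

The practical consequence for the configuration above is that the backend listenUrl (10.10.10.10:8080) must not be reachable from anywhere but the Apache host; filtering by source address, as backend_resolve_user does, is the check that makes the header trustworthy.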
Google's OpenID 2.0 has been superseded by OpenID Connect. The Apache module mod_auth_openidc implements OpenID Connect so it can be used in a reverse proxy that fronts Gerrit/Jenkins as described by revau.lt.
However, be aware that relying on the non-domain part of an e-mail address as a unique identifier is insecure unless you restrict logins to a specific domain using the following two configuration settings:
OIDCAuthRequestParams hd=example.com
to skip Google's account chooser screen, and in the <Location> section:
Require claim hd:example.com
to restrict access to only users from the example.com Google domain. If your application is open to any Google account you should not use the e-mail prefix as the primary identifier because you run the collision risk that users in different domains have the same user prefix.
That is why it is better to rely on the full e-mail address, e.g.
OIDCRemoteUserClaim email
or the (opaque) primary identifier that Google uses in the sub claim, e.g.:
OIDCRemoteUserClaim sub
Furthermore, instead of rewriting claims in to headers you can just use:
OIDCAuthNHeader X-Forwarded-User
Migration from OpenID 2.0 to OpenID Connect (retaining OpenID 2.0 user identifiers) is possible too, as described here and here, so you'd use:
OIDCAuthRequestParams openid.realm=<urlencoded-realm-value>
OIDCRemoteUserClaim openid_id
For an exhaustive overview of configuration primitives see: https://github.com/pingidentity/mod_auth_openidc/blob/master/auth_openidc.conf
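The collision the answer above warns about is easy to make concrete. The following Python is an added example (not part of the answer, and not mod_auth_openidc code) that applies the equivalent of Require claim hd:example.com and then derives REMOTE_USER from a set of ID-token claims using the three choices discussed: the e-mail prefix, the full email claim, and the sub claim. The claim sets are constructed for the example; the email_prefix option is named here only to show the insecure variant and is not a real OIDCRemoteUserClaim value.

```python
"""Added example: REMOTE_USER derivation from OpenID Connect claims under
the different OIDCRemoteUserClaim choices, with an hd restriction.  Not part
of the original answer; the claim sets below are constructed."""

from typing import Dict, List, Optional

# Constructed ID-token claim sets for three distinct Google accounts.
# Two of them share the local part "bob" in different domains; the third is
# a consumer account, which carries no hd claim at all.
CLAIMS: List[Dict[str, str]] = [
    {"sub": "104123456789012345678", "email": "bob@example.com", "hd": "example.com"},
    {"sub": "118765432109876543210", "email": "bob@other-corp.com", "hd": "other-corp.com"},
    {"sub": "103333333333333333333", "email": "carol@gmail.com"},
]


def remote_user(claims: Dict[str, str], claim: str,
                required_hd: Optional[str] = None) -> Optional[str]:
    """Mimic 'Require claim hd:<domain>' followed by OIDCRemoteUserClaim.

    Returns the REMOTE_USER value, or None when the request must be denied.
    claim is 'email', 'sub', or 'email_prefix' (the hypothetical insecure
    variant: the part before the @, as the older setup used)."""
    if required_hd is not None and claims.get("hd") != required_hd:
        return None  # not a member of the required hosted domain
    if claim == "email_prefix":
        return claims["email"].split("@", 1)[0]
    value = claims.get(claim)
    return value if value else None  # missing claim yields no identity


def collisions(claim: str, required_hd: Optional[str] = None) -> List[str]:
    """REMOTE_USER values that more than one distinct account maps to."""
    seen: Dict[str, set] = {}
    for c in CLAIMS:
        user = remote_user(c, claim, required_hd)
        if user is not None:
            seen.setdefault(user, set()).add(c["sub"])
    return sorted(u for u, subs in seen.items() if len(subs) > 1)


if __name__ == "__main__":
    for choice in ("email_prefix", "email", "sub"):
        print("%-12s open to any account: %s" % (choice, collisions(choice)))
        print("%-12s hd=example.com only: %s" % (choice, collisions(choice, "example.com")))
```

With the prefix, two different accounts both become "bob" until the hd restriction is enforced; the full email and the sub claim stay unique either way, which is why the answer recommends them.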
As far as I know, the fastest way to log into Gerrit with a Google account is:
Create Client ID in Google Developers Console
Download this release of Gerrit and Google-OAuth-provider plugin
Re-initialize Gerrit: java -jar gerrit-2.10.1-4-a83387b.war init -d gerrit_site_path
And restart it: gerrit_site_path/bin/gerrit.sh restart
For Jenkins there is a new Google-login plugin.
I have a site that I want to force a user to log in via LDAP before they can see the front page of the website. This works with generic webpages fine, but doesn't work with a rails site running passenger on apache2. I've seen some references that this is because passenger doesn't respect the Directory command (or picks up before it gets to that directive). Is there a way to make this happen or do I need to add devise to the site instead?
<VirtualHost *:80>
ServerName test.example.com
DocumentRoot "/www/software/rails_site/current/public"
ErrorLog "/www/logs/software/rails_site/error_log"
CustomLog "/www/logs/software/rails_site/access_log" common
DirectoryIndex index.html
RailsEnv production
<Directory "/www/software/rails_site/current/public">
AuthType Basic
AuthName "Secure portal"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL "info"
AuthLDAPBindPassword "pass"
require ldap-user usernames
Order deny,allow
Satisfy Any
</Directory>
</VirtualHost>
The above doesn't prevent the site from loading or do any challenge when first trying to load the site.
Try placing the authentication directives inside a Location instead of a Directory so that they will be triggered first by the incoming URI. Apparently Passenger has an order of operations associated with Directory directives.
This old post confirms that what you're trying to do is (or at least used to be) possible:
http://groups.google.com/group/phusion-passenger/browse_thread/thread/bb0ccee6b4a45bc0/429a34fb66dbde6d
I'm doing exactly this by trying to disable AutoHosting. However now I get "Failed to connect to mod-mono-server after several attempts to spawn the process." in the logs. The path is correct
Here's my config:
<VirtualHost *:80>
ServerName myserver.com
DocumentRoot /home/abe/html/
MonoServerPath myserver.com "/usr/local/bin/mod-mono-server2"
MonoDebug myserver.com true
MonoSetEnv myserver.com MONO_IOMAP=all
MonoAutoApplication disabled
MonoApplications myserver.com "/:/home/abe/html/"
<Location "/">
Allow from all
Order allow,deny
MonoSetServerAlias myserver.com
SetHandler mono
</Location>
</VirtualHost>
Fixed: see the answer below.
With the fix, though, how can I get the configuration I want w/o doing the dangerous process of editing the auto-gen'd httpd.conf?
Turns out this was an issue with the VirtualHost being defined twice - once in httpd.conf and once in vhosts.conf. So the fix was to use just one VirtualHost block. But this causes another problem, unfortunately. I'm in a hosted environment and httpd.conf is auto-generated so I really shouldn't be editing it directly. However it is safe to edit vhosts.conf. VirtualHost is automatically set by my host and injected into httpd.conf.
I've got apache2.2 on windows. I'm trying to serve both subversion (/svn) and redmine (/redmine). I have svn running fine with this config:
<Location /svn>
DAV svn
SVNParentPath C:/svn_repository
...
</Location>
This is working great--my svn users can hit http://mybox/svn just fine.
Now I want to add another directory for a rails app (RedMine):
I followed the advice in this question to setup a mongrel server and have apache proxy clients through to it. It works fine if I make it the root--but I'm having trouble making it in a subdirectory:
<Location /redmine>
ProxyPass http://localhost:3000/
ProxyPassReverse http://localhost:3000/
</Location>
Any suggestions?
Here's what I had to change:
I removed the trailing slash:
<Location /redmine>
ProxyPass http://localhost:3000
ProxyPassReverse http://localhost:3000/
</Location>
And in my rails app:
# added to end of file C:\redmine\config\environment.rb
ActionController::AbstractRequest.relative_url_root = "/redmine"
Now it's working!
I wasn't completely happy with this approach--I ran into some redirect issues. This is another attempt which seems to be working well so far.
Fast CGI and Fast CGI without VirtualHosts
Tuning Fast CGI
This second approach seems better.
UPDATE:
As noted in the comments, for more recent apps running on Rails 2.3.2+, use this instead:
config.action_controller.relative_url_root = '/redmine'
I put it in the new additional_environment.rb file.
In case you still wish to use Mongrel + Apache using a reverse proxy here is how I solved the same issue on our system (Win2k3, Apache 2.2, trunk of Redmine). The secret is to install your mongrel service using --prefix /redmine which tells it to serve it from http://localhost:port/redmine
In Apache httpd.conf (or suitable include file):
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
<IfModule mod_proxy.c>
ProxyRequests Off
#No need to forward on static content - let apache do it faster
ProxyPass /redmine/images !
ProxyPass /redmine/stylesheets !
ProxyPass /redmine/javascript !
# Remove the following entry on public sites as this is insecure
ProxyPass /redmine/plugin_assets !
ProxyPass /redmine/help !
ProxyPass /redmine http://localhost:4000/redmine
ProxyPassReverse /redmine http://localhost:4000/redmine
ProxyPreserveHost On
#continue with other static files that should be served by apache
Alias /redmine/images C:/Repositories/redmine/public/images/
Alias /redmine/stylesheets C:/Repositories/redmine/public/stylesheets/
Alias /redmine/javascript C:/Repositories/redmine/public/javascript/
# Remove the following on public sites as this is insecure
Alias /redmine/plugin_assets C:/Repositories/redmine/public/plugin_assets/
Alias /redmine/help C:/Repositories/redmine/public/help/
</IfModule>
# Make sure apache can see public and all subfolders - not suitable for public sites
<Directory "C:/Repositories/redmine/public/">
Allow from all
Order allow,deny
</Directory>
Mongrel is installed as such:
mongrel_rails service::install --prefix /redmine -N redmine_prod -p 4000 -e production -c C:\Repositories\redmine
Hope that helps someone. Initially, I tried setting up Apache + fastcgi etc but I lost more precious hair - it's not Windows friendly.
P.S. I found this PDF a very useful reference: http://www.napcsweb.com/howto/rails/deployment/RailsWithApacheAndMongrel.pdf
/Damien
Passenger (http://modrails.com) is a better alternative to FastCGI because it's very easy to configure. I would recommend using it for hosting your Rails apps, with a configuration similar to what you have now.
I agree with Radar. Passenger is really easy to set up, lets Rails apps share memory, removes the burden of managing a cluster of mongrels and requires virtually no configuration. All you need are a special 'config.ru' file with a RackUp config and a DocumentRoot pointing to RAILS_ROOT/public set in Apache.