Mimic .htaccess or some other type of password protecting with webrick
B

4

6

I have a Rails app that I enjoy developing on a server much more than locally (slow computer). The problem is that, even though the development environment on the server is great, I need a way to look at the pages I am working on live.

This would be pretty easy if I didn't care about the app being visible to the public, but it cannot be visible anywhere except on the production server.

So I had the idea of just putting a basic httpauth up and then only I can see the rails app but it is still hosted on the server.

If I were to be doing this with apache/php I would just use a .htaccess file to protect the directory but I have no clue how to protect the application from the public using WEBrick.

If anyone has any idea I really would like to have no code changes or only code changes in files I can .gitignore so deployment is still easy.

Boyd answered 15/11, 2011 at 20:9 Comment(2)
Are you stuck to WEBrick or would setting up apache + passenger be an option for you? Then it would be easy to just use an .htaccess or .passwd file for basic authentication. In my mind, you should not introduce any coding in your app at all that is dependent on WEBrick. – Gentoo
It's for a development env so I don't think passenger is a good idea. – Boyd
L
3

You can restrict access by using Rack based basic auth or IP white listing

Basic Auth

Add the following to your config/environments/development.rb

config.middleware.use Rack::Auth::Basic, "Beta Access" do |username, password|
  'secret' == password
end

IP White Listing

I found two gems for this purpose:

rack-auth-ip

rack-ip-whitelist

I would use rack-auth-ip as it has been there for some time. Add the following to your config/environments/development.rb

config.middleware.use Rack::Auth::IP, %w( YourIPAddress )

Now, the instance is accessible only if the originating IP is in the white list.

Loesch answered 21/11, 2011 at 0:18 Comment(1)
I have added a section for basic auth in my answer, take a look. – Loesch
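Added example (not part of the answer above, and not code from Rack or Rails): a stdlib-only Rack-style middleware that performs the same Basic auth check as the `Rack::Auth::Basic` block, but compares credentials without an early exit and refuses to start when no password is configured. The class name `DevBasicAuth`, the demo credentials and the environment variable names in the comments are assumptions.

```ruby
require 'digest'

# Hypothetical middleware; any object with call(env) -> [status, headers, body] works in Rack.
class DevBasicAuth
  def initialize(app, realm:, user:, password:)
    # Fail closed: an unset or empty credential must not silently open the app.
    raise ArgumentError, 'user and password must be set' if user.to_s.empty? || password.to_s.empty?
    @app, @realm, @user, @password = app, realm, user, password
  end

  def call(env)
    return @app.call(env) if authorized?(env['HTTP_AUTHORIZATION'])
    [401,
     { 'Content-Type' => 'text/plain', 'WWW-Authenticate' => %(Basic realm="#{@realm}") },
     ["Unauthorized\n"]]
  end

  private

  def authorized?(header)
    scheme, encoded = header.to_s.split(' ', 2)
    return false unless encoded && scheme.casecmp?('basic')
    user, pass = encoded.strip.unpack1('m0').split(':', 2) # 'm0' = strict base64
    return false unless user && pass
    # Non-short-circuit & so both comparisons always run.
    secure_eq(user, @user) & secure_eq(pass, @password)
  rescue ArgumentError # malformed base64 in the header
    false
  end

  # Compare fixed-length digests byte by byte, with no early exit on mismatch.
  def secure_eq(a, b)
    x = Digest::SHA256.digest(a).bytes
    y = Digest::SHA256.digest(b).bytes
    x.zip(y).reduce(0) { |acc, (m, n)| acc | (m ^ n) }.zero?
  end
end

# Constructed demo: a stand-in app and sample credentials. In a real setup the
# values would come from ENV (assumed names: DEV_AUTH_USER, DEV_AUTH_PASSWORD).
DEMO_APP = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ["ok\n"]] }
DEMO = DevBasicAuth.new(DEMO_APP, realm: 'Dev', user: 'dev', password: 's3cret')

def demo_status(credentials)
  env = credentials ? { 'HTTP_AUTHORIZATION' => 'Basic ' + [credentials].pack('m0') } : {}
  DEMO.call(env).first
end
```

In a Rails app this would be registered with `config.middleware.use` in config/environments/development.rb, in the same place as the snippet in the answer.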
A
2

This question, "Ruby Webrick HTTP Authentication", seems to give an answer.

Here's a link to some Webrick docs. It looks like you need something like so, from the above link:

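require 'webrick'

realm = "Gnome's realm"
# start_webrick in the docs is a helper defined there; a plain server is
# created here instead (port 8000 is an example value)
server = WEBrick::HTTPServer.new(:Port => 8000)
server.mount_proc('/convenient_basic_auth') {|req, resp|
  WEBrick::HTTPAuth.basic_auth(req, resp, realm) {|user, pass|
    # this block returns true if
    # authentication token is valid
    user == 'gnome' && pass == 'supersecretpassword'
  }
  resp.body =
    "You are authenticated to see the super secret data\n"
}
trap('INT') { server.shutdown }
server.start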

and a link to the rdoc on WEBrick/HTTPAuth

config = { :Realm => 'DigestAuth example realm' }

htpasswd = WEBrick::HTTPAuth::Htpasswd.new 'my_password_file'
htpasswd.auth_type = WEBrick::HTTPAuth::DigestAuth
htpasswd.set_passwd config[:Realm], 'username', 'password'
htpasswd.flush
Alloplasm answered 18/11, 2011 at 16:17 Comment(1)
So for a rails 3.1 app this would require modifying the rails gem? – Boyd
F
2

I'm sorry if I'm missing something here, but why wouldn't Rails' built-in HTTP basic authentication work for you?

class ApplicationController < ActionController::Base
  protect_from_forgery

  http_basic_authenticate_with :name => "dhh", :password => "hatezgroupon", :if => lambda { Rails.env.development? }
end
Footstall answered 24/11, 2011 at 2:6 Comment(0)
P
1

Unless you're stuck using WEBrick, a better solution would be to use nginx, which proxies to unicorn. Here is a good tutorial: here

Puckery answered 21/11, 2011 at 1:11 Comment(0)
