Drupal

Presentation

Drupal is a CMS written in PHP. It can works with external modules to extends its functionalities. One of this module can be used to delegate authentication server to the web server: Webserver Auth.

Installation

Install Webserver Auth module, by downloading it, and unarchive it in the drupal modules/ directory.

Configuration

Drupal module activation

Go on Drupal administration interface and enable the Webserver Auth module.

Drupal virtual host

Configure Drupal virtual host like other protected virtual host.

If you are protecting Drupal with LL::NG as reverse proxy, convert header into REMOTE_USER environment variable.
  • For Apache:
<VirtualHost *:80>
       ServerName drupal.example.com
 
       PerlHeaderParserHandler Lemonldap::NG::Handler
 
       ...
 
</VirtualHost>
  • For Nginx:
server {
  listen 80;
  server_name drupal.example.com;
  root /path/to/application;
  # Internal authentication request
  location = /lmauth {
    internal;
    include /etc/nginx/fastcgi_params;
    fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
    # Drop post datas
    fastcgi_pass_request_body  off;
    fastcgi_param CONTENT_LENGTH "";
    # Keep original hostname
    fastcgi_param HOST $http_host;
    # Keep original request (LLNG server will received /llauth)
    fastcgi_param X_ORIGINAL_URI  $request_uri;
  } 
 
  # Client requests
  location / {
    auth_request /lmauth;
    auth_request_set $lmremote_user $upstream_http_lm_remote_user;
    auth_request_set $lmlocation $upstream_http_location;
    error_page 401 $lmlocation;
    try_files $uri $uri/ =404;
 
    ...
 
    include /etc/lemonldap-ng/nginx-lua-headers.conf;
  }
  location / {
    try_files $uri $uri/ =404;
  }
}

Drupal virtual host in Manager

Go to the Manager and create a new virtual host for Drupal.

Just configure the access rules.

If using LL::NG as reverse proxy, configure the Auth-User header, else no headers are needed.

Protect only the administration pages

With the above solution, all the Drupal site will be protected, so no anonymous access will be allowed.

You cannot use the unprotect rule because Drupal navigation is based on query strings (?q=admin, ?q=user, etc.), and unprotect rule only works on URL patterns.

You can create a special virtual host and use Apache rewrite module to switch between open and protected hosts:

<VirtualHost *:80>
    ServerName drupal.example.com
 
    # DocumentRoot
    DocumentRoot /var/www/html/drupal/
    DirectoryIndex index.php
 
    # Redirect admin pages
    RewriteEngine On
    RewriteCond  %{QUERY_STRING} q=(admin|user)
    RewriteRule ^/(.*)$ http://admindrupal.example.com/$1 [R]
 
    LogLevel warn
    ErrorLog /var/log/httpd/drupal-error.log
    CustomLog /var/log/httpd/drupal-access.log combined
</VirtualHost>
<VirtualHost *:80>
    ServerName admindrupal.example.com
 
    # SSO protection
    PerlHeaderParserHandler Lemonldap::NG::Handler
 
    # DocumentRoot
    DocumentRoot /var/www/html/drupal/
    DirectoryIndex index.php
 
    LogLevel warn
    ErrorLog /var/log/httpd/admindrupal-error.log
    CustomLog /var/log/httpd/admindrupal-access.log combined
</VirtualHost>