I just stood up my first Docker image on my local computer, and have the app working next to the CGI variables I need. How do I get those when I hit the web page of the user hitting the web page, CGI.Auth_user in particular?
You'll need to provide us more info. Many of the CGI vars (like that one) are actually controlled by the web server that fronts CF. What are you using?
By default, the CF Docker images run your traffic through the built-in web server within CF (port 8500). You may be using that (you'd know, based on whether you exposed that port in your docker run or compose file, or other orchestration config).
Or you could well have implemented some web server like nginx or apache, or even IIS, whether within a container also or on your host (talking to the container).
Whichever web server you are using, you would then have to have enabled security for the web site in question, since you're expecting to see the cgi.auth_user variable populated. What form of security did you enable in the web server you're using?
Or might it be that you did not enable any other web server, and are just using "the one in the CF docker image"? In that case, it has no such web site security enabled, by default. So you should not expect to see that variable populated. If it's simply that it's blank, it should be, so you should change your code to work accordingly.
Or enable security within whichever web server you are using to talk to the CF container.
Let us know what you think.
Thanks Charlie,
I'm using what comes default in Docker, no IIS or Apache. Currently, I'm only using Docker on my local desktop to test and dev with. I have a way to fudge the NT username for now. I didn't know I had another step to take to get the CGI vars; in ye olden days in IIS I just turned on the Windows authentication method. Moving forward I believe that the prod environment won't be Windows and I don't know what I would need to do to get that going. Do you know of a resource I can look at that might help to get started with that?
By the way, caught a few of your sessions at the 2019 CF Summit, good stuff, learned a lot!
The Docker image uses the built-in CF web server, which is basically just Tomcat. So I'd look at enabling basic authentication in Tomcat. I haven't actually done this with Tomcat - it's easier to do with regular "production" web servers like IIS and Apache HTTPD - but it's definitely doable. Here's the first resource I found when searching for "basic authentication tomcat":
Dave Watts, Eidolon LLC
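As an added example (not part of Dave's post, and not Adobe's own configuration), this is what container-managed BASIC authentication looks like in a stock Tomcat, which is the mechanism that makes the servlet container set the authenticated remote user. The URL pattern, role, user name and password are constructed placeholders; it is assumed that the bundled Tomcat still uses the default UserDatabaseRealm backed by conf/tomcat-users.xml and that CF reports the container's remote user in cgi.auth_user.

```xml
<!-- Fragment 1: goes inside <web-app> in the web application's WEB-INF/web.xml -->

<!-- Require an authenticated user in role "appuser" for the application's URLs.
     Scope the pattern to the app so other paths keep their existing behaviour. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected application (constructed name)</web-resource-name>
    <url-pattern>/myapp/*</url-pattern> <!-- hypothetical path -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>appuser</role-name> <!-- hypothetical role -->
  </auth-constraint>
</security-constraint>

<!-- Ask Tomcat to challenge with HTTP Basic; after a successful login the
     container exposes the user name via getRemoteUser(). -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Local dev realm (constructed)</realm-name>
</login-config>

<!-- Every role named in an auth-constraint must be declared. -->
<security-role>
  <role-name>appuser</role-name>
</security-role>


<!-- Fragment 2: goes inside <tomcat-users> in Tomcat's conf/tomcat-users.xml
     (read by the default UserDatabaseRealm; assumed to be enabled). -->
<role rolename="appuser"/>
<user username="devuser" password="REPLACE_ME" roles="appuser"/> <!-- placeholder credentials -->
```

BASIC sends the user name and password base64-encoded on every request, so outside a local test this belongs behind TLS. Tomcat has to be restarted for both files to be re-read.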
I'll add just a bit to Dave's helpful answer (and thanks for your kind regards, BeRadB).
Again, do you need to even bother? Are you really planning to use this Docker implementation for production? If not, couldn't you just change the code to test if cgi.auth_user is empty, and have the code handle the situation differently? Or do you fear it would require changes in many places?
If so, then sure, you can try what Dave proposes, or again you CAN configure things so that your regular web server (IIS) can call into the container, and if you set up that IIS to use authentication, then as before it would pass the needed headers into the CF to populate the CGI variables.
If you get motivated to try that, a challenge is that you need to run the CF web server config tool on the main machine (where Docker and IIS are installed), and then tell it to connect to the CF instance that is WITHIN the Docker container. It's mostly just about exposing in Docker the AJP port within the CF container (which defaults to 8018 for CF2018), and then telling the wsconfig tool (in the host) to point to that port.
But beware that if you already have CF 2018 running on your host, then THAT's using port 8018. So you would tell Docker to expose the 8018 in the container as something else, like with -p 8028:8018, and then tell the CF wsconfig tool on the host to connect to the container's port as now 8028.
If you struggle with this and prefer directed help (remote, via screenshare), I can help via the consulting page at carehart.org. (Sadly you won't find too many resources talking about the above, and I have not written any yet but I do plan to.)
It sounds like you may need to configure the RemoteIpValve in Tomcat to let it know that the request was proxied over a secure transport: https://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Remote_IP_Valve
Pete, can you share how beradb's request is being proxied over a secure transport? Did I miss something, or have you guys perhaps shared info outside of this thread, like Slack, Twitter, or FB?
If that's not it, can you clarify for readers how you might be supposing it's happening? Thx.