Drupal is a CMS written in PHP. It can works with external modules to extends its functionalities. One of this module can be used to delegate authentication server to the web server: Webserver Auth.
Install Webserver Auth module, by downloading it, and unarchive it in the drupal modules/ directory.
Go on Drupal administration interface and enable the Webserver Auth module.
Configure Drupal virtual host like other protected virtual host.
Attention
If you are protecting Drupal with LL::NG as reverse proxy, convert header into REMOTE_USER environment variable.
<VirtualHost *:80>
ServerName drupal.example.com
PerlHeaderParserHandler Lemonldap::NG::Handler
...
</VirtualHost>
server {
listen 80;
server_name drupal.example.com;
root /path/to/application;
# Internal authentication request
location = /lmauth {
internal;
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
# Drop post data
fastcgi_pass_request_body off;
fastcgi_param CONTENT_LENGTH "";
# Keep original hostname
fastcgi_param HOST $http_host;
# Keep original request (LL::NG server will receive /lmauth)
fastcgi_param X_ORIGINAL_URI $original_uri;
}
# Client requests
location / {
auth_request /lmauth;
set $original_uri $uri$is_args$args;
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
auth_request_set $lmlocation $upstream_http_location;
error_page 401 $lmlocation;
try_files $uri $uri/ =404;
...
include /etc/lemonldap-ng/nginx-lua-headers.conf;
}
location / {
try_files $uri $uri/ =404;
}
}
Go to the Manager and create a new virtual host for Drupal.
Just configure the access rules.
If using LL::NG as reverse proxy, configure the Auth-User header, else no headers are needed.
With the above solution, all the Drupal site will be protected, so no anonymous access will be allowed.
Attention
You cannot use the unprotect rule because Drupal navigation is based on query strings (?q=admin, ?q=user, etc.), and unprotect rule only works on URL patterns.
You can create a special virtual host and use Apache rewrite module to switch between open and protected hosts:
<VirtualHost *:80>
ServerName drupal.example.com
# DocumentRoot
DocumentRoot /var/www/html/drupal/
DirectoryIndex index.php
# Redirect admin pages
RewriteEngine On
RewriteCond %{QUERY_STRING} q=(admin|user)
RewriteRule ^/(.*)$ http://admindrupal.example.com/$1 [R]
LogLevel warn
ErrorLog /var/log/httpd/drupal-error.log
CustomLog /var/log/httpd/drupal-access.log combined
</VirtualHost>
<VirtualHost *:80>
ServerName admindrupal.example.com
# SSO protection
PerlHeaderParserHandler Lemonldap::NG::Handler
# DocumentRoot
DocumentRoot /var/www/html/drupal/
DirectoryIndex index.php
LogLevel warn
ErrorLog /var/log/httpd/admindrupal-error.log
CustomLog /var/log/httpd/admindrupal-access.log combined
</VirtualHost>