Galaxy + Apache + External Authentication

Question: Galaxy + Apache + External Authentication

9.8 years ago by

United States

Assaf Gordon • 320 wrote:

Hello, I'm trying to setup galaxy to run with apache and external authentication - and I can't get this to work. (This is a not a galaxy question per se, more of an apache question, but hopefully you can still help me). First step was to setup apache/galaxy with mode rewrite - works perfectly. I've added these two lines to a 'conf' file in /etc/httpd/conf.d: ReWriteRule ^/galaxy$ /galaxy/ [R] RewriteRule ^/galaxy(.*) http://localhost:8080$1 [P] Browsing to http://myserver/galaxy indeed goes to galaxy and works ok. Then, I've tested a simple authentication directive (independent of galaxy): Alias /galaxy "/home/gordon/galaxy" <directory home="" gordon="" galaxy=""> AuthType Basic AuthName "Restricted Files" AuthUserFile /home/gordon/httpd_passwords Require user gordon </directory> And this also works OK. Now I want to combine the two - but it doesn't work. My "ReWriteRule" are ignored when they are inside a <directory> clause. I've also tried <location> - same results. Any ideas ? Thanks, Gordon

galaxy • 2.0k views

ADD COMMENT • link •

modified 9.8 years ago by Nate Coraor ♦ 3.2k • written 9.8 years ago by Assaf Gordon • 320

9.8 years ago by

Nate Coraor ♦ 3.2k

United States

Nate Coraor ♦ 3.2k wrote:

Gordon, The RewriteRules should work with a Location directive, but outside of it: ReWriteRule ^/galaxy$ /galaxy/ [R] RewriteRule ^/galaxy(.*) http://localhost:8080$1 [P] <location galaxy=""> AuthType Basic AuthName "Restricted Files" AuthUserFile /home/gordon/httpd_passwords Require user gordon </location> I imagine the Alias directive would cause problems with the RewriteRules. --nate

ADD COMMENT • link written 9.8 years ago by Nate Coraor ♦ 3.2k

Thank you for your help - I finally got it working. Every user in the domain is automatically logged-in - it's beautiful. I should have done this a long time ago. Interestingly, the "REMOTE_USER" rule didn't work for me - I'm using mod_authzldap and for some unknown reason using the rewrite rules from galaxy's wiki causes HTTP_REMOTE_USER to always be "(null)" when used with the proxy rules (the HTTP_REMOTE_USER was fine when passed to php scripts without proxy). The apache configuration clause which works for me is: ReWriteRule ^/galaxy$ /galaxy/ [R] RewriteRule ^/galaxy(.*) http://localhost:8080$1 [P] <location "="" galaxy"=""> AuthName "Please login with your CSHL account" AuthType Basic AuthBasicProvider ldap AuthzLDAPAuthoritative off AuthLDAPURL "ldap://[LDAP-SERVER]/?sAMAccountName?sub?(objectClass=*)" NONE AuthLDAPBindDN [LDAP-User-account] AuthLDAPBindPassword [LDAP-User-Password] Require valid-user # mod_authzldap creates 'AUTHENTICATE_XXXX' environment variables # for the arguments in the LDAP URL. # Convert the authenticated user name into a HTTP_REMOTE_USER. RequestHeader add REMOTE_USER %{AUTHENTICATE_SAMACCOUNTNAME}e </location> While trying to make sense of this mess (apache + mod_rewrite + mod_proxy + mod_authzldap + galaxy ), the following tricks helped: --1-- Trying mod_rewrite and apache-proxy without authentication: RewriteEngine on ReWriteRule ^/galaxy$ /galaxy/ [R] RewriteRule ^/galaxy(.*) http://localhost:8080$1 [P] At first I got "HTTP-500 Server Error". The /var/log/httpd/error_log file showed the following error: [error] (13)Permission denied: proxy: HTTP: attempt to connect to 127.0.0.1:8080 (*) failed This is caused by SELinux (installed by default on CentOS) that blocks the apache process from initiating network connections. The following command fixed it: $ sudo /usr/sbin/setsebool httpd_can_network_connect 1 More info at http://www.techiegyan.com/?p=178 --2-- Checking the authentication clause without rewrite rules and without proxy. <directory "="" var="" www="" html="" protected"=""> AuthName "Please login with your CSHL account" AuthType Basic AuthBasicProvider ldap AuthzLDAPAuthoritative off AuthLDAPURL "ldap://[LDAP-SERVER]/?sAMAccountName?sub?(objectClass=*)" NONE AuthLDAPBindDN [LDAP-User-account] AuthLDAPBindPassword [LDAP-User-Password] Require valid-user </directory> And inside "/var/www/html/protected", create a simple PHP script which shows the server variables: $ cat /var/www/html/protected/index.php \n"; print_r($_SERVER); echo "\n"; ?> When you browse to http://[server]/protected, and login with the right username and password, you get a list of all the server variables (That's how I discovered the 'AUTHENTICATE_SAMACCOUNTNAME'): Array ( [ ... many other variables not shown ... ] [SCRIPT_URL] => /protected/ [SCRIPT_URI] => http://XXXXXXX/protected [AUTHENTICATE_SAMACCOUNTNAME] => gordon [HTTP_HOST] => XXXXXX [PATH] => /sbin:/usr/sbin:/bin:/usr/bin [SERVER_ADMIN] => root@localhost [SCRIPT_FILENAME] => /var/www/html/protected/index.php [REMOTE_PORT] => 42695 [REMOTE_USER] => gordon [AUTH_TYPE] => Basic [GATEWAY_INTERFACE] => CGI/1.1 [SERVER_PROTOCOL] => HTTP/1.1 [REQUEST_METHOD] => GET [QUERY_STRING] => [REQUEST_URI] => /protected/ [SCRIPT_NAME] => /protected/index.php [PHP_SELF] => /protected/index.php [PHP_AUTH_USER] => gordon [PHP_AUTH_PW] => XXXXXXXXXX [REQUEST_TIME] => 1235107649 ) Althought "REMOTE_USER" is listed as a valid server variable, I could not get it to work with the proxy, and had to look for another solution. --3-- Add the following lines in "./lib/galaxy/web/framework/middleware/remoteuser.py", line 71: for k,v in environ.items(): sys.stderr.write ( "%s:\t%s\n" % ( k, v ) ) With these, galaxy prints every environment variable it receives, and debugging gets much easier. You can quickly see if there is an HTTP_REMOTE_USER variable, and whether it contains valid data or the string "(null)". --4-- Add a fixed HTTP_REMOTE_USER value in the apache configuration. This tests the proxy connection between apache and galaxy: ReWriteRule ^/galaxy$ /galaxy/ [R] RewriteRule ^/galaxy(.*) http://localhost:8080$1 [P] <location "="" galaxy"=""> RequestHeader add REMOTE_USER gordon </location> If everything is setup correctly, galaxy should automatically login with the user 'gordon'. Together with step 3, you can easily see if external authentication works or not. --5-- Try to get the authenticated user name from the authentication module to the HTTP_REMOTE_USER variable. The Galaxy wiki (http://g2.trac.bx.psu.edu/wiki/HowToInstall/ApacheProxy) recommends putting the following statements: RewriteCond %{IS_SUBREQ} ^false$ RewriteCond %{LA-U:REMOTE_USER} (.+) RewriteRule . - [E=RU:%1] RequestHeader set REMOTE_USER %{RU}e These didn't work for me. To debug it, I added the following statements: RewriteLog /tmp/rewrite.log RewriteLogLevel 9 And then "tail -f /var/rewrite.log". On my server, it always showed: ... RewriteCond: input='false' pattern='^false$' => matched RewriteCond: input='' pattern='(.+)' => not-matched ... Which means the first condition (IS_SUBREQ) matched, but the second condition (LA-U:REMOTE_USER) never matched - because REMOTE_USER environment variable was empty or null. As I've noted, the solution in my case was to use a different variable (AUTHENTICATE_SAMACCOUNTNAME). Maybe there's a way to get REMOTE_USER to work - but I don't know it. Regards, Gordon. Nate Coraor wrote, On 02/19/2009 12:33 PM:

ADD REPLY • link written 9.8 years ago by Assaf Gordon • 320

Similar posts • Search »